mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-21 03:10:25 +08:00
044b39f4ec
Correct naming of older drafts
452 lines
15 KiB
Plaintext
452 lines
15 KiB
Plaintext
|
||
|
||
|
||
|
||
|
||
|
||
INTERNET-DRAFT S. Legg
|
||
draft-legg-ldap-acm-admin-01.txt Adacel Technologies
|
||
Intended Category: Standards Track September 18, 2002
|
||
|
||
|
||
Access Control Administration in LDAP
|
||
|
||
Copyright (C) The Internet Society (2002). All Rights Reserved.
|
||
|
||
Status of this Memo
|
||
|
||
|
||
This document is an Internet-Draft and is in full conformance with
|
||
all provisions of Section 10 of RFC2026.
|
||
|
||
Internet-Drafts are working documents of the Internet Engineering
|
||
Task Force (IETF), its areas, and its working groups. Note that
|
||
other groups may also distribute working documents as
|
||
Internet-Drafts.
|
||
|
||
Internet-Drafts are draft documents valid for a maximum of six months
|
||
and may be updated, replaced, or obsoleted by other documents at any
|
||
time. It is inappropriate to use Internet-Drafts as reference
|
||
material or to cite them other than as "work in progress".
|
||
|
||
The list of current Internet-Drafts can be accessed at
|
||
http://www.ietf.org/ietf/1id-abstracts.txt
|
||
|
||
The list of Internet-Draft Shadow Directories can be accessed at
|
||
http://www.ietf.org/shadow.html.
|
||
|
||
Distribution of this document is unlimited. Comments should be sent
|
||
to the LDUP working group mailing list <ietf-ldup@imc.org> or to the
|
||
author.
|
||
|
||
This Internet-Draft expires on 18 March 2003.
|
||
|
||
|
||
1. Abstract
|
||
|
||
This document adapts the X.500 directory administrative model, as it
|
||
pertains to access control administration, for use by the Lightweight
|
||
Directory Access Protocol. The administrative model partitions the
|
||
Directory Information Tree for various aspects of directory data
|
||
administration, e.g. subschema, access control and collective
|
||
attributes. This document provides the particular definitions that
|
||
support access control administration, but does not define a
|
||
particular access control scheme.
|
||
|
||
|
||
|
||
Legg Expires 18 March 2003 [Page 1]
|
||
|
||
INTERNET-DRAFT Access Control Administration September 18, 2002
|
||
|
||
|
||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
|
||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
|
||
document are to be interpreted as described in RFC 2119 [RFC2119].
|
||
|
||
|
||
2. Table of Contents
|
||
|
||
1. Abstract .................................................... 1
|
||
2. Table of Contents ........................................... 2
|
||
3. Introduction ................................................ 2
|
||
4. Access Control Administrative Areas ......................... 3
|
||
5. Access Control Scheme Indication ............................ 3
|
||
6. Access Control Information .................................. 4
|
||
7. Access Control Subentries ................................... 4
|
||
8. Applicable Access Control Information ....................... 5
|
||
9. Security Considerations ..................................... 5
|
||
10. Acknowledgements ........................................... 6
|
||
11. Normative References ....................................... 6
|
||
12. Informative References ..................................... 6
|
||
13. Copyright Notice ........................................... 7
|
||
14. Author's Address ........................................... 7
|
||
|
||
|
||
3. Introduction
|
||
|
||
This document adapts the X.500 directory administrative model [X501],
|
||
as it pertains to access control administration, for use by the
|
||
Lightweight Directory Access Protocol (LDAP) [RFC2251].
|
||
|
||
The administrative model [ADMIN] partitions the Directory Information
|
||
Tree (DIT) for various aspects of directory data administration, e.g.
|
||
subschema, access control and collective attributes. The parts of
|
||
the administrative model that apply to every aspect of directory data
|
||
administration are described in [ADMIN]. This document describes the
|
||
administrative framework for access control.
|
||
|
||
An access control scheme describes the means by which access to
|
||
directory information, and potentially to access rights themselves,
|
||
may be controlled. This document describes the framework for
|
||
employing access control schemes but does not define a particular
|
||
access control scheme. Two access control schemes known as Basic
|
||
Access Control and Simplified Access Control are defined by [BAC].
|
||
Other access control schemes MAY be defined by other documents.
|
||
|
||
Schema definitions are provided using LDAP description formats
|
||
[RFC2252]. Note that the LDAP descriptions have been rendered with
|
||
additional white-space and line breaks for the sake of readability.
|
||
|
||
|
||
|
||
|
||
Legg Expires 18 March 2003 [Page 2]
|
||
|
||
INTERNET-DRAFT Access Control Administration September 18, 2002
|
||
|
||
|
||
This document is derived from, and duplicates substantial portions
|
||
of, Sections 4 and 8 of [X501].
|
||
|
||
|
||
4. Access Control Administrative Areas
|
||
|
||
The specific administrative area [ADMIN] for access control is termed
|
||
an Access Control Specific Area (ACSA). The root of the ACSA is
|
||
termed an Access Control Specific Point (ACSP) and is represented in
|
||
the DIT by an administrative entry [ADMIN] which includes
|
||
accessControlSpecificArea as a value of its administrativeRole
|
||
operational attribute [SUBENTRY].
|
||
|
||
An ACSA MAY be partitioned into subtrees termed inner administrative
|
||
areas [ADMIN]. Each such inner area is termed an Access Control
|
||
Inner Area (ACIA). The root of the ACIA is termed an Access Control
|
||
Inner Point (ACIP) and is represented in the DIT by an administrative
|
||
entry which includes accessControlInnerArea as a value of its
|
||
administrativeRole operational attribute.
|
||
|
||
An administrative entry can never be both an ACSP and an ACIP. The
|
||
corresponding values can therefore never be present simultaneously in
|
||
the administrativeRole attribute.
|
||
|
||
Each entry necessarily falls within one and only one ACSA. Each such
|
||
entry may also fall within one or more ACIAs nested inside the ACSA
|
||
containing the entry.
|
||
|
||
An ACSP or ACIP has zero, one or more subentries that contain Access
|
||
Control Information (ACI).
|
||
|
||
|
||
5. Access Control Scheme Indication
|
||
|
||
The access control scheme (e.g. Basic Access Control [BAC]) in force
|
||
in an ACSA is indicated by the accessControlScheme operational
|
||
attribute contained in the administrative entry for the relevant
|
||
ACSP.
|
||
|
||
The LDAP description [RFC2252] for the accessControlScheme
|
||
operational attribute is:
|
||
|
||
( 2.5.24.1 NAME 'accessControlScheme'
|
||
EQUALITY objectIdentifierMatch
|
||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
|
||
SINGLE-VALUE USAGE directoryOperation )
|
||
|
||
An access control scheme conforming to the access control framework
|
||
|
||
|
||
|
||
Legg Expires 18 March 2003 [Page 3]
|
||
|
||
INTERNET-DRAFT Access Control Administration September 18, 2002
|
||
|
||
|
||
described in this document MUST define a distinct OBJECT IDENTIFIER
|
||
value to identify it through the accessControlScheme attribute.
|
||
|
||
Only administrative entries for ACSPs are permitted to contain an
|
||
accessControlScheme attribute. If the accessControlScheme attribute
|
||
is absent from a given ACSP, the access control scheme in force in
|
||
the corresponding ACSA, and its effect on operations, results and
|
||
errors, is implementation defined.
|
||
|
||
Any entry or subentry in an ACSA is permitted to contain ACI if and
|
||
only if such ACI is permitted by, and consistent with, the access
|
||
control scheme identified by the value of the accessControlScheme
|
||
attribute of the ACSP.
|
||
|
||
|
||
6. Access Control Information
|
||
|
||
There are three categories of Access Control Information (ACI):
|
||
entry, subentry and prescriptive.
|
||
|
||
Entry ACI applies to only the entry or subentry in which it appears,
|
||
and the contents thereof. Subject to the access control scheme, any
|
||
entry or subentry MAY hold entry ACI.
|
||
|
||
Subentry ACI applies to only the subentries of the administrative
|
||
entry in which it appears. Subject to the access control scheme, any
|
||
administrative entry, for any aspect of administration, MAY hold
|
||
subentry ACI.
|
||
|
||
Prescriptive ACI applies to all the entries within a subtree or
|
||
subtree refinement of an administrative area (either an ACSA or an
|
||
ACIA), as defined by the subtreeSpecification attribute of the
|
||
subentry in which it appears. Prescriptive ACI is only permitted in
|
||
subentries of an ACSP or ACIP. Prescriptive ACI in the subentries of
|
||
a particular administrative point never applies to the same or any
|
||
other subentry of that administrative point, but does apply to the
|
||
subentries of subordinate administrative points, where those
|
||
subentries are within the subtree or subtree refinement.
|
||
|
||
|
||
7. Access Control Subentries
|
||
|
||
Each subentry which contains prescriptive ACI MUST have
|
||
accessControlSubentry as a value of its objectClass attribute. Such
|
||
a subentry is called an access control subentry.
|
||
|
||
The LDAP description [RFC2252] for the accessControlSubentry
|
||
auxiliary object class is:
|
||
|
||
|
||
|
||
Legg Expires 18 March 2003 [Page 4]
|
||
|
||
INTERNET-DRAFT Access Control Administration September 18, 2002
|
||
|
||
|
||
( 2.5.17.1 NAME 'accessControlSubentry' AUXILIARY )
|
||
|
||
A subentry of this object class MUST contain at least one
|
||
prescriptive ACI attribute of a type consistent with the value of the
|
||
accessControlScheme attribute of the corresponding ACSP.
|
||
|
||
The subtree or subtree refinement for an access control subentry is
|
||
termed a Directory Access Control Domain (DACD). A DACD can contain
|
||
zero entries, and can encompass entries that have not yet been added
|
||
to the DIT, but does not extend beyond the scope of the ACSA or ACIA
|
||
with which it is associated.
|
||
|
||
Since a subtreeSpecification may define a subtree refinement, DACDs
|
||
within a given ACSA may arbitrarily overlap.
|
||
|
||
|
||
8. Applicable Access Control Information
|
||
|
||
Although particular items of ACI may specify attributes or values as
|
||
the protected items, ACI is logically associated with entries.
|
||
|
||
The ACI that is considered in access control decisions regarding an
|
||
entry includes:
|
||
|
||
(1) Entry ACI from that particular entry.
|
||
|
||
(2) Prescriptive ACI from access control subentries whose DACDs
|
||
contain the entry. Each of these access control subentries is
|
||
necessarily either a subordinate of the ACSP for the ACSA
|
||
containing the entry, or a subordinate of the ACIP for an ACIA
|
||
that contains the entry.
|
||
|
||
The ACI that is considered in access control decisions regarding a
|
||
subentry includes:
|
||
|
||
(1) Entry ACI from that particular subentry.
|
||
|
||
(2) Prescriptive ACI from access control subentries whose DACDs
|
||
contain the subentry, excluding those belonging to the same
|
||
administrative point as the subentry for which the decision is
|
||
being made.
|
||
|
||
(3) Subentry ACI from the administrative point associated with the
|
||
subentry.
|
||
|
||
|
||
9. Security Considerations
|
||
|
||
|
||
|
||
|
||
Legg Expires 18 March 2003 [Page 5]
|
||
|
||
INTERNET-DRAFT Access Control Administration September 18, 2002
|
||
|
||
|
||
This document defines a framework for employing an access control
|
||
scheme, i.e. the means by which access to directory information and
|
||
potentially to access rights themselves may be controlled, but does
|
||
not itself define any particular access control scheme. The degree
|
||
of protection provided, and any security risks, are determined by the
|
||
provisions of the access control schemes (defined elsewhere) making
|
||
use of this framework.
|
||
|
||
Security considerations that apply to directory administration in
|
||
general [ADMIN] also apply to access control administration.
|
||
|
||
|
||
10. Acknowledgements
|
||
|
||
This document is derived from, and duplicates substantial portions
|
||
of, Sections 4 and 8 of [X501].
|
||
|
||
|
||
11. Normative References
|
||
|
||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
|
||
Requirement Levels", BCP 14, RFC 2119, March 1997.
|
||
|
||
[RFC2251] Wahl, M., Howes, T. and S. Kille, "Lightweight Directory
|
||
Access Protocol (v3)", RFC 2251, December 1997.
|
||
|
||
[RFC2252] Wahl, M., Coulbeck, A., Howes, T. and S. Kille,
|
||
"Lightweight Directory Access Protocol (v3): Attribute
|
||
Syntax Definitions", RFC 2252, December 1997.
|
||
|
||
[ADMIN] Legg, S., "Directory Administrative Model in LDAP",
|
||
draft-legg-ldap-admin-xx.txt, a work in progress,
|
||
September 2002.
|
||
|
||
[SUBENTRY] Zeilenga, K. and S. Legg, "Subentries in LDAP",
|
||
draft-zeilenga-ldap-subentry-xx.txt, a work in progress,
|
||
August 2002.
|
||
|
||
|
||
12. Informative References
|
||
|
||
[BAC] Legg, S., "Basic and Simplified Access Control in LDAP",
|
||
draft-legg-ldap-acm-bac-xx.txt, a work in progress,
|
||
September 2002.
|
||
|
||
[COLLECT] Zeilenga, K., "Collective Attributes in LDAP",
|
||
draft-zeilenga-ldap-collective-xx.txt, a work in progress,
|
||
August 2002.
|
||
|
||
|
||
|
||
Legg Expires 18 March 2003 [Page 6]
|
||
|
||
INTERNET-DRAFT Access Control Administration September 18, 2002
|
||
|
||
|
||
[X501] ITU-T Recommendation X.501 (02/2001), Information
|
||
technology - Open Systems Interconnection - The Directory:
|
||
Models
|
||
|
||
|
||
13. Copyright Notice
|
||
|
||
Copyright (C) The Internet Society (2002). All Rights Reserved.
|
||
|
||
This document and translations of it may be copied and furnished to
|
||
others, and derivative works that comment on or otherwise explain it
|
||
or assist in its implementation may be prepared, copied, published
|
||
and distributed, in whole or in part, without restriction of any
|
||
kind, provided that the above copyright notice and this paragraph are
|
||
included on all such copies and derivative works. However, this
|
||
document itself may not be modified in any way, such as by removing
|
||
the copyright notice or references to the Internet Society or other
|
||
Internet organizations, except as needed for the purpose of
|
||
developing Internet standards in which case the procedures for
|
||
copyrights defined in the Internet Standards process must be
|
||
followed, or as required to translate it into languages other than
|
||
English.
|
||
|
||
The limited permissions granted above are perpetual and will not be
|
||
revoked by the Internet Society or its successors or assigns.
|
||
|
||
This document and the information contained herein is provided on an
|
||
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
|
||
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
|
||
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
|
||
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
|
||
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
||
|
||
|
||
14. Author's Address
|
||
|
||
Steven Legg
|
||
Adacel Technologies Ltd.
|
||
405-409 Ferntree Gully Road
|
||
Mount Waverley, Victoria 3149
|
||
AUSTRALIA
|
||
|
||
Phone: +61 3 9451 2107
|
||
Fax: +61 3 9541 2121
|
||
EMail: steven.legg@adacel.com.au
|
||
|
||
|
||
15. Appendix A - Changes From Previous Drafts
|
||
|
||
|
||
|
||
Legg Expires 18 March 2003 [Page 7]
|
||
|
||
INTERNET-DRAFT Access Control Administration September 18, 2002
|
||
|
||
|
||
15.1 Changes in Draft 01
|
||
|
||
Section 4 has been extracted to become a separate Internet draft,
|
||
draft-legg-ldap-admin-00.txt. The subsections of Section 5 have
|
||
become the new Sections 4 to 8. Editorial changes have been made to
|
||
accommodate this split. No technical changes have been introduced.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Legg Expires 18 March 2003 [Page 8]
|
||
|