mirror of
https://git.openldap.org/openldap/openldap.git
synced 2025-01-12 10:54:48 +08:00
Network Working Group                                       S. Haripriya
Internet-Draft                                         Jaimon. Jose, Ed.
Updates: 02 (if approved)                               Jim. Sermersheim
Intended status: Standards Track                            Novell, Inc.
Expires: July 9, 2007                                    January 5, 2007


                     LDAP: Dynamic Groups for LDAPv3
                     draft-haripriya-dynamicgroup-02

Status of this Memo

By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as
Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

This Internet-Draft will expire on July 9, 2007.

Copyright Notice

Copyright (C) The Internet Society (2007).


Haripriya, et al.            Expires July 9, 2007               [Page 1]

Internet-Draft       LDAP: Dynamic Groups for LDAPv3        January 2007

Abstract

This document describes the requirements, semantics, schema elements,
and operations needed for a dynamic group feature in LDAP. A dynamic
group is defined here as a group object with a membership list of
distinguished names that is dynamically generated using LDAP search
criteria. The dynamic membership list may then be interrogated by
LDAP search and compare operations, and may also be used to find the
groups that an object is a member of. This feature eliminates a huge
amount of the administrative effort required today for maintaining
group memberships and role-based operations in large enterprises.


Table of Contents

1. Conventions used in this document . . . . . . . . . . . . . . 4
2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5
3. Requirements of a dynamic group feature . . . . . . . . . . . 6
4. Schema and Semantic Definitions for Dynamic Groups . . . . . . 7
   4.1. Object Classes . . . . . . . . . . . . . . . . . . . . . . 7
        4.1.1. dynamicGroup . . . . . . . . . . . . . . . . . . . . . 7
        4.1.2. dynamicGroupOfUniqueNames . . . . . . . . . . . . . . 7
        4.1.3. dynamicGroupAux . . . . . . . . . . . . . . . . . . . 7
        4.1.4. dynamicGroupOfUniqueNamesAux . . . . . . . . . . . . . 7
   4.2. Attributes . . . . . . . . . . . . . . . . . . . . . . . . 8
        4.2.1. memberQueryURL . . . . . . . . . . . . . . . . . . . . 8
        4.2.2. excludedMember . . . . . . . . . . . . . . . . . . . . 11
   4.3. member . . . . . . . . . . . . . . . . . . . . . . . . . . 11
   4.4. uniqueMember . . . . . . . . . . . . . . . . . . . . . . . 11
   4.5. dgIdentity . . . . . . . . . . . . . . . . . . . . . . . . 11
        4.5.1. dgIdentity - Security implications . . . . . . . . . . 12
5. Advertisement of support for dynamic groups . . . . . . . . . 13
6. Dynamic Group Operations . . . . . . . . . . . . . . . . . . . 14
   6.1. Existing Operations . . . . . . . . . . . . . . . . . . . 14
        6.1.1. Access to resources in the directory . . . . . . . . . 14
        6.1.2. Reading a dynamic group object . . . . . . . . . . . . 14
        6.1.3. 'Is Member Of' functionality . . . . . . . . . . . . . 15
   6.2. New Extensions . . . . . . . . . . . . . . . . . . . . . . 16
        6.2.1. Managing the static members of a dynamic group . . . . 16
7. Performance Considerations . . . . . . . . . . . . . . . . . . 17
   7.1. Caching of Dynamic Members . . . . . . . . . . . . . . . . 17
8. Security Considerations . . . . . . . . . . . . . . . . . . . 18
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19
10. Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . 20
11. Normative References . . . . . . . . . . . . . . . . . . . . . 21
Appendix A. Example Values for memberQueryURL . . . . . . . . . . 22
Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . . 23
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 24
Intellectual Property and Copyright Statements . . . . . . . . . . 25
1. Conventions used in this document

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [1].
2. Introduction

The LDAP schema described in [4] defines two object classes,
'groupOfNames' and 'groupOfUniqueNames', that hold a static list of
distinguished names in their 'member' or 'uniqueMember' attributes
respectively, and are typically used to describe a group of objects
for various functions. These grouping functions range from simple
group membership applications such as email distribution lists to
describing common authorization for a set of users. The
administration and updating of these membership lists must be done
by explicitly modifying the DN values in the member or uniqueMember
attributes. Thus, each time a change in membership happens, a process
must exist which adds or removes the particular entry's DN from the
member attribute. For example, consider an organization where access
to its facilities is controlled by membership in a directory group.
Assume that all employees in a department have been added to the
group that provides access to the required department facility. If
an employee moves from one department to another, the administrator
must remove the employee from one group and add him to another.
Similarly, consider an organization that wants to provide access to
its facility to both interns and employees on weekdays, but only to
employees on weekends. Achieving this with static groups would take
considerable effort.

"Dynamic groups" are like normal groups, but they let one specify
criteria to be used for evaluating membership of a group; the
membership of the group is determined dynamically by the directory
servers involved. This lets the group administrator define the
membership in terms of attributes and leave it to the DSAs to
determine who the actual members are. This solution is more scalable
and reduces administrative costs. It can also supplement static
groups in LDAP to provide flexibility to the user.
3. Requirements of a dynamic group feature

The following requirements SHOULD be met by a proposal for the
dynamic groups feature:

1. Creation and administration of dynamic groups should be done
   using normal LDAP operations.

2. Applications must be able to use dynamic groups in the same way
   that they are able to use static groups for listing members and
   for membership evaluation.

3. Interrogation of a dynamic group's membership should be done
   using normal LDAP operations, and should be consistent. This
   means that all authorization identities with the same permission
   to the membership attribute of a dynamic group (such as 'read')
   should be presented with the same membership list.
4. Schema and Semantic Definitions for Dynamic Groups

The dynamic group classes are defined by the following schema.

4.1. Object Classes

The following object classes MUST be supported, and their semantics
understood by the server, for it to support the dynamic groups
feature.

4.1.1. dynamicGroup

( <OID.TBD> NAME 'dynamicGroup' SUP groupOfNames STRUCTURAL
  MAY ( memberQueryURL $ excludedMember $ dgIdentity ) )

This structural object class is used to create a dynamic group
object. It is derived from groupOfNames, which is defined in [4].

4.1.2. dynamicGroupOfUniqueNames

( <OID.TBD> NAME 'dynamicGroupOfUniqueNames' SUP groupOfUniqueNames
  STRUCTURAL MAY ( memberQueryURL $ excludedMember $ dgIdentity ) )

This structural object class is used to create a dynamic group object
whose membership list is held in a uniqueMember attribute. It is
derived from groupOfUniqueNames, which is defined in [4].

4.1.3. dynamicGroupAux

( <OID.TBD> NAME 'dynamicGroupAux' SUP groupOfNames AUXILIARY
  MAY ( memberQueryURL $ excludedMember $ dgIdentity ) )

This auxiliary object class is used to convert an existing object to
a dynamic group or to create an object of another object class but
with dynamic group capabilities. It is derived from groupOfNames,
which is defined in [4].

4.1.4. dynamicGroupOfUniqueNamesAux

( <OID.TBD> NAME 'dynamicGroupOfUniqueNamesAux' SUP groupOfUniqueNames
  AUXILIARY MAY ( memberQueryURL $ excludedMember $ dgIdentity ) )

This auxiliary object class is used to convert an existing object to
a dynamic group of unique names or to create an object of another
object class but with dynamic group capabilities. It is derived from
groupOfUniqueNames, which is defined in [4].

Note that [2] (Section 2.4.3) does not allow an auxiliary object
class to subclass a structural one, so a server with strict schema
checking will reject the two auxiliary definitions above as written;
an auxiliary class that subclasses 'top' and carries only the three
dynamic group attributes is the usual way to achieve the same effect.
4.2. Attributes

The following attribute types MUST be supported by the server.

4.2.1. memberQueryURL

This attribute describes the dynamic membership of the group using an
LDAP URL [3].

( <OID.TBD> NAME 'memberQueryURL' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

The value of memberQueryURL is encoded as an LDAP URL [3].
The BNF from [3] is listed here for reference.

ldapurl     = scheme COLON SLASH SLASH [host [COLON port]]
                 [SLASH dn [QUESTION [attributes]
                 [QUESTION [scope] [QUESTION [filter]
                 [QUESTION extensions]]]]]
                                ; <host> and <port> are defined
                                ;   in Sections 3.2.2 and 3.2.3
                                ;   of [RFC3986].
                                ; <filter> is from Section 3 of
                                ;   [RFC4515], subject to the
                                ;   provisions of the
                                ;   "Percent-Encoding" section
                                ;   below.
scheme      = "ldap"
dn          = distinguishedName ; From Section 3 of [RFC4514],
                                ; subject to the provisions of
                                ; the "Percent-Encoding"
                                ; section below.
attributes  = attrdesc *(COMMA attrdesc)
attrdesc    = selector *(COMMA selector)
selector    = attributeSelector ; From Section 4.5.1 of
                                ; [RFC4511], subject to the
                                ; provisions of the
                                ; "Percent-Encoding" section
                                ; below.
scope       = "base" / "one" / "sub"
extensions  = extension *(COMMA extension)
extension   = [EXCLAMATION] extype [EQUALS exvalue]
extype      = oid               ; From section 1.4 of [RFC4512].
exvalue     = LDAPString        ; From section 4.1.2 of
                                ; [RFC4511], subject to the
                                ; provisions of the
                                ; "Percent-Encoding" section
                                ; below.
EXCLAMATION = %x21 ; exclamation mark ("!")
SLASH       = %x2F ; forward slash ("/")
COLON       = %x3A ; colon (":")
QUESTION    = %x3F ; question mark ("?")

For the purpose of evaluating dynamic members, the directory server
uses only the dn, scope, filter and extensions fields. If other
fields (host, port, attributes) are specified, the server SHALL
ignore them and MAY omit them when presenting the value to a client.
The dn specifies the base DN from which to start the search for
dynamic members. The scope specifies the scope, with respect to the
dn, in which to search for dynamic members. The filter specifies the
criteria with which to select objects for dynamic membership.
4.2.1.1. The x-chain extension

A new extension, named 'x-chain', is defined for use of the
memberQueryURL in dynamic groups. x-chain does not take a value.
When x-chain is present, the server MUST follow any search
continuation references to other servers while searching for dynamic
members. When x-chain is absent, the dynamic members computed will
be only those that are present on the server from which the search
is made. A directory server supporting the memberQueryURL MAY support
the x-chain extension; thus a client may mark the x-chain extension
critical or non-critical by means of the '!' prefix to the extension
type. As specified in [3], a URL carrying a critical extension that
the server does not support MUST NOT be processed, so such a value
contributes no dynamic members.

4.2.1.2. Semantics of multiple values for memberQueryURL

The memberQueryURL MAY have multiple values, in which case the
members of the dynamic group will be the union of the members
computed using each individual URL value. This is useful in
specifying a group membership that is made up from subtrees rooted at
different base DNs, possibly using different filters.

4.2.1.3. Condition of membership

An object O is a member of a dynamic group G if and only if

   ( O is a value of the 'member' or 'uniqueMember' attribute of G )

   OR

   ( ( O is selected by the membership criteria specified in the
       'memberQueryURL' attribute values of G )

     AND

     ( O is not listed in the 'excludedMember' attribute of G ) )

If a member M of a dynamic group G happens to be a dynamic or a
static group, the static or dynamic members of M SHALL NOT be
considered as members of G. M itself is a member of G, though.

This restriction on nested groups is imposed because

o Recursively evaluating members of members may degrade the
  performance of the server drastically.

o Looping may occur, particularly in situations where the search
  chains across multiple servers.
o Dynamic membership assertions (compare operation) cannot be
  optimized if recursive memberships are allowed. Without
  recursion, comparisons can be made lightweight.

4.2.2. excludedMember

( <OID.TBD> NAME 'excludedMember' SUP distinguishedName )

This attribute is used to exclude entries from being dynamic members
of a dynamic group. Thus an entry is a dynamic member of a dynamic
group if and only if it is selected by the member criteria specified
by the 'memberQueryURL' attribute and it is not listed in the
'excludedMember' attribute. Entries explicitly listed in the member
or uniqueMember attribute are static members, and excludedMember has
no effect on them (see Sections 4.3 and 4.4).

4.3. member

( 2.5.4.31 NAME 'member' SUP distinguishedName )

Defined in [4], this attribute is overloaded when used in the context
of a dynamic group. It is used to explicitly specify static members
of a dynamic group. If the same entry is listed in both the 'member'
and 'excludedMember' attributes, 'member' overrides 'excludedMember',
and the entry is considered to be a member of the group. This
attribute is also used to interrogate both the static and dynamic
member values of a dynamic group object. Subclasses of this
attribute are NOT considered in this manner.

4.4. uniqueMember

( 2.5.4.32 NAME 'uniqueMember' SUP distinguishedName )

Defined in [4], this attribute is overloaded when used in the context
of a dynamic group. It is used to specify the static members of a
dynamic group. If the same entry is listed in both the
'uniqueMember' and 'excludedMember' attributes, 'uniqueMember'
overrides 'excludedMember', and the entry is considered to be a
member of the group. This attribute is also used to interrogate both
the static and dynamic member values of a dynamic group object.
Subclasses of this attribute are NOT considered in this manner.
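The rules of Sections 4.2.1 through 4.4, as an added example (this code is not part of the draft and is not OpenLDAP's implementation): it parses a memberQueryURL value, honours the '!' criticality of extensions, evaluates a small RFC 4515 filter subset over an in-memory directory, and applies the membership condition of Section 4.2.1.3 together with excludedMember and the override rule of Section 4.3. It also models the compare of Section 6.1.3 and the 'member;x-static' option of Section 6.2.1. The directory layout, the DN normalisation in norm_dn, the set of supported extensions and the filter subset are simplifying assumptions; the sample data is constructed from the example in Section 6.1.2.

```python
# Added example, not code from the draft or OpenLDAP: the draft's membership
# rules over an in-memory directory.  DN handling and the RFC 4515 filter
# subset are simplifying assumptions.
from urllib.parse import unquote

SUPPORTED_EXTENSIONS = {"x-chain"}   # assumed: this server implements x-chain

def norm_dn(dn):
    """Lower-case and strip blanks after commas; stands in for
    distinguishedNameMatch (escaped commas are not handled)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def parse_member_query_url(url):
    """(base_dn, scope, filter, extensions) per Section 4.2.1: host, port and
    attribute list are discarded; fields are split on '?' before they are
    percent-decoded; an unsupported critical extension rejects the URL."""
    if not url.lower().startswith("ldap://"):
        raise ValueError("memberQueryURL must use the ldap scheme")
    _hostport, _, tail = url[len("ldap://"):].partition("/")
    fields = tail.split("?", 4)
    fields += [""] * (5 - len(fields))
    dn, _attrs, scope, filt, exts = (unquote(f) for f in fields)
    scope = (scope or "base").lower()           # RFC 4516 default is base
    if scope not in ("base", "one", "sub"):
        raise ValueError("bad scope %r" % scope)
    extensions = {}
    for ext in (e for e in exts.split(",") if e):
        extype, _, exvalue = ext.lstrip("!").partition("=")
        if ext.startswith("!") and extype.lower() not in SUPPORTED_EXTENSIONS:
            raise ValueError("unsupported critical extension %r" % extype)
        extensions[extype.lower()] = exvalue
    return dn, scope, filt or "(objectClass=*)", extensions

def in_scope(dn, base, scope):
    """True if dn lies within base at LDAP scope base/one/sub."""
    dn, base = norm_dn(dn), norm_dn(base)
    if scope == "base":
        return dn == base
    if scope == "one":
        return dn.partition(",")[2] == base
    return dn == base or dn.endswith("," + base)

def match_filter(filt, entry):
    """RFC 4515 subset (&, |, !, equality, presence) over {attr: [values]};
    returns (result, unconsumed text) so nested filters recurse."""
    if not filt.startswith("("):
        raise ValueError("filter must start with '('")
    if filt[1] in "&|":
        results, rest = [], filt[2:]
        while rest.startswith("("):
            r, rest = match_filter(rest, entry)
            results.append(r)
        result = all(results) if filt[1] == "&" else any(results)
    elif filt[1] == "!":
        result, rest = match_filter(filt[2:], entry)
        result = not result
    else:
        body, _, rest = filt[1:].partition(")")
        attr, _, value = body.partition("=")
        values = [v.lower() for v in entry.get(attr.lower(), [])]
        return (bool(values) if value == "*" else value.lower() in values), rest
    if not rest.startswith(")"):
        raise ValueError("unterminated filter")
    return result, rest[1:]

def members(directory, group_dn, static_only=False):
    """Section 4.2.1.3: static members, plus entries selected by any URL value
    (union, 4.2.1.2) minus excludedMember; a static member beats excludedMember
    (4.3); member groups are not expanded.  static_only = member;x-static."""
    group = directory[group_dn]
    static = {norm_dn(v) for v in group.get("member", [])}
    if static_only:
        return static
    excluded = {norm_dn(v) for v in group.get("excludedmember", [])}
    dynamic = set()
    for url in group.get("memberqueryurl", []):
        base, scope, filt, _exts = parse_member_query_url(url)
        for dn, entry in directory.items():
            if in_scope(dn, base, scope) and match_filter(filt, entry)[0]:
                dynamic.add(norm_dn(dn))
    return static | (dynamic - excluded)

def is_member(directory, group_dn, dn):
    """The compare of Section 6.1.3: does member=<dn> hold for the group?"""
    return norm_dn(dn) in members(directory, group_dn)

def example_directory():
    """Constructed sample data reproducing the example of Section 6.1.2."""
    d = {"cn=dg1,o=myorg": {
            "objectclass": ["dynamicGroup"],
            "member": ["cn=admin,o=myorg"],
            "excludedmember": ["cn=guest,ou=finance,o=myorg",
                               "cn=robin,ou=finance,o=myorg"],
            "memberqueryurl": ["ldap:///ou=finance,o=myorg??sub?"
                               "(objectclass=organizationalPerson)"]},
         "ou=finance,o=myorg": {"objectclass": ["organizationalUnit"]}}
    for cn in ("bob", "alice", "john", "robin", "guest"):
        d["cn=%s,ou=finance,o=myorg" % cn] = {"objectclass": ["organizationalPerson"]}
    return d
```

With the sample data, members(example_directory(), "cn=dg1,o=myorg") yields admin, bob, alice and john (guest and robin are selected by the URL but excluded), and adding robin to 'member' makes robin a member again despite the excludedMember value. A real server would additionally evaluate the URL under the dgIdentity of Section 4.5 rather than as the bound user.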

4.5. dgIdentity

( <OID.TBD> NAME 'dgIdentity' SUP distinguishedName SINGLE-VALUE )

This attribute MAY be supported, and holds the identity the server
will use for processing the memberQueryURL. In order to provide
consistent results when processing the search criteria, the server
must use a single authorization identity: if the authorization of
the bound identity were used instead, the membership list would vary
from identity to identity due to differing access controls. This may
either be done by the server authenticating as the dgIdentity prior
to performing a search or compare operation, or by simply assuming
the authorization of the dgIdentity when performing those operations.
As server implementations vary, so may the mechanisms used to achieve
consistent results through the dgIdentity. In the case that the
server authenticates as the dgIdentity, the server may require that
this identity have proper authentication credentials, and that it
reside in the DIB of the local server.

In the absence of a dgIdentity value, or in case the value cannot be
used, the server will process the memberQueryURL as the anonymous
identity.

4.5.1. dgIdentity - Security implications

Because this attribute indirectly but effectively grants anyone with
read or compare access to the member or uniqueMember attribute
sufficient permission to obtain a DN result set from the
memberQueryURL, server implementations SHOULD NOT allow this
attribute to be populated with the DN of any object that is not
administered by the identity making the change to this attribute.
For the purposes of this document, to "administer an object" means
that the administrative identity has the ability to fully update the
access control mechanism in place on the object in question. As of
this writing, there is no way to describe further what it means to
be fully able to administer the access control mechanism for an
object, so this definition is left as implementation-specific.

This requirement allows an entity that has privileges to administer
a particular subtree (meaning that entity can add, delete, and update
objects in that subtree) to place in the dgIdentity only the DNs of
objects it administers.
5. Advertisement of support for dynamic groups

If the dynamic groups schema is not present on an LDAP server, it
MUST be assumed that the dynamic groups feature is not supported.
6. Dynamic Group Operations

6.1. Existing Operations

The following operations SHOULD expose the dynamic groups
functionality. These operations do not require any change to the
LDAP protocol exchanged between the client and server.

6.1.1. Access to resources in the directory

If access control items are set on a target resource object in the
directory with the subject being a dynamic group object, then all
the members of the group object, including the dynamic members, will
get the same permissions on the target entry. This would be the most
useful application of dynamic groups as seen by an administrator,
because it lets the server control access to resources based on
dynamic membership of a trustee (the subject of the ACI) of the
resource. The way to specify a dynamic ACL is currently
implementation specific, as there is no common ACL definition for
LDAP, and hence will be dealt with in a separate document or later
(TO BE DONE).

6.1.2. Reading a dynamic group object

When the member attributes of a dynamic group object are listed by
the client using an LDAP search operation, the member values returned
SHOULD contain both the static and dynamic members of the group
object. This functionality does not require a change to the
protocol, and clients need not be aware of dynamic groups to exploit
it. This feature is useful for clients that determine access
privileges to a resource by themselves, by reading the members of a
group object. It will also be useful to administrators who want to
see the result of the query URL that they set on the dynamic group
entry. Note that this overloads the semantics of the 'member' and
'uniqueMember' attributes, which could lead to some surprises for
the client. For example, clients that read the member attribute of
a dynamic group object and then attempt to remove values (which were
dynamic) could get an error stating that such a value was not there.

Example:

Let cn=dg1,o=myorg be a dynamic group object with the following
attributes stored in the directory.

   member: cn=admin,o=myorg
   excludedMember: cn=guest,ou=finance,o=myorg
   excludedMember: cn=robin,ou=finance,o=myorg
   memberQueryURL:
    ldap:///ou=finance,o=myorg??sub?(objectclass=organizationalPerson)

If there are 5 organizationalPerson objects under ou=finance,o=myorg
with common names bob, alice, john, robin, and guest, then the output
of a base-scope LDAP search at cn=dg1,o=myorg, with the attribute
list containing 'member', will be as follows:

   dn: cn=dg1,o=myorg
   member: cn=admin,o=myorg
   member: cn=bob,ou=finance,o=myorg
   member: cn=alice,ou=finance,o=myorg
   member: cn=john,ou=finance,o=myorg

6.1.3. 'Is Member Of' functionality

The LDAP compare operation allows one to discover whether a given DN
is in the membership list of a dynamic group. Again, the server
SHOULD produce consistent results among different authorization
identities when processing this request, as long as those identities
have the same access to the member or uniqueMember attribute. Using
the data from the example in Section 6.1.2, a compare on
cn=dg1,o=myorg for the AVA member=cn=bob,ou=finance,o=myorg would
result in a response of compareTrue (assuming the bound identity was
authorized to compare the member attribute of cn=dg1,o=myorg).

Likewise, a search operation that contains an equalityMatch or
presence filter naming the member or uniqueMember attribute (such as
(member=cn=bob,ou=finance,o=myorg) or (member=*)) will cause the
server to evaluate this filter against the rules given in
Section 4.2.1.3 in the event that the search is performed on a
dynamic group object. As of this writing, no other matching rules
exist for the distinguished name syntax, thus no requirements beyond
equalityMatch are given here.
6.2. New Extensions

The following new extensions are added for dynamic group support.

6.2.1. Managing the static members of a dynamic group

Because a dynamic group overloads the semantics of the member and
uniqueMember attributes, a mechanism is needed to retrieve the static
values found in these attributes for management purposes. To serve
this need, a new attribute option called 'x-static' is defined here.
Attribute options are discussed in Section 2.5 of [2]. This option
SHALL only be specified with the 'member' or 'uniqueMember'
attribute. When the LDAP server does not understand the semantics of
this option on a given attribute, the option SHOULD be ignored. This
attribute option is only used to affect the transmitted values, and
does not impose sub-typing semantics on the attribute.

This option MAY be specified by a client during a search request in
the list of attributes to be returned, i.e. member;x-static. In this
case, the server SHALL only return those members of the dynamic group
that are statically listed as values of the member or uniqueMember
attribute. The evaluation process given in Section 4.2.1.3 SHALL NOT
be used to populate the values to be returned.

This option MAY be specified in either an equalityMatch or presence
search filter. In this case, the server evaluates only the values
statically listed in the member or uniqueMember attribute, and does
not apply the evaluation process given in Section 4.2.1.3.

This option MAY be specified in update operations such as add and
modify, but SHOULD be ignored, as its presence is semantically the
same as its absence.

Note to user: Performing a search to read a dynamic group, with a
filter item such as (member=*) and specifying member;x-static in the
attribute list, may result in a search result entry that has no
member attribute: the filter matched because of a dynamic member,
while the returned attribute lists only static ones. This may seem
counter-intuitive.
7. Performance Considerations

When the x-chain extension is present on the memberQueryURL, the
server MUST follow any search continuation references to other
servers while searching for dynamic members. This may be expensive
and slow in a truly distributed environment. A dynamicGroup
implementation can consider a distributed caching feature to improve
performance. An outline of such distributed caching is given below.

7.1. Caching of Dynamic Members

Since the dynamic members of a group are computed every time the
group is accessed, performance could be affected. An implementation
of dynamic groups can get around this problem by caching the computed
members of a dynamic group locally and using the cached data
subsequently. One way to do this is to create pseudo-objects for each
dynamic group on every server that holds an object that is a dynamic
member of the group. With this, the computation of the dynamic
members of a group reduces to the task of reading the pseudo-objects
from each server. These pseudo-objects need to be linked from the
original dynamic group to speed up the member computation. Also,
since these are cached objects, appropriate timeouts need to be
associated with the cache, after which the cache should be
invalidated or refreshed.
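The caching outline of Section 7.1 as an added example (this is not code from the draft or from OpenLDAP): one pseudo-object per (dynamic group, server), linked from the group, with a time-out after which the pseudo-object is recomputed, plus explicit invalidation for when the group's memberQueryURL or excludedMember changes. The compute callback stands for the expensive chained search on one server; the two server names, the TTL and the injectable clock are assumptions chosen so that expiry can be shown deterministically.

```python
# Added example, not code from the draft or OpenLDAP: a model of the
# pseudo-object cache outlined in Section 7.1.  'compute' stands for the
# expensive (possibly chained) search on one server; servers, TTL and the
# injectable clock are assumptions.
import time

class PseudoObjectCache:
    """Each server holding dynamic members keeps one pseudo-object (a cached
    member list) per dynamic group; the group links to those pseudo-objects,
    so computing the membership reduces to reading them.  A pseudo-object
    older than ttl_seconds is recomputed on the next read."""

    def __init__(self, compute, ttl_seconds, clock=time.monotonic):
        self._compute = compute      # compute(group_dn, server) -> iterable of DNs
        self._ttl = ttl_seconds
        self._clock = clock
        self._links = {}             # group_dn -> servers holding a pseudo-object
        self._pseudo = {}            # (group_dn, server) -> (expires_at, frozenset)
        self.recomputations = 0

    def link(self, group_dn, server):
        """Record that 'server' holds dynamic members of the group."""
        self._links.setdefault(group_dn, set()).add(server)

    def members(self, group_dn):
        """Union of the per-server pseudo-objects, refreshing expired ones."""
        now = self._clock()
        result = set()
        for server in sorted(self._links.get(group_dn, ())):
            key = (group_dn, server)
            cached = self._pseudo.get(key)
            if cached is None or now >= cached[0]:
                self.recomputations += 1
                cached = (now + self._ttl,
                          frozenset(self._compute(group_dn, server)))
                self._pseudo[key] = cached
            result |= cached[1]
        return result

    def invalidate(self, group_dn):
        """Drop the group's pseudo-objects, e.g. after its memberQueryURL or
        excludedMember attribute changes, so the next read recomputes them."""
        for key in [k for k in self._pseudo if k[0] == group_dn]:
            del self._pseudo[key]

def example_cache(clock):
    """Constructed two-server deployment: each server contributes the
    dynamic members of cn=dg1,o=myorg that it holds locally."""
    held = {"ldap1": ["cn=bob,ou=finance,o=myorg", "cn=alice,ou=finance,o=myorg"],
            "ldap2": ["cn=john,ou=finance,o=myorg"]}
    cache = PseudoObjectCache(lambda group, server: held[server],
                              ttl_seconds=300, clock=clock)
    for server in held:
        cache.link("cn=dg1,o=myorg", server)
    return cache
```

Reads within the TTL cost no searches at all; after 300 seconds, or after invalidate(), each server's pseudo-object is rebuilt once. Whether excludedMember is applied before or after caching is an implementation choice; applying it at read time keeps a change to excludedMember from requiring a recompute.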
8. Security Considerations

This document discusses the use of one object as the identity
(Section 4.5) with which to read information for another object. If
the creation of the dgIdentity attribute is uncontrolled, an intruder
could potentially create a dynamic group with the identity of, say,
the administrator, to be able to read the directory as the
administrator and see information which would otherwise be
unavailable. Thus, a person adding an object as the identity of a
dynamic group should have appropriate permissions on the object being
added as the identity.

This document also discusses using dynamic memberships to provide
access to resources in a directory. As the dynamic members are not
created by the administrator, there could be surprises for the
administrator in the form of certain objects getting access to
certain resources through dynamic membership which the administrator
never intended. The administrator should be wary of such problems,
review the computed memberships, and make sure that anybody who is
not supposed to be a member of a group is added to the excludedMember
list.

Denial of service attacks can be launched on an LDAP server by
repeatedly searching for a dynamic group with a large membership list
and listing the member attribute. A more effective form of denial of
service attack could be launched by making searches of the form
(member="somedn") at the top of the tree and closing the client
connection as soon as the search starts. Administrative limits should
be imposed to avoid such situations.

The dynamic groups feature could potentially be misused by a user to
circumvent any administrative size-limit restriction placed on the
server. In order to search an LDAP server and obtain the names of
all the objects on the server irrespective of the administrative
size-limit restriction, the LDAP user could create a dynamic group
with a memberQueryURL which matches all objects in the tree, and list
just that one object.

9.  IANA Considerations

   There are no IANA considerations.

10.  Conclusions

   This document discusses the syntax, semantics and usage of dynamic
   groups in LDAPv3.

Appendix A.  Example Values for memberQueryURL

   1.  This memberQueryURL value specifies the membership criteria for a
       dynamic group entry as "all inetorgperson entries that also have
       their title attribute set to 'manager', and are in the DIT-wide
       subtree under ou=hr,o=myorg".

       memberQueryURL: ldap:///
         ou=hr,o=myorg??sub?(&
         (objectclass=inetorgperson)(title=manager))? x-chain

   2.  This value lets the user specify the membership criteria for a
       dynamic group entry as "all entries on the local server that
       either have unix accounts or belong to the unix department, and
       are under the engineering container".

       memberQueryURL: ldap:///ou=eng,o=myorg??sub?
         (|(objectclass=posixaccount)(department=unix))

   3.  These values let the user specify the membership criteria as "all
       inetorgperson entries on the local server, in either the
       ou=eng,o=myorg or ou=support,o=myorg subtrees".

       memberQueryURL:
         ldap:///ou=eng,o=myorg??sub?(objectclass=inetorgperson)

       memberQueryURL:
         ldap:///ou=support,o=myorg??sub?(objectclass=inetorgperson)
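   The memberQueryURL values above are LDAP URLs.  As an added example
   that is not part of this draft, the following Python parses such a
   value into its base DN, scope, filter and extensions, then applies the
   kind of administrative review Section 8 calls for: a subtree query
   that matches every entry (the size-limit circumvention case), a base
   outside the subtree the administrator permits, a remote host, or an
   unknown extension.  The allowed base (o=myorg) and the list of known
   extensions are assumed policy values, and the DN comparison is a
   naive component match rather than full DN matching.

```python
# Added example, not from the draft: parse a memberQueryURL value (an LDAP
# URL: ldap://host/dn?attrs?scope?filter?extensions) and review it against a
# constructed administrative policy before a dynamic group may use it.
from urllib.parse import unquote


def parse_member_query_url(url):
    """Split an LDAP URL into its components; missing parts get the
    defaults an LDAP URL implies (scope 'base', filter matching everything)."""
    if not url.startswith("ldap://"):
        raise ValueError("not an ldap: URL: %r" % url)
    host, _, rest = url[len("ldap://"):].partition("/")
    parts = [unquote(p.strip()) for p in rest.split("?")]
    parts += [""] * (5 - len(parts))  # pad to dn, attrs, scope, filter, exts
    dn, attrs, scope, flt, exts = parts[:5]
    return {
        "host": host,
        "base": dn,
        "attrs": [a for a in attrs.split(",") if a],
        "scope": scope.lower() or "base",
        "filter": flt or "(objectClass=*)",
        "extensions": [e for e in exts.split(",") if e],
    }


def dn_within(dn, base):
    """True when dn equals base or lies beneath it.  Naive comparison of
    lowercased RDN components; not full RFC 4514 DN matching."""
    norm = lambda s: [c.strip().lower() for c in s.split(",") if c.strip()]
    d, b = norm(dn), norm(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def review_member_query_url(url, allowed_base, known_exts=("x-chain",)):
    """Return the reasons an administrator should look at this value before
    accepting it (Section 8: a query matching the whole tree defeats server
    size limits).  allowed_base and known_exts are assumed policy values."""
    q = parse_member_query_url(url)
    issues = []
    if q["host"]:
        issues.append("refers to remote host " + q["host"])
    if not dn_within(q["base"], allowed_base):
        issues.append("base %s outside %s" % (q["base"], allowed_base))
    if q["scope"] == "sub" and q["filter"].lower() in (
            "(objectclass=*)", "(objectclass=top)"):
        issues.append("subtree query matches all entries")
    for ext in q["extensions"]:
        if ext.lstrip("!").split("=")[0].lower() not in known_exts:
            issues.append("unknown extension " + ext)
    return issues
```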

Appendix B.  Acknowledgments

   Funding for the RFC Editor function is currently provided by the
   Internet Society.

Authors' Addresses

   Haripriya S
   Novell, Inc.
   49/1 & 49/3 Garvebhavi Palya,
   7th Mile, Hosur Road
   Bangalore, Karnataka 560068
   India

   Email: sharipriya@novell.com


   Jaimon Jose (editor)
   Novell, Inc.
   49/1 & 49/3 Garvebhavi Palya,
   7th Mile, Hosur Road
   Bangalore, Karnataka 560068
   India

   Email: jjaimon@novell.com


   Jim Sermersheim
   Novell, Inc.
   1800 South Novell Place
   Provo, Utah 84606
   US

   Email: jimse@novell.com

Full Copyright Statement

   Copyright (C) The Internet Society (2007).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.


Acknowledgment

   Funding for the RFC Editor function is provided by the IETF
   Administrative Support Activity (IASA).