BNF with Auth Meth subject
I won't be here for the next conference call.
Here's the new BNF that includes the authmeth identity.
1. ACI Syntax definition
( <OID TBD> DESC 'ACI' )
1.1 ACI String Representation
Values of this syntax are encoded according to the following BNF which
follows the BNF encoding conventions described in [RFC2234]:
aci         = scope "#" rights "#" attr "#" subject
scope       = "entry" / "subtree"
rights      = (("grant:" / "deny:") permissions) /
              ("grant:" permissions ";deny:" permissions)
permissions = [permission *("," permission)]
permission  = "a" / ; add
              "d" / ; delete
              "r" / ; read
              "s" / ; search
              "w" / ; write (mod-add)
              "o" / ; obliterate (mod-del)
              "c" / ; compare
              "e" / ; edit DN
              "b"   ; browse DN
attr        = "[all]" / "[entry]" / (attribute *("," attribute))
attribute   = ; OID syntax (1.3.6.1.4.1.1466.115.121.1.38) from [RFC2252]
subject     = ("authzID-" authzID) /
              ("role:" dn) /
              ("group:" dn) /
              ("subtree:" dn) /
              ("ipAddress:" ipAddress) /
              "public:" /
              "this:"
authzID     = ; authzID from [AuthMeth], repeated below for convenience
authzId     = dnAuthzId / uAuthzId
              ; distinguished-name-based authz id.
dnAuthzId   = "dn:" dn
dn          = utf8string ; with syntax defined in RFC 2253
              ; unspecified userid, UTF-8 encoded.
uAuthzId    = "u:" userid
userid      = utf8string ; syntax unspecified
ipAddress   = printableString ; dotted decimal form (e.g. 10.0.0.6)
printableString = ; printableString syntax
                  ; (1.3.6.1.4.1.1466.115.121.1.44) from [RFC2252]
Note that the colon following the "public" and "this" subject options
exists only to simplify string parsing.
Note also that, per [AuthMeth], authzID may be expanded in the future.
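A parser for the string representation above, added here as an illustration and not code from this message or from the draft; the function names and the sample ACI values in the comments are my own. It splits on the first three "#" only, since an RFC 2253 DN in the subject may itself contain "#" (hex-encoded attribute values), and it rejects anything the BNF does not allow rather than guessing.

```python
import re

PERMISSIONS = set("adrswoceb")  # a d r s w o c e b, exactly as listed in the BNF

def parse_permissions(s):
    # permissions = [permission *("," permission)]; the empty list is legal
    perms = s.split(",") if s else []
    if any(p not in PERMISSIONS for p in perms):
        raise ValueError(f"unknown permission in {s!r}")
    return perms

def parse_rights(s):
    # rights = ("grant:"/"deny:") permissions / "grant:" permissions ";deny:" permissions
    parts = s.split(";")
    if len(parts) == 2 and parts[0].startswith("grant:") and parts[1].startswith("deny:"):
        return {"grant": parse_permissions(parts[0][6:]), "deny": parse_permissions(parts[1][5:])}
    kind, sep, perms = s.partition(":")
    if len(parts) != 1 or not sep or kind not in ("grant", "deny"):
        raise ValueError(f"malformed rights: {s!r}")
    return {kind: parse_permissions(perms)}

def parse_attr(s):
    # attr = "[all]" / "[entry]" / (attribute *("," attribute)); descriptor or numeric OID
    if s not in ("[all]", "[entry]") and not all(
            re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)+", a) for a in s.split(",")):
        raise ValueError(f"malformed attribute list: {s!r}")
    return s if s.startswith("[") else s.split(",")

def parse_subject(s):
    # subject = authzID / role / group / subtree / ipAddress / public / this
    if s in ("public:", "this:"):
        return (s[:-1], None)
    if s.startswith("authzID-"):  # authzId = "dn:" dn / "u:" userid, per [AuthMeth]
        authz = s[len("authzID-"):]
        for prefix, kind in (("dn:", "dn"), ("u:", "user")):
            if authz.startswith(prefix):
                return (kind, authz[len(prefix):])
    for kind in ("role", "group", "subtree", "ipAddress"):
        if s.startswith(kind + ":"):
            value = s[len(kind) + 1:]
            if kind == "ipAddress" and not re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", value):
                raise ValueError(f"ipAddress is not dotted decimal: {value!r}")
            return (kind, value)
    raise ValueError(f"unknown subject: {s!r}")

def parse_aci(text):
    # aci = scope "#" rights "#" attr "#" subject; only the first three '#' are separators
    fields = text.split("#", 3)
    if len(fields) != 4 or fields[0] not in ("entry", "subtree"):
        raise ValueError(f"malformed ACI: {text!r}")
    scope, rights, attr, subject = fields
    return {"scope": scope, "rights": parse_rights(rights),
            "attr": parse_attr(attr), "subject": parse_subject(subject)}
```

Constructed sample input: `parse_aci("subtree#grant:r,s;deny:w,o#cn,sn#group:cn=admins,dc=example,dc=com")`.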
1.2 ACI Binary Representation
The following ASN.1 data type is used to represent this syntax when
transferred in binary form:
Aci ::= SEQUENCE {
    scope   ENUMERATED {
                entry   (0),
                subtree (1) },
    rights  SEQUENCE OF CHOICE {
                grant [0] Permissions,
                deny  [1] Permissions },
    attr    CHOICE {
                all        [0] NULL,
                entry      [1] NULL,
                attributes [2] SEQUENCE OF Attribute },
    subject CHOICE {
                dn        [0] DN,
                user      [1] utf8String,
                role      [2] DN,
                group     [3] DN,
                subtree   [4] DN,
                ipAddress [5] IPAddress,
                public    [6] NULL,
                this      [7] NULL } }  -- may be expanded per [AuthMeth]
Permissions ::= SEQUENCE OF ENUMERATED {
    add      (0),
    delete   (1),
    read     (2),
    search   (3),
    write    (4),
    compare  (5),
    editDN   (6),
    browseDN (7) }
Attribute ::= AttributeType  -- from [RFC2251]
IPAddress ::= PrintableString  -- (e.g. 10.0.0.6)