[Date Prev][Date Next] [Chronological] [Thread] [Top]

BNF with Auth Meth subject

To: <ietf-ldapext-acm@OpenLDAP.org>
Subject: BNF with Auth Meth subject
From: "Jim Sermersheim" <JIMSE@novell.com>
Date: Wed, 26 Apr 2000 11:14:30 -0600

I won't be here for the next conference call.

Here's the new BNF that includes the authmeth identity.

1. ACI Syntax definition

   ( <OID TBD> DESC 'ACI' )


1.1 ACI String Representation

   Values of this syntax are encoded according to the following BNF which 
   follows the BNF encoding conventions described in [RFC2234]:

   aci = scope "#" rights "#" attr "#" subject

   scope = "entry" / "subtree"

   rights = (("grant:" / "deny:") permissions) / 
            ("grant:" permissions ";deny:" permissions)

   permissions = [permission *("," permission)]

   permission = "a" / ; add
                "d" / ; delete
                "r" / ; read
                "s" / ; search
                "w" / ; write (mod-add)
                "o" / ; obliterate (mod-del)
                "c" / ; compare
                "e" / ; edit DN
                "b"   ; browse DN

   attr = "[all]" / "[entry]" / (attribute *("," attribute))
   
   attribute = ; OID syntax (1.3.6.1.4.1.1466.115.121.1.38) from [RFC2252]

   subject = ("authzID-" authzID) / 
             ("role:" dn) /
             ("group:" dn) /
             ("subtree:" dn) /
             ("ipAddress:" ipAddress) /
             "public:" /
             "this:"

   authzID = ; authzID from [AuthMeth] repeated below for convenience

   authzId = dnAuthzId / uAuthzId

   ; distinguished-name-based authz id.
   dnAuthzId  = "dn:" dn

   dn         = utf8string ; with syntax defined in RFC 2253

   ; unspecified userid, UTF-8 encoded.
   uAuthzId   = "u:" userid
   userid     = utf8string ; syntax unspecified

   ipAddress = printableString ; dotted decimal form (e.g. 10.0.0.6)

   printableString ; printableString syntax 
                   ; (1.3.6.1.4.1.1466.115.121.1.44) from [RFC2252]

   Note that the colon following the "public" and "this" subject options
   exist only to simplify string parsing.

   Note also that per [AuthMeth], authzID may be expanded in the future
  
1.2 ACI Binary Representation
 
   The following ASN.1 data type is used to represent this syntax when
   transferred in binary form:

   Aci ::= SEQUENCE {
      scope      ENUMERATED {
            entry       (0),
            subtree     (1) },
      rights     SEQUENCE OF CHOICE {
            grant       [0] Permissions,
            deny        [1] Permissions },
      attr       CHOICE {
            all         [0] NULL,
            entry       [1] NULL,
            attributes  [2] SEQUENCE OF Attribute },
      subject    CHOICE {
            dn          [0] DN,
            user	[1] utf8String
            role        [1] DN,
            group       [2] DN,
            subtree     [3] DN,
            ipAddress   [4] IPAddress,
            public      [6] NULL,
            this        [7] NULL }, } -- may be expanded per [AuthMeth]

   Permissions ::= SEQUENCE OF ENUMERATED {
      add        (0),
      delete     (1),
      read       (2),
      search     (3),
      write      (4),
      compare    (5),
      editDN     (6),
      browseDN   (7) }

   Attribute ::= AttributeType -- from [RFC2251]

   IPAddress ::= PrintableString -- (e.g. 10.0.0.6)

Prev by Date: ldap access control model: conference call May 2 plus agenda
Next by Date: Disclose on Error
Index(es):
- Chronological
- Thread