
Fwd: KerberosId/UserID/access-id




Date: Wed, 12 Apr 2000 23:07:21 -0500
To: ietf-ldapext-adm@openldap.org
From: Ellen Stokes <stokes@austin.ibm.com>
Subject: Fwd: KerberosId/UserID/access-id
Cc: stokes@austin.ibm.com, djbyrne@us.ibm.com, gblakley@tivoli.com, grunt@nortelnetworks.com, jimse@novell.com, roger_harrison@novell.com, kurt@openldap.org, sganguly@novell.com, rbyrne@france.sun.com, usriniva@us.oracle.com, dsward@novell.com, albert.langer@neither.org, leifj@it.su.se, keith.richardson@peerlogic.com, helmut.volpers@icn.siemens.de, sanjay.jain@software.com, hsastry@us.oracle.com, sshrivas@us.oracle.com, paulle@microsoft.com, m.wahl@innosoft.com, kyungae_lim@iris.com


Here's Kurt's proposal on aligning KerberosID in access control model spec
with the authmeth spec.

So have at it for discussion on the mailing list - this will be an agenda item
for the April 18 conference call.

By the way, I'm sending this to the new mailing list AND cc: to the temp mailing list.
So please subscribe to the mailing list (per one of Kurt's previous notes to you this
week) if you haven't already done so.


thanks.
Ellen


X-Sender: guru@infidel.boolean.net
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date: Wed, 29 Mar 2000 21:29:18 +0900
To: stokes@austin.ibm.com
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Subject: KerberosId/UserID/access-id (two)
Cc: Leif Johansson <leifj@it.su.se>, <JIMSE@novell.com>

Fixed Typos...

Requirement as discussed:
The LDAP ACI model must be capable of supporting all authorization
identity forms prescribed by the protocol (and detailed by
the "Authentication Methods for LDAP" (authmeth) draft).  This
draft has been approved for publication as a Proposed Standard.

New Issue:
AuthMeth draft allows for addition of authorization forms and
these need to be supported by ACIs.  It should not be necessary
to update both the AuthMeth spec and the ACI spec to add authorization
forms to LDAP.  Such additions should only require extension as
described by authmeth.

Solution:

Rework the LDAPaci BNF such that the access-id is an AuthMethod
AuthzId.

For example:

ldapACI: 1.2.3.4#subtree#grant;r;attribute:attr1;
                         #access-id#dn:cn=jsmith,ou=ABC,o=XYZ,c=US
ldapACI: 1.2.3.4#subtree#grant;r;attribute:attr1;
                         #access-id#u:jsmith@REALM

Then, if and when AuthMeth is extended to support some new
form "guid:", the following would be allowed withOUT requiring
a separate update of the ldapACI specification.

ldapACI: 1.2.3.4#subtree#grant;r;attribute:attr1;
                         #access-id#guid:0xbad1D


I would also suggest "access-id" be changed to "authzID".

If you would like to discuss this issue, I should be available
tomorrow afternoon (prior to LDUP session).

        Kurt
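Kurt's proposal above, as an added example that is not part of the original message: a small parser for the ldapACI values he shows, in which the access-id field is handed to an authzId registry modelled on authmeth's dn: and u: forms rather than parsed by the ACI grammar itself. Unknown forms are rejected until registered, so the guid: value is denied by the default table and accepted once a guid form is added; the registry, validators and folded sample listing are constructed for illustration.

```python
# Registry of authzId forms (authmeth): prefix -> validator of the value part. The ACI
# parser only consults this table, so a new form such as "guid:" is registered here.
AUTHZID_FORMS = {
    "dn": lambda v: "=" in v,                 # must at least look like a DN
    "u": lambda v: bool(v) and " " not in v,  # non-empty userid
}

def unfold(text):
    """Rejoin folded values: a line starting with whitespace continues the previous one."""
    out = []
    for line in text.splitlines():
        if line[:1].isspace() and out:
            out[-1] += line.strip()
        elif line.strip():
            out.append(line.strip())
    return out

def parse_authzid(authzid, forms=AUTHZID_FORMS):
    prefix, sep, value = authzid.partition(":")
    if not sep or prefix not in forms:
        # Unknown form: reject the ACI (fail closed) instead of guessing who it names.
        raise ValueError(f"unsupported authzId form in {authzid!r}")
    if not forms[prefix](value):
        raise ValueError(f"malformed {prefix}: value {value!r}")
    return prefix, value

def parse_ldapaci(line, forms=AUTHZID_FORMS):
    """Return dict(oid, scope, rights, form, subject) for one ldapACI value."""
    value = line.removeprefix("ldapACI:").strip()
    fields = value.split("#")  # an unescaped '#' inside a DN fails the count check below
    if len(fields) != 5 or fields[3] not in ("access-id", "authzID"):
        raise ValueError(f"not a well-formed ldapACI value: {value!r}")
    oid, scope, rights, _, authzid = fields
    form, subject = parse_authzid(authzid, forms)
    return {"oid": oid, "scope": scope, "rights": rights, "form": form, "subject": subject}

def load_acis(text, forms=AUTHZID_FORMS):
    """Return (accepted ACIs, rejected raw lines) for a folded ldapACI listing."""
    accepted, rejected = [], []
    for line in unfold(text):
        try:
            accepted.append(parse_ldapaci(line, forms))
        except ValueError:
            rejected.append(line)
    return accepted, rejected
# Constructed sample: the three values from the message, folded as written there.
SAMPLE = """ldapACI: 1.2.3.4#subtree#grant;r;attribute:attr1;
                         #access-id#dn:cn=jsmith,ou=ABC,o=XYZ,c=US
ldapACI: 1.2.3.4#subtree#grant;r;attribute:attr1;
                         #access-id#u:jsmith@REALM
ldapACI: 1.2.3.4#subtree#grant;r;attribute:attr1;
                         #access-id#guid:0xbad1D"""
```

With the default table `load_acis(SAMPLE)` accepts the dn: and u: entries and rejects the guid: one; passing `dict(AUTHZID_FORMS, guid=...)` accepts all three without touching the parser.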