Fwd: KerberosId/UserID/access-id

[Ellen Stokes <stokes@austin.ibm.com>]

> Date: Wed, 12 Apr 2000 23:07:21 -0500
> To: ietf-ldapext-adm@openldap.org
> From: Ellen Stokes <stokes@austin.ibm.com>
> Subject: Fwd: KerberosId/UserID/access-id
> Cc: stokes@austin.ibm.com, djbyrne@us.ibm.com, gblakley@tivoli.com, 
> grunt@nortelnetworks.com, jimse@novell.com, roger_harrison@novell.com, 
> kurt@openldap.org, sganguly@novell.com, rbyrne@france.sun.com, 
> usriniva@us.oracle.com, dsward@novell.com, albert.langer@neither.org, 
> leifj@it.su.se, keith.richardson@peerlogic.com, 
> helmut.volpers@icn.siemens.de, sanjay.jain@software.com, 
> hsastry@us.oracle.com, sshrivas@us.oracle.com, paulle@microsoft.com, 
> m.wahl@innosoft.com, kyungae_lim@iris.com
>
> Here's Kurt's proposal on aligning KerberosID in access control model spec
> with the authmeth spec.
>
> So have at it for discussion on the mailing list - this will be an agenda item
> for the April 18 conference call.
>
> By the way, I'm sending this to the new mailing list AND cc: to the temp 
> mailing list.
> So please subscribe to the mailing list (per one of Kurt's previous notes 
> to you this
> week) if you haven't already done so.
>
> thanks.
> Ellen
>
>
> > X-Sender: guru@infidel.boolean.net
> > X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
> > Date: Wed, 29 Mar 2000 21:29:18 +0900
> > To: stokes@austin.ibm.com
> > From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
> > Subject: KerberosId/UserID/access-id (two)
> > Cc: Leif Johansson <leifj@it.su.se>, <JIMSE@novell.com>
> >
> > Fixed Typos...
> >
> > Requirement as discussed:
> > The LDAP ACI model must be capable of supporting all authorization
> > identify forms prescribed by the the protocol (and detailed by
> > the "Authentication Methods for LDAP" (authmeth) draft).  This
> > draft has been approved for publication as a Proposed Standard.
> >
> > New Issue:
> > AuthMeth draft allows for addition of authorization forms and
> > these need to be supported by ACIs.  It should not be necessary
> > to update both the AuthMeth spec and the ACI spec to add authorization
> > forms to LDAP.  Such additions should only require extension as
> > described by authmeth.
> >
> > Solution:
> >
> > Rework the LDAPaci BNF such that the access-id is an AuthMethod
> > AuthzId.
> >
> > For example:
> >
> > ldapACI: 1.2.3.4#subtree#grant;r;attribute:attr1;
> >                          #access-id#dn:cn=jsmith,ou=ABC,o=XYZ,c=US
> > ldapACI: 1.2.3.4#subtree#grant;r;attribute:attr1;
> >                          #access-id#u:jsmith@REALM
> >
> > Then, if and when AuthMeth is extended to support some new
> > form "guid:", the following would be allowed withOUT requiring
> > a separate update of the ldapACI specification.
> >
> > ldapACI: 1.2.3.4#subtree#grant;r;attribute:attr1;
> >                          #access-id#guid:0xbad1D
> >
> >
> > I would also suggest "access-id" be changed to "authzID".
> >
> > If you would like to discuss this issue, I should be available
> > tomorrow afternoon (prior to LDUP session).
> >
> >         Kurt