
Re: Authlevel in LDAP ACI



Here's a sketchy BNF for incorporating authentication strength
and mechanism per today's discussion.

< ldapACI > ::= < acl entry syntax >

< acl entry syntax > ::= <familyOID> + '#' + <scope > + '#'
                             + < rights >  + '#' + < dnType >
                             + < authLevel > + '#' + < subjectDn >

< authLevel > ::= "none" | "simple" | <strong>

< strong > ::= "strong" | < SASLauth >

< SASLauth > ::= "SASL" + ':' + < SASLmech >

< SASLmech > ::= "EXTERNAL" | "DIGEST-MD5" | "KERBEROS-ID" | < printableString >

Assumption here is that anything other than none or simple is strong and strong can
be specified as strong (any other mechanism) or an explicit mechanism.


Thoughts?

Ellen


At 02:01 PM 4/17/00 +0200, you wrote:


LDAP ACI extension for Authentication Level.
============================================

Instead of introducing a 'authenticated' pseudo-user we should have a
field AUTH-LEVEL in an LDAP-ACI which can have several values,
at least the number of the different authentication mechanisms.
The values are NONE, SIMPLE, EXTERNAL and can be extended if
necessary.

Proposal:

In order to be able to have distinct grants & denials for the
same subject depending on subject's authenticationLevel it is proposed to
add an authLevel field to the ldapACI definition:

< ldapACI > ::= < acl entry syntax >

< acl entry syntax > ::= <familyOID> + '#' + <scope > + '#'
                             + < rights >  + '#' + < dnType >
                             + < authLevel > + '#' + < subjectDn >

< authLevel > ::= "none" | "simple" | < SASLauth >

< SASLauth > ::= "SASL" + ':' + < SASLmech >

< SASLmech > ::= "EXTERNAL" | "DIGEST-MD5" | < printableString >


The authlevel is intended to be used in the Access Control Decision as a further qualifier to the subjectDN, e.g :

1) simple#cn=jsmith,ou=ABC,o=CDE,c=US
   refers to the entry cn=jsmith,ou=ABC,o=CDE,c=US if the entry used
   DN and password in a simple bind
2) SASL:EXTERNAL#cn=jsmith,ou=ABC,o=CDE,c=US
   refers to the entry cn=jsmith,ou=ABC,o=CDE,c=US if the entry used
   SSL client authentication in SASL bind ( and the authenticated
   identity is mapped on the DN cn=jsmith,ou=ABC,o=CDE,c=US )

If we do something like this, it has an impact on the chapters 8, 9, and 10
of the Access Control Model in the sense that not only a DN must be checked
but also the AUTH_LEVEL.

Helmut
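A parser and access-check for the ACI syntax sketched in both messages, added here as an illustration (it is not code from either message or from any LDAP server). It assumes a '#' between dnType and authLevel (the BNF as posted omits it, but every other field is '#'-delimited), the matching semantics the thread describes (none and simple match only themselves, strong matches any SASL mechanism, SASL:<mech> matches that mechanism only), and constructed sample ACIs whose scope, rights and dnType values are placeholders.

```python
import re
from dataclasses import dataclass

# authLevel values from Ellen's BNF: "none" | "simple" | "strong" | "SASL:<mech>".
# Assumption: dnType and authLevel are separated by '#', like every other field.
_SASL = re.compile(r"SASL:([A-Za-z0-9-]+)$")


@dataclass(frozen=True)
class ACI:
    family_oid: str
    scope: str
    rights: str
    dn_type: str
    auth_level: str
    subject_dn: str


def parse_aci(value: str) -> ACI:
    """Split one ACI value into its six '#'-delimited fields and validate authLevel."""
    fields = value.split("#", 5)  # cap the split: a subjectDn may itself contain '#'
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}: {value!r}")
    level = fields[4]
    if level not in ("none", "simple", "strong") and not _SASL.match(level):
        raise ValueError(f"invalid authLevel {level!r}")
    return ACI(*fields)


def auth_level_satisfied(required: str, actual: str) -> bool:
    """Does a bind performed at `actual` satisfy an ACI that names `required`?
    Assumed semantics, taken from the thread: none/simple match only themselves,
    "strong" matches any SASL mechanism, "SASL:<mech>" matches that mechanism only."""
    if required in ("none", "simple"):
        return actual == required
    if required == "strong":
        return bool(_SASL.match(actual))
    return actual.upper() == required.upper()  # explicit mechanism, e.g. SASL:EXTERNAL


def aci_applies(aci: ACI, bind_dn: str, bind_auth: str) -> bool:
    """Helmut's qualifier: the ACI names this subject AND the bind used the required level."""
    same_subject = aci.subject_dn.replace(" ", "").lower() == bind_dn.replace(" ", "").lower()
    return same_subject and auth_level_satisfied(aci.auth_level, bind_auth)


# Constructed sample ACIs; familyOID, scope, rights and dnType are placeholders.
SAMPLE_ACIS = (
    "1.2.3.4#entry#grant:r#access-id#simple#cn=jsmith,ou=ABC,o=CDE,c=US",
    "1.2.3.4#entry#grant:r,w#access-id#SASL:EXTERNAL#cn=jsmith,ou=ABC,o=CDE,c=US",
    "1.2.3.4#entry#grant:r,w#access-id#strong#cn=jsmith,ou=ABC,o=CDE,c=US",
)


def applicable_rights(bind_dn: str, bind_auth: str, acis=SAMPLE_ACIS) -> list:
    """Rights field of every ACI that applies to a bind by `bind_dn` at level `bind_auth`."""
    return [a.rights for a in map(parse_aci, acis) if aci_applies(a, bind_dn, bind_auth)]
```

With these samples the same subject gets read-only access after a simple bind and read/write only after a SASL bind, which is the distinct-grants-per-level behaviour the proposal is after.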