LDAP ACI extension for Authentication Level.
============================================
Instead of introducing an 'authenticated' pseudo-user we should have a
field AUTH-LEVEL in an LDAP ACI which can take several values, at least
one per supported authentication mechanism. The initial values are
NONE, SIMPLE and EXTERNAL, and the set can be extended if necessary.
Proposal:
In order to be able to have distinct grants and denials for the same
subject depending on the subject's authentication level, it is proposed
to add an authLevel field to the ldapACI definition (a '#' separates
the new field from its neighbours, like every other field):
<ldapACI> ::= <acl entry syntax>
<acl entry syntax> ::= <familyOID> + '#' + <scope> + '#'
                       + <rights> + '#' + <dnType> + '#'
                       + <authLevel> + '#' + <subjectDn>
<authLevel> ::= "none" | "simple" | <SASLauth>
<SASLauth> ::= "SASL" + ':' + <SASLmech>
<SASLmech> ::= "EXTERNAL" | "DIGEST-MD5" | <printableString>
The authLevel is intended to be used in the Access Control Decision as a
further qualifier of the subjectDn, e.g.:
1) simple#cn=jsmith,ou=ABC,o=CDE,c=US
   refers to the entry cn=jsmith,ou=ABC,o=CDE,c=US only if that entry
   authenticated with DN and password in a simple bind
2) SASL:EXTERNAL#cn=jsmith,ou=ABC,o=CDE,c=US
   refers to the entry cn=jsmith,ou=ABC,o=CDE,c=US only if that entry
   authenticated with SSL client authentication in a SASL bind (and the
   authenticated identity is mapped onto the DN
   cn=jsmith,ou=ABC,o=CDE,c=US)
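The two cases above worked through in code, as an added example that is not part of the original proposal: it parses a '#'-delimited ldapACI value carrying the new authLevel field and makes the access control decision on the bind DN and the bind's authentication level together. The familyOID, scope and dnType values are constructed sample data, and the rights field uses a simplified "grant:<perms>" / "deny:<perms>" form assumed only for this example.

```python
from dataclasses import dataclass

@dataclass
class Aci:
    family_oid: str
    scope: str
    rights: str       # simplified "grant:<perms>" / "deny:<perms>" form, assumed for this example
    dn_type: str
    auth_level: str   # "none", "simple" or "SASL:<mech>" as in the proposal
    subject_dn: str

def parse_aci(value):
    """Split a '#'-delimited ldapACI value into its six fields and validate authLevel."""
    parts = value.split("#", 5)  # maxsplit keeps any later '#' inside the subject DN
    if len(parts) != 6:
        raise ValueError("ldapACI needs 6 '#'-separated fields")
    aci = Aci(*parts)
    if aci.auth_level not in ("none", "simple") and not aci.auth_level.startswith("SASL:"):
        raise ValueError("unknown authLevel: " + aci.auth_level)
    return aci

def norm_dn(dn):
    """Crude DN normalisation: lowercase and strip spaces around RDN separators."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))

def decide(acis, bind_dn, bind_level, perm):
    """Decision for one permission: 'grant', 'deny' or None (no ACI applies).
    An ACI applies only if BOTH the subject DN and the authLevel match the bind; deny wins."""
    outcome = None
    for aci in acis:
        if norm_dn(aci.subject_dn) != norm_dn(bind_dn):
            continue
        if aci.auth_level.lower() != bind_level.lower():   # the new AUTH-LEVEL qualifier
            continue
        action, perms = aci.rights.split(":", 1)
        if perm not in perms:
            continue
        if action == "deny":
            return "deny"
        outcome = "grant"
    return outcome

# Constructed sample ACIs: a simple bind grants r and w but a deny on w overrides it,
# so jsmith can write only after a SASL/EXTERNAL (client certificate) bind.
SAMPLE_ACIS = [parse_aci(v) for v in (
    "1.2.3.4#entry#grant:rw#access-id#simple#cn=jsmith,ou=ABC,o=CDE,c=US",
    "1.2.3.4#entry#deny:w#access-id#simple#cn=jsmith,ou=ABC,o=CDE,c=US",
    "1.2.3.4#entry#grant:rw#access-id#SASL:EXTERNAL#cn=jsmith,ou=ABC,o=CDE,c=US",
)]

if __name__ == "__main__":
    for level in ("none", "simple", "SASL:EXTERNAL"):
        print(level, decide(SAMPLE_ACIS, "cn=jsmith,ou=ABC,o=CDE,c=US", level, "w"))
```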
If we do something like this, it has an impact on chapters 8, 9 and 10
of the Access Control Model in the sense that not only the DN must be
checked but also the AUTH-LEVEL.
Helmut