Re: subjects in LDAP ACMs
Kurt,
Conceptually it's certainly helpful to separate the authzid type
subjects from factors like authnLevel, ipaddress/dns name etc. However,
in so far as a factor is typically an extra refinement on authzID's (eg.
grant the access if it's cn=rob,o=sun.com AND he's authenticated using
SASL-DIGEST-MD5) I think factors are still very "subjecty" things. Is
the trend of your thought to move factors into a say "factor" keyword
and then require that the subject AND factor keywords are satisfied?
What do you mean by "authorized" below?
BTW, do you think it would be interesting to allow boolean combinations
of subjects in the same aci?
Rob.
"Kurt D. Zeilenga" wrote:
>
> I note that the LDAP ACI syntax only allows a single
> subject per value though it is likely quite desirable
> to treat certain kinds of subjects as orthogonal factors
> in the ACM. For example, it might be useful to say
> "authzId X via Y method gets Z permission".
>
> However, adding additional, independent factors to
> the ACM adds to the complexity of specification so
> we must tread lightly.
>
> My first suggestion would be remove subjects based
> upon orthogonal factors from the ACM, then to discuss
> support for orthogonal factors such as authnLevel.
>
> I suggest Subjects be based solely upon presence, absence,
> or value of the authorization identity. Hence, I suggest
> (provided in suggested precedence order):
>
> subject = this ; self
> subject /= ("authzID-" authzID)
> subject /= ("role:" dn)
> subject /= ("group:" dn)
> subject /= ("subtree:" dn)
> subject /= authorized ; authenticated and authorized
> subject /= anonymous ; unauthenticated
> subject /= public ; any user
>
> Kurt
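An added Python sketch (not code from this thread or from any LDAP server) of the subject grammar and precedence order proposed above: it parses each subject value, evaluates it against a constructed request context, and returns the first match in the stated order. It assumes authzIDs are already-normalised DN strings compared exactly, and that role and group membership are supplied by the caller; a real directory would apply its own DN normalisation and matching rules before comparison.

```python
from dataclasses import dataclass, field
from typing import Optional

# Precedence order taken from the proposal above (index 0 is tried first).
SUBJECT_KINDS = ["this", "authzID", "role", "group", "subtree",
                 "authorized", "anonymous", "public"]
PREFIXES = (("authzID-", "authzID"), ("role:", "role"),
            ("group:", "group"), ("subtree:", "subtree"))

@dataclass
class Request:
    """Constructed request context; authz_id of None means unauthenticated."""
    authz_id: Optional[str]
    target_dn: str
    roles: frozenset = field(default_factory=frozenset)   # assumed supplied by caller
    groups: frozenset = field(default_factory=frozenset)  # assumed supplied by caller

def parse_subject(text: str):
    """Parse one subject value into a (kind, argument) pair; reject anything else."""
    s = text.strip()
    if s in ("this", "authorized", "anonymous", "public"):
        return (s, None)
    for prefix, kind in PREFIXES:
        if s.startswith(prefix) and len(s) > len(prefix):
            return (kind, s[len(prefix):])
    raise ValueError(f"unrecognised subject: {text!r}")

def in_subtree(dn: str, base: str) -> bool:
    # Assumption: DNs are already normalised; match only on an RDN boundary.
    return dn == base or dn.endswith("," + base)

def subject_matches(subject, req: Request) -> bool:
    kind, arg = subject
    if kind == "public":
        return True
    if kind == "anonymous":
        return req.authz_id is None
    if req.authz_id is None:        # every remaining kind needs an identity
        return False
    return {
        "authorized": lambda: True,
        "this": lambda: req.authz_id == req.target_dn,
        "authzID": lambda: req.authz_id == arg,
        "role": lambda: arg in req.roles,
        "group": lambda: arg in req.groups,
        "subtree": lambda: in_subtree(req.authz_id, arg),
    }[kind]()

def first_matching(subjects, req: Request):
    """Evaluate subjects in the proposed precedence order; return the first match."""
    parsed = sorted((parse_subject(s) for s in subjects),
                    key=lambda p: SUBJECT_KINDS.index(p[0]))
    return next((p for p in parsed if subject_matches(p, req)), None)
```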