Discrepancies Between the ASN.1 and ABNF for the ACI Syntax
LDAPEXTers,
The ASN.1 for the ACI syntax given in draft-ietf-ldapext-acl-model-08.txt
corresponds to an earlier iteration of the ABNF actually published.
Consequently, there are apparent semantic discrepancies between the ABNF
and ASN.1 definitions. The version of the ASN.1 that is intended to conform
to the ABNF published in draft-ietf-ldapext-acl-model-08.txt is as follows.
Regards,
Steven
LDAP-Access-Control-Model
DEFINITIONS EXTENSIBILITY IMPLIED ::=
BEGIN

IMPORTS
    AttributeType, DistinguishedName, CONTEXT
        FROM InformationFramework;  -- from [X501]

ACI ::= SEQUENCE {
    rights SEQUENCE {
        grant Permissions OPTIONAL,
        deny [1] Permissions OPTIONAL }
        (WITH COMPONENTS { ..., grant PRESENT } |
         WITH COMPONENTS { ..., deny PRESENT }),
        -- at least one of grant or deny must be present --
    attr CHOICE {
        all NULL,
        entry [1] NULL,
        attributes SET SIZE (1..MAX) OF AttributeTypeAndOptions },
    subject GeneralSubject
}

-- An X.500 representation for an LDAP Attribute Description --
AttributeTypeAndOptions ::= SEQUENCE {
    type AttributeType,
    type-name UTF8String OPTIONAL,
        -- A hint of what LDAP textual name to use when encoding an
        -- AttributeTypeAndOptions as an <AttributeDescription>.
    options SEQUENCE SIZE (1..MAX) OF CONTEXT.&Assertion OPTIONAL
        -- A future revision will constrain CONTEXT.&Assertion to be
        -- the context assertion syntax of the CONTEXT information
        -- object defined by the X.500 working group to represent
        -- LDAP attribute options in the X.500 protocols.
        -- This is likely to be the UTF8String type.
}

GeneralSubject ::= SEQUENCE {
    context AuthnLevel,
    pureSubject PureSubject
}

AuthnLevel ::= ENUMERATED {
    none (0),
    weak (1),
    limited (2),
    strong (3)
}

PureSubject ::= CHOICE {
    anySubject NULL,
    machineSubject [1] MachineSubject,
    idBasedSubject [2] IDBasedSubject
    -- may be expanded per [AuthMeth] --
}

MachineSubject ::= CHOICE {
    ipAddress SET OF IPAddressRange,
    dns [1] SET OF PartialDomainName
}

IPAddressRange ::= CHOICE {
    single IPAddress,
    range SEQUENCE {
        lowerBound IPAddress,
        upperBound IPAddress
    }
}

IPAddress ::= UTF8String
    -- The character contents of an IPAddress string are encoded
    -- according to the <ipAddress> rule in Section 4.1.1.

PartialDomainName ::= UTF8String
    -- The character contents of a PartialDomainName string are encoded
    -- according to the <partialdomainname> rule in Section 4.1.1.

IDBasedSubject ::= CHOICE {
    thisSubject NULL,
    oneSubject [1] OneSubject,
    setOfSubjects [2] SetOfSubjects
}

OneSubject ::= CHOICE {
    dn DistinguishedName,
    user UTF8String
}

SetOfSubjects ::= CHOICE {
    role DistinguishedName,
    group [1] DistinguishedName,
    subtree [2] DistinguishedName
}

Permissions ::= BIT STRING {
    add (0),
    delete (1),
    export (2),
    import (3),
    renameDN (4),
    browseDN (5),
    viewEntry (6),
    returnDN (7),
    read (8),
    search (9),
    searchPresence (10),
    write (11),
    obliterate (12),
    compare (13),
    make (14),
    unveil (15),
    getEffectiveRights (16) }
    (CONSTRAINED BY { -- at least one bit must be set -- })
    -- permissions read, write, obliterate, search,
    -- searchPresence, compare, make work on attributes
    -- permissions add, delete, export, import, renameDN,
    -- browseDN, viewEntry, returnDN, unveil,
    -- getEffectiveRights work on entries

END
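As an added example, not part of Steven's post or the draft, the following Python DER-encodes the ACI rights SEQUENCE and its Permissions named-bit BIT STRING from the module above, enforcing the two stated constraints (grant or deny present; at least one bit set). It assumes the module's default EXPLICIT tagging, since it declares neither IMPLICIT nor AUTOMATIC TAGS, and short-form lengths on decode.

```python
# Named bits of Permissions, in bit order (bit 0 = add ... bit 16 = getEffectiveRights).
PERMISSION_BITS = [
    "add", "delete", "export", "import", "renameDN", "browseDN", "viewEntry",
    "returnDN", "read", "search", "searchPresence", "write", "obliterate",
    "compare", "make", "unveil", "getEffectiveRights",
]

def der_tlv(tag: int, content: bytes) -> bytes:
    """Wrap content in a DER tag/length/value (short or long form length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + content

def encode_permissions(names) -> bytes:
    """DER-encode Permissions as a named-bit BIT STRING: bit 0 is the MSB of
    the first content octet, and DER drops trailing zero bits (X.690 11.2.2)."""
    if not names:
        raise ValueError("CONSTRAINED BY: at least one bit must be set")
    bits = sorted(PERMISSION_BITS.index(n) for n in names)
    nbytes = bits[-1] // 8 + 1
    buf = bytearray(nbytes)
    for b in bits:
        buf[b // 8] |= 0x80 >> (b % 8)
    unused = nbytes * 8 - (bits[-1] + 1)
    return der_tlv(0x03, bytes([unused]) + bytes(buf))

def decode_permissions(der: bytes) -> list:
    """Inverse of encode_permissions; assumes a short-form length octet."""
    if der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a short-form BIT STRING")
    unused, body = der[2], der[3:]
    total = len(body) * 8 - unused
    return [PERMISSION_BITS[i] for i in range(total)
            if body[i // 8] & (0x80 >> (i % 8))]

def encode_rights(grant=None, deny=None) -> bytes:
    """DER-encode the ACI 'rights' SEQUENCE. With the module's default EXPLICIT
    tagging, deny [1] becomes a constructed context tag (0xA1) wrapping the
    BIT STRING; the WITH COMPONENTS constraint requires grant or deny."""
    if grant is None and deny is None:
        raise ValueError("at least one of grant or deny must be present")
    body = b""
    if grant is not None:
        body += encode_permissions(grant)
    if deny is not None:
        body += der_tlv(0xA1, encode_permissions(deny))
    return der_tlv(0x30, body)
```

Calling `encode_rights(grant=["read", "search"], deny=["obliterate"]).hex()` yields `300c03030600c0a1050303030008`.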