
RE: Basic Access Control for LDAP



Ed,

Ed Reed wrote:
> Thanks for that clarification, Steven - that's different from 
> some directories
> I know that force ACI subjects to be of one of a few classes known to 
> represent security principals.

Basic Access Control was defined to have the property that all access
control decisions can be made using only the information held locally
by the server making the decision. If BAC insisted that users' entries
belong to specific classes then, in a distributed directory service,
chained operations are potentially required while making access control
decisions.

BAC does allow implementations to impose additional local constraints
(such as a requirement that user entries belong to specific classes),
but these constraints have no standard representation so they won't
necessarily be enforced by a replication partner.

Regards,
Steven
 
> Ed
> 
> >>> "Steven Legg" <steven.legg@adacel.com.au> 02/28/02 09:36PM >>>
> 
> Ed,
> 
> Ed Reed wrote:
> > Actually, my question is a bit more basic - 
> > 
> > Does allUsers include entries of any and all object classes, or only
> > object classes derived from "person", or only "person"s with, say,
> > a password attribute present, or some other definition?
> 
> As far as Basic Access Control is concerned, an identified user
> (i.e. a requestor) is just a distinguished name. The distinguished
> name doesn't even have to refer to a real entry, so the object class
> of the user's entry, if such an entry exists, is completely 
> irrelevant.
> 
> The allUsers case includes not only any identified user, but also
> completely anonymous requestors for which no associated distinguished
> name was able to be established at bind time.
> 
> Regards,
> Steven
> 
> > 
> > Ed
> > 
> > =================
> > Ed Reed
> > Reed-Matthews, Inc.
> > +1 585 624 2402
> > http://www.Reed-Matthews.COM 
> > Note:  Area code is 585
> > 
> > >>> "Steven Legg" <steven.legg@adacel.com.au> 02/28/02 01:16AM >>>
> > 
> > Ed,
> > 
> > Ed Reed wrote:
> > > One question from reading the drafts (for now) -
> > > 
> > > What constitutes a "user" for the purpose of ACI UserClasses 
> > > value allUsers?
> > 
> > In the first instance it is anyone/anything who manages to bind in,
> > regardless of their authorization identity, but it is qualified by
> > the AuthenticationLevel and whether a permission is being granted
> > or denied.
> > 
> > For a permission being granted:
> > 
> > 1) If the AuthenticationLevel is "none" then allUsers includes everyone,
> > regardless of authorization identity, anonymous included.
> > 
> > 2) If the AuthenticationLevel is "simple" then allUsers includes all
> > users who have authenticated with at least a user name and password.
> > Anonymous users and users who have not been authenticated are 
> > excluded.
> > 
> > 3) If the AuthenticationLevel is "strong" then allUsers includes all
> > users who have authenticated with strong credentials, e.g. digital
> > signatures. Anonymous users, unauthenticated users and password
> > authenticated users are excluded.
> > 
> > For a permission being denied, allUsers includes everyone,
> > regardless of authorization identity and authentication level.
> > 
> > Regards,
> > Steven
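The rules Steven gives above for the allUsers user class (grants qualified by AuthenticationLevel, denials applying to everyone, and the requestor being nothing more than a distinguished name that need not name an existing entry) can be written down as a small decision model. The following is an added illustration, not code from the thread or from any X.500/LDAP product; the Requestor and AciItem shapes, the names used and the simplified deny-wins decision are constructed for the example, and the full X.501 BAC precedence algorithm is deliberately not modelled.

```python
"""Toy model of how X.501 Basic Access Control (BAC) interprets the
allUsers user class, following the rules quoted in the thread.

Constructed example: the dataclass shapes, the sample DNs and the
simplified decision procedure are illustrative only; a real BAC
implementation applies the full precedence rules of X.501.
"""
from dataclasses import dataclass
from typing import Optional

# Ordering of AuthenticationLevel values.  A requestor at a higher
# rank satisfies any lower requirement.
AUTH_RANK = {"none": 0, "simple": 1, "strong": 2}


@dataclass(frozen=True)
class Requestor:
    """What the server knows about the bound client.

    dn is None for an anonymous bind.  As the thread points out, the DN
    does not have to refer to a real entry, so nothing about object
    classes is recorded here at all: no lookup is needed to decide.
    """
    dn: Optional[str]
    auth_level: str  # "none", "simple" or "strong"


@dataclass(frozen=True)
class AciItem:
    """A single ACI item whose user class is allUsers."""
    grant: bool       # True = grant, False = deny
    auth_level: str   # AuthenticationLevel carried by the item
    permission: str   # e.g. "Read" or "Modify" (constructed labels)


def all_users_matches(item: AciItem, requestor: Requestor) -> bool:
    """Return True if the requestor falls within allUsers for this item.

    Grant:  the requestor must have authenticated at or above the
            item's AuthenticationLevel; "none" admits anonymous binds.
    Deny:   allUsers means everyone, regardless of identity or level.
    """
    if not item.grant:
        return True
    return AUTH_RANK[requestor.auth_level] >= AUTH_RANK[item.auth_level]


def decide(items: list, requestor: Requestor, permission: str) -> bool:
    """Simplified decision: any applicable deny wins, otherwise any
    applicable grant allows, and with no applicable item access is
    refused.  (Real BAC weighs precedence and specificity as well.)"""
    applicable = [
        i for i in items
        if i.permission == permission and all_users_matches(i, requestor)
    ]
    if any(not i.grant for i in applicable):
        return False
    return any(i.grant for i in applicable)


# Constructed sample policy: anyone with at least a password may Read;
# nobody may Modify (the deny applies to everyone, even at "strong").
SAMPLE_ITEMS = [
    AciItem(grant=True, auth_level="simple", permission="Read"),
    AciItem(grant=False, auth_level="strong", permission="Modify"),
]

ANONYMOUS = Requestor(dn=None, auth_level="none")
PASSWORD_USER = Requestor(dn="cn=alice,o=example", auth_level="simple")
# DN that names no entry at all; BAC still treats it as an identified user.
GHOST_USER = Requestor(dn="cn=nobody,o=example", auth_level="strong")


if __name__ == "__main__":
    for who in (ANONYMOUS, PASSWORD_USER, GHOST_USER):
        for perm in ("Read", "Modify"):
            print(who.dn, who.auth_level, perm, decide(SAMPLE_ITEMS, who, perm))
```

Running the block shows the asymmetry the thread describes: the anonymous bind is refused Read because the grant requires "simple", the password-authenticated user is allowed, the DN with no entry behind it is allowed purely on the strength of its bind, and the Modify denial catches all three regardless of how they authenticated.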