
TransportSecurity/AuthenticationMech based ACLs (was: OpenLDAP enhancements)



At 04:45 PM 8/9/99 -0500, Ben Collins wrote:
>Actually you can already do this in the -devel branch I believe by using
>the url based acls and setting it so it's only accesible via the secure
>url (the ssl port).
>
>Not sure how this will work when SASL support is complete (setting acls
>based on the SASL method chosen?).

I don't think it makes much sense to grant access based upon the
authentication mechanism used.  However, it does make sense
to grant access to items (and authentication methods) based
upon the level of transport security.

For example, you may require a secure authentication mechanism
on an open transport and allow plaintext passwords when a secure
transport is in use.

The best way I've come up with so far is to support something
like:

access attr=userPassword
  by anonymous trans=weak auth  # grant anonymous auth access
  by anonymous secureauth       # grant anonymous access to
                                # strong authentication mechanisms
  by trans=strong selfwrite     # selfwrite if transport provides
                                # "strong" security
  by * none

access attr=entry
  by anonymous trans=weak auth  # grant anonymous auth access when any
                                # transport security is provided.
  by anonymous secureauth       # grant anonymous access to
                                # strong authentication mechanisms
  by trans=strong selfwrite     # selfwrite if transport provides
                                # "strong" security
  by * read

access *
  by trans=weak read            # read only if transport is weak.
  by selfwrite
  by * none

The problem, of course, is what the definition of "secure" is within
the contexts above.  We need to use some simple categorization of
transport and authentication security levels.  I'd prefer to
"borrow" a preexisting categorization than to invent our own.
Any suggestions?

One thing I don't like with the above is that the authentication method
you are granting access to should really be part of the what clause.
However, I have found a decent grammar for describing it as such.
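Added example, not part of this post or of slapd: a small Python evaluator for the "by <who> [trans=<level>] <access>" clauses proposed above, so one can see which clause fires for a given bind state and transport. It assumes (my reading, not the proposal's) that transport levels order none < weak < strong, that trans=X means "at least X", and that the first matching clause wins as in slapd ACLs.

```python
# Constructed policy: the userPassword and entry blocks from the proposal,
# without comments. Access levels are kept as opaque strings.
POLICY = """
access attr=userPassword
  by anonymous trans=weak auth
  by anonymous secureauth
  by trans=strong selfwrite
  by * none

access attr=entry
  by anonymous trans=weak auth
  by anonymous secureauth
  by trans=strong selfwrite
  by * read
"""

# Assumed ordering of transport security levels (not defined by the post).
TRANSPORT_RANK = {"none": 0, "weak": 1, "strong": 2}


def parse_access(text):
    """Return [(what, [(who_tokens, access), ...]), ...]; '#' comments stripped."""
    acls = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("access "):
            acls.append((line.split(None, 1)[1], []))
        elif line.startswith("by "):
            tokens = line.split()[1:]
            acls[-1][1].append((tokens[:-1], tokens[-1]))  # last token = access
    return acls


def clause_matches(who_tokens, subject, transport):
    """A clause matches if every who-token holds: '*' always, 'trans=X' if the
    transport is at least X (assumption), any other token if it equals subject."""
    for tok in who_tokens:
        if tok == "*":
            continue
        if tok.startswith("trans="):
            if TRANSPORT_RANK[transport] < TRANSPORT_RANK[tok[len("trans="):]]:
                return False
        elif tok != subject:  # e.g. "anonymous", "self"
            return False
    return True


def evaluate(acls, what, subject, transport):
    """First 'access' block targeting `what` (or '*') decides; first matching
    clause wins; no matching clause means 'none' (slapd's default deny)."""
    for target, clauses in acls:
        if target not in (what, "*"):
            continue
        for who, access in clauses:
            if clause_matches(who, subject, transport):
                return access
        return "none"
    return "none"


ACLS = parse_access(POLICY)
```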