INTERNET-DRAFT                                                   S. Legg
draft-legg-ldap-acm-bac-03.txt                       Adacel Technologies
Intended Category: Standards Track                         June 16, 2004
Updates: RFC 2252


             Lightweight Directory Access Protocol (LDAP):
                  Basic and Simplified Access Control

    Copyright (C) The Internet Society (2004). All Rights Reserved.

   Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress".

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   Distribution of this document is unlimited.  Comments should be sent
   to the author.

   This Internet-Draft expires on 16 December 2004.


Abstract

   An access control scheme describes the means by which access to
   directory information and potentially to access rights themselves may
   be controlled.  This document adapts the X.500 directory Basic Access
   Control and Simplified Access Control schemes for use by the
   Lightweight Directory Access Protocol.



Legg                    Expires 16 December 2004                [Page 1]

INTERNET-DRAFT     Basic and Simplified Access Control     June 16, 2004


Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Conventions. . . . . . . . . . . . . . . . . . . . . . . . . .  3
   3.  Basic Access Control . . . . . . . . . . . . . . . . . . . . .  4
       3.1.  Permissions. . . . . . . . . . . . . . . . . . . . . . .  5
             3.1.1.  Read . . . . . . . . . . . . . . . . . . . . . .  5
             3.1.2.  Compare. . . . . . . . . . . . . . . . . . . . .  6
             3.1.3.  Browse . . . . . . . . . . . . . . . . . . . . .  6
             3.1.4.  ReturnDN . . . . . . . . . . . . . . . . . . . .  6
             3.1.5.  FilterMatch. . . . . . . . . . . . . . . . . . .  6
             3.1.6.  Modify . . . . . . . . . . . . . . . . . . . . .  6
             3.1.7.  Add. . . . . . . . . . . . . . . . . . . . . . .  6
             3.1.8.  Remove . . . . . . . . . . . . . . . . . . . . .  7
             3.1.9.  DiscloseOnError. . . . . . . . . . . . . . . . .  7
             3.1.10. Rename . . . . . . . . . . . . . . . . . . . . .  7
             3.1.11. Export . . . . . . . . . . . . . . . . . . . . .  7
             3.1.12. Import . . . . . . . . . . . . . . . . . . . . .  8
             3.1.13. Invoke . . . . . . . . . . . . . . . . . . . . .  8
       3.2.  Representation of Access Control Information . . . . . .  8
             3.2.1.  Identification Tag . . . . . . . . . . . . . . . 11
             3.2.2.  Precedence . . . . . . . . . . . . . . . . . . . 11
             3.2.3.  Authentication Level . . . . . . . . . . . . . . 11
             3.2.4.  itemFirst and userFirst Components . . . . . . . 12
             3.2.5.  Determining Group Membership . . . . . . . . . . 16
       3.3.  ACI Operational Attributes . . . . . . . . . . . . . . . 17
             3.3.1.  Prescriptive ACI . . . . . . . . . . . . . . . . 17
             3.3.2.  Entry ACI. . . . . . . . . . . . . . . . . . . . 17
             3.3.3.  Subentry ACI . . . . . . . . . . . . . . . . . . 18
             3.3.4.  Protecting the ACI . . . . . . . . . . . . . . . 18
       3.4.  Access Control Decision Points for LDAP Operations . . . 18
             3.4.1.  Common Elements of Procedure . . . . . . . . . . 19
                     3.4.1.1.  Alias Dereferencing. . . . . . . . . . 19
                     3.4.1.2.  Return of Names in Errors. . . . . . . 19
                     3.4.1.3.  Non-disclosure of Entry Existence. . . 20
             3.4.2.  Compare Operation Decision Points. . . . . . . . 20
             3.4.3.  Search Operation Decision Points . . . . . . . . 20
             3.4.4.  Add Operation Decision Points. . . . . . . . . . 23
             3.4.5.  Delete Operation Decision Points . . . . . . . . 24
             3.4.6.  Modify Operation Decision Points . . . . . . . . 24
             3.4.7.  Modify DN Operation Decision Points. . . . . . . 25
       3.5.  Access Control Decision Function . . . . . . . . . . . . 26
             3.5.1.  Inputs . . . . . . . . . . . . . . . . . . . . . 26
             3.5.2.  Tuples . . . . . . . . . . . . . . . . . . . . . 26
             3.5.3.  Discarding Irrelevant Tuples . . . . . . . . . . 27
             3.5.4.  Highest Precedence and Specificity . . . . . . . 28
   4.  Simplified Access Control. . . . . . . . . . . . . . . . . . . 28
   5.  Security Considerations. . . . . . . . . . . . . . . . . . . . 29
   6.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 29
   7.  IANA Considerations. . . . . . . . . . . . . . . . . . . . . . 29
   Appendix A. LDAP Specific Encoding for the ACI Item Syntax . . . . 30
   Normative References . . . . . . . . . . . . . . . . . . . . . . . 39
   Informative References . . . . . . . . . . . . . . . . . . . . . . 40
   Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 40
   Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 40

1.  Introduction

   An access control scheme describes the means by which access to
   directory information and potentially to access rights themselves may
   be controlled.  Control of access to information means the prevention
   of unauthorized detection, disclosure, or modification of that
   information.  The definition of an access control scheme in the
   context of a Lightweight Directory Access Protocol (LDAP) [RFC3371]
   directory includes methods to specify Access Control Information
   (ACI), and to enforce access rights defined by that ACI.

   This document adapts the X.500 Basic Access Control and Simplified
   Access Control schemes [X501] for use in LDAP.  Both schemes conform
   to, and make use of, the access control administrative framework for
   LDAP [ACA].

   Section 3 describes the Basic Access Control scheme and defines how
   it applies to LDAP operations [RFC2251].

   Simplified Access Control is a functional subset of the Basic Access
   Control scheme.  This subset is described in Section 4.

   As a matter of security policy, an implementation supporting Basic
   Access Control or Simplified Access Control is permitted to grant or
   deny any form of access to particular attributes (e.g., password
   attributes) irrespective of access controls which may otherwise
   apply.  However, since such security policy has no standardized
   representation, it cannot be propagated in replicated information.

   This document is derived from, and duplicates substantial portions
   of, Section 8 of X.501 [X501], and selected extracts from X.511
   [X511].

2.  Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and  "OPTIONAL" in this
   document are to be interpreted as described in BCP 14, RFC 2119
   [RFC2119].

   Schema definitions are provided using LDAP description formats
   [RFC2252].  Note that the LDAP descriptions have been rendered with
   additional white-space and line breaks for the sake of readability.

3.  Basic Access Control

   This section describes the functionality of the Basic Access Control
   scheme.

   When Basic Access Control is used, the accessControlScheme
   operational attribute [ACA] SHALL have the value basic-access-control
   (2.5.28.1).

   This LDAP profile for Basic Access Control defines, for every LDAP
   operation, one or more points at which access control decisions take
   place.  An access control decision will involve a requestor,
   protected items, and permissions.

   A requestor is the user requesting the operation.  Basic Access
   Control requires a user's authorization identity to be represented as
   a distinguished name (with an optional unique identifier).  The
   mapping of the authentication identity to an authorization identity,
   and the mapping of the authorization identity to a distinguished name
   and optional unique identifier, are outside the scope of this
   document.

   A protected item is the element of directory information being
   accessed.  The protected items are entries, attributes, attribute
   values and distinguished names.  Access to each protected item can be
   separately controlled through ACI.

   A permission is a particular right necessary to complete a portion of
   the operation.

   The Access Control Information, which is used to make access control
   decisions, associates protected items and user classes with
   permissions.  ACI is represented in the directory as values of
   operational attributes with the ACI Item syntax [RFC2252].  Each such
   value is referred to as an ACI item.

   The scope of access controls can be a single entry or a collection of
   entries that are logically related by being within the scope of an
   access control subentry of an administrative point (see [ACA]).

   The Access Control Decision Function (ACDF) (Section 3.5) is used to
   decide whether a particular requestor has a particular access right
   by virtue of applicable ACI items.

   Access to DSEs and operational attributes is controlled in the same
   way as for entries and user attributes.

   For query purposes, collective attributes [COLLECT] that are
   associated with an entry are protected precisely as if they were
   attributes actually stored in that entry.

   For the purposes of modification, collective attributes are
   associated with the subentry that holds them, not with entries within
   the scope of the subentry.  Modify-related access controls are
   therefore not relevant to collective attributes, except when they
   apply to the collective attribute and its values within the subentry.

3.1.  Permissions

   Access is controlled by granting or denying permissions.  Access is
   allowed only when there is an explicitly provided grant present in
   the ACI used to make the access control decision.  The only default
   access decision provided in the model is to deny access in the
   absence of explicit ACI that grants access.  All other factors being
   equal, a denial specified in ACI always overrides a grant.

   Certain combinations of grants or denials are illogical, but it is
   the responsibility of directory clients, rather than the directory
   server, to ensure that such combinations are absent.

   The decision whether or not to permit access to an entry or its
   contents is strictly determined by the position of the entry in the
   Directory Information Tree (DIT), in terms of its distinguished name,
   and is independent of how the directory server locates that entry.

   The following sections introduce the permissions by indicating the
   intent associated with the granting of each.  The actual influence of
   a particular granted permission on access control decisions is,
   however, determined by the ACDF and the access control decision
   points for each LDAP operation, described in detail in Section 3.4.

3.1.1.  Read

   If granted for an entry, Read permits the entry to be accessed using
   LDAP Compare and baseObject Search operations, but does not imply
   access to all the attributes and values.

   If granted for an attribute type, Read permits the attribute type to
   be returned as entry information in a Search result.  Read or Browse
   permission for the entry is a prerequisite.

   If granted for an attribute value, Read permits the attribute value
   to be returned as entry information in a Search result.  Read or
   Browse permission for the entry and Read permission for the attribute
   type are prerequisites.

3.1.2.  Compare

   If granted for an attribute type, Compare permits the attribute type
   to be tested by the assertion in an LDAP Compare operation.  Read
   permission for the entry is a prerequisite.

   If granted for an attribute value, Compare permits the value to be
   tested by the assertion in an LDAP Compare operation.  Read
   permission for the entry and Compare permission for the attribute
   type are prerequisites.

3.1.3.  Browse

   If granted for an entry, Browse permits the entry to be accessed by
   the LDAP Search operation, including baseObject searches, but does
   not imply access to all the attributes and values.

3.1.4.  ReturnDN

   If granted for an entry, ReturnDN allows the distinguished name of
   the entry to be disclosed in a search result.

3.1.5.  FilterMatch

   If granted for an attribute type, FilterMatch permits the attribute
   type to satisfy a Filter item.

   If granted for an attribute value, FilterMatch permits the attribute
   value to satisfy a Filter item.  FilterMatch permission for the
   attribute type is a prerequisite.

3.1.6.  Modify

   If granted for an entry, Modify permits the information contained
   within an entry to be modified by the LDAP Modify operation, subject
   to controls on the attribute types and values.

3.1.7.  Add

   If granted for an entry, Add permits creation of an entry in the DIT,
   subject to being able to add all specified attributes and attribute
   values.  Add permission granted for an entry is ineffective if Add
   permission is not also granted for at least the mandatory attributes
   and their values.  There is no specific "add subordinate permission".
   Permission to add an entry is controlled using prescriptive ACI.

   If granted for an attribute type, Add permits adding a new attribute,
   subject to being able to add all specified attribute values.  Add or
   Modify permission for the entry is a prerequisite.

   If granted for an attribute value, Add permits adding that value to
   an existing attribute.  Add or Modify permission for the entry is a
   prerequisite.

3.1.8.  Remove

   If granted for an entry, Remove permits the entry to be removed from
   the DIT regardless of controls on attributes or attribute values
   within the entry.

   If granted for an attribute, Remove permits removing an attribute,
   subject to being able to remove any explicitly specified attribute
   values.  Remove permission for values not explicitly specified is not
   required.

   If granted for an attribute value, Remove permits the attribute value
   to be removed from an existing attribute.

3.1.9.  DiscloseOnError

   If granted for an entry, DiscloseOnError permits the name of an entry
   to be disclosed in an error result.

   If granted for an attribute, DiscloseOnError permits the presence of
   the attribute to be disclosed by an error.

   If granted for an attribute value, DiscloseOnError permits the
   presence of the attribute value to be disclosed by an error.

3.1.10.  Rename

   If granted for an entry, Rename permits an entry to be renamed with a
   new RDN.  No permissions are required for the attributes and values
   altered by the operation, even if they are added or removed as a
   result of the changes to the RDN.

3.1.11.  Export

   If granted for an entry, Export permits the entry and its
   subordinates, if any, to be removed from the current location and
   placed in a new location, subject to the granting of Import
   permission at the destination.

   If the last RDN is changed, Rename permission at the current location
   is also required.

3.1.12.  Import

   If granted for an entry, Import permits an entry and its
   subordinates, if any, to be placed at the location to which the
   permission applies, subject to the granting of Export permission at
   the source location.

3.1.13.  Invoke

   Invoke, if granted for an operational attribute, or value thereof,
   permits the directory server to carry out some function associated
   with the operational attribute on behalf of the user.  The specific
   function carried out by invocation depends on the attribute.  No
   other permissions are required of the user for the operational
   attribute, or on the entry/subentry that holds it, in order for it to
   be "invoked".

3.2.  Representation of Access Control Information

   Access Control Information is represented as a set of ACI items,
   where each ACI item grants or denies permissions in regard to certain
   specified users and protected items.

   An ACI item is represented as a value of an operational attribute
   with the ACI Item syntax (1.3.6.1.4.1.1466.115.121.1.1) [RFC2252].

   This document updates [RFC2252] by specifying a human-readable
   LDAP-specific encoding for ACI items.  The LDAP-specific encoding of
   values of the ACI Item syntax is defined by the Generic String
   Encoding Rules [GSER].  Appendix A provides an equivalent ABNF for
   this syntax.

   For convenience in specifying access control policies, the ACI Item
   syntax provides the means to identify collections of related items,
   such as attributes in an entry or all attribute values of a given
   attribute, and to specify a common protection for them.

   The ACI Item syntax corresponds to the ACIItem ASN.1 [ASN1] type
   defined in X.501 [X501].  It is reproduced here for convenience:

   ACIItem ::= SEQUENCE {
       identificationTag   DirectoryString { ub-tag },
       precedence          Precedence,
       authenticationLevel AuthenticationLevel,
       itemOrUserFirst     CHOICE {
           itemFirst   [0] SEQUENCE {
               protectedItems  ProtectedItems,
               itemPermissions SET OF ItemPermission },
           userFirst   [1] SEQUENCE {
               userClasses     UserClasses,
               userPermissions SET OF UserPermission } } }

   Precedence ::= INTEGER (0..255)

   ProtectedItems ::= SEQUENCE {
       entry                   [0] NULL OPTIONAL,
       allUserAttributeTypes   [1] NULL OPTIONAL,
       attributeType           [2] SET SIZE (1..MAX) OF
                                       AttributeType OPTIONAL,
       allAttributeValues      [3] SET SIZE (1..MAX) OF
                                       AttributeType OPTIONAL,
       allUserAttributeTypesAndValues  [4] NULL OPTIONAL,
       attributeValue          [5] SET SIZE (1..MAX) OF
                                       AttributeTypeAndValue OPTIONAL,
       selfValue               [6] SET SIZE (1..MAX) OF
                                       AttributeType OPTIONAL,
       rangeOfValues           [7] Filter OPTIONAL,
       maxValueCount           [8] SET SIZE (1..MAX) OF
                                       MaxValueCount OPTIONAL,
       maxImmSub               [9] INTEGER OPTIONAL,
       restrictedBy           [10] SET SIZE (1..MAX) OF
                                       RestrictedValue OPTIONAL,
       contexts               [11] SET SIZE (1..MAX) OF
                                       ContextAssertion OPTIONAL,
       classes                [12] Refinement OPTIONAL }

   MaxValueCount ::= SEQUENCE {
       type        AttributeType,
       maxCount    INTEGER }

   RestrictedValue ::= SEQUENCE {
       type        AttributeType,
       valuesIn    AttributeType }

   UserClasses ::= SEQUENCE {
       allUsers    [0] NULL OPTIONAL,
       thisEntry   [1] NULL OPTIONAL,
       name        [2] SET SIZE (1..MAX) OF NameAndOptionalUID OPTIONAL,
       userGroup   [3] SET SIZE (1..MAX) OF NameAndOptionalUID OPTIONAL,
           -- dn component shall be the name of an
           -- entry of GroupOfUniqueNames
       subtree     [4] SET SIZE (1..MAX) OF
                           SubtreeSpecification OPTIONAL }

   NameAndOptionalUID ::= SEQUENCE {
       dn      DistinguishedName,
       uid     UniqueIdentifier OPTIONAL }

   UniqueIdentifier ::= BIT STRING

   ItemPermission ::= SEQUENCE {
       precedence          Precedence OPTIONAL,
           -- defaults to precedence in ACIItem
       userClasses         UserClasses,
       grantsAndDenials    GrantsAndDenials }

   UserPermission ::= SEQUENCE {
       precedence Precedence OPTIONAL,
           -- defaults to precedence in ACIItem
       protectedItems ProtectedItems,
       grantsAndDenials GrantsAndDenials }

   AuthenticationLevel ::= CHOICE {
       basicLevels     SEQUENCE {
           level           ENUMERATED { none(0), simple(1), strong(2) },
           localQualifier  INTEGER OPTIONAL,
           signed          BOOLEAN DEFAULT FALSE },
       other           EXTERNAL }

   GrantsAndDenials ::= BIT STRING {
       -- permissions that may be used in conjunction
       -- with any component of ProtectedItems
       grantAdd             (0),
       denyAdd              (1),
       grantDiscloseOnError (2),
       denyDiscloseOnError  (3),
       grantRead            (4),
       denyRead             (5),
       grantRemove          (6),
       denyRemove           (7),
       -- permissions that may be used only in conjunction
       -- with the entry component
       grantBrowse          (8),
       denyBrowse           (9),
       grantExport         (10),
       denyExport          (11),
       grantImport         (12),
       denyImport          (13),
       grantModify         (14),
       denyModify          (15),
       grantRename         (16),
       denyRename          (17),
       grantReturnDN       (18),
       denyReturnDN        (19),
       -- permissions that may be used in conjunction
       -- with any component, except entry, of ProtectedItems
       grantCompare        (20),
       denyCompare         (21),
       grantFilterMatch    (22),
       denyFilterMatch     (23),
       grantInvoke         (24),
       denyInvoke          (25) }

   AttributeTypeAndValue ::= SEQUENCE {
       type    ATTRIBUTE.&id ({SupportedAttributes}),
       value   ATTRIBUTE.&Type ({SupportedAttributes}{@type}) }

   The SubtreeSpecification and Refinement ASN.1 types are defined in
   X.501 [X501], and separately described for LDAP [SUBENTRY].

   The following sections describe the components of ACIItem.
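   The following Python is an added illustration and is not part of
   this document or of X.501.  It decodes a GrantsAndDenials BIT STRING
   into the permissions granted and denied, using the bit positions
   listed above, and checks the restriction stated in the ASN.1
   comments: Browse, Export, Import, Modify, Rename and ReturnDN may
   accompany only the entry component, while Compare, FilterMatch and
   Invoke may accompany any component except entry.  The function names,
   and the convention of passing the bit string as text (bare digits or
   the ASN.1 bstring form '0101'B used by GSER), are assumptions of the
   example.

```python
# Added example, not part of the draft or of X.501: decode the
# GrantsAndDenials BIT STRING and check the component restrictions
# stated in the ASN.1 comments.  Function names are assumptions.

# Grant bit positions from the GrantsAndDenials definition; the matching
# denial is always the next bit (grantAdd is 0, denyAdd is 1, and so on).
GRANT_BIT = {
    "Add": 0, "DiscloseOnError": 2, "Read": 4, "Remove": 6,
    "Browse": 8, "Export": 10, "Import": 12, "Modify": 14,
    "Rename": 16, "ReturnDN": 18,
    "Compare": 20, "FilterMatch": 22, "Invoke": 24,
}

# Component restrictions, taken from the comments in the ASN.1.
ANY_COMPONENT = frozenset({"Add", "DiscloseOnError", "Read", "Remove"})
ENTRY_ONLY = frozenset({"Browse", "Export", "Import", "Modify",
                        "Rename", "ReturnDN"})
NON_ENTRY_ONLY = frozenset({"Compare", "FilterMatch", "Invoke"})


def _bits(text):
    """Accept a bare string of 0/1 digits or the ASN.1 bstring form
    ('0000100001'B) that GSER uses; bit 0 is the leftmost digit."""
    text = text.strip()
    if text.startswith("'") and text.upper().endswith("'B"):
        text = text[1:-2]
    if any(c not in "01" for c in text):
        raise ValueError("bit string must contain only 0 and 1")
    return text


def decode_grants_and_denials(text):
    """Return (grants, denials) as frozensets of permission names."""
    bits = _bits(text)
    grants, denials = set(), set()
    for name, g in GRANT_BIT.items():
        if g < len(bits) and bits[g] == "1":
            grants.add(name)
        if g + 1 < len(bits) and bits[g + 1] == "1":
            denials.add(name)
    return frozenset(grants), frozenset(denials)


def encode_grants_and_denials(grants=(), denials=()):
    """Inverse of decode: the shortest bit string with the given bits
    set (trailing zero bits omitted, as a BIT STRING value allows)."""
    positions = ([GRANT_BIT[p] for p in grants]
                 + [GRANT_BIT[p] + 1 for p in denials])
    if not positions:
        return ""
    out = ["0"] * (max(positions) + 1)
    for pos in positions:
        out[pos] = "1"
    return "".join(out)


def permitted_with(component):
    """Permissions that may accompany a ProtectedItems component
    ('entry', or any other component name such as 'attributeType')."""
    extra = ENTRY_ONLY if component == "entry" else NON_ENTRY_ONLY
    return ANY_COMPONENT | extra


def misplaced_permissions(component, text):
    """Permissions named in the bit string that the ASN.1 comments say
    cannot be used with this component.  A non-empty result means the
    ACI item is ill-formed for that component and should be rejected."""
    grants, denials = decode_grants_and_denials(text)
    return (grants | denials) - permitted_with(component)


if __name__ == "__main__":
    # Constructed sample: grantRead (bit 4) and denyBrowse (bit 9).
    sample = "'0000100001'B"
    print(decode_grants_and_denials(sample))
    print(misplaced_permissions("attributeType", sample))  # Browse is entry-only
```

   A server that validates incoming ACI values with a check such as
   misplaced_permissions() can refuse an item that, for example, denies
   Browse on an attributeType component, which would otherwise sit in
   the directory without effect.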

3.2.1.  Identification Tag

   identificationTag is used to identify a particular ACI item.  This is
   used to discriminate among individual ACI items for the purposes of
   protection and administration.

3.2.2.  Precedence

   Precedence is used to control the relative order in which ACI items
   are considered during the course of making an access control decision
   using the ACDF.  ACI items having higher precedence values prevail
   over others with lower precedence values, other factors being equal.
   Precedence values are integers and are compared as such.
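   The following Python is an added illustration, not part of this
   document, of the three ordering rules stated so far: access is denied
   unless an ACI item explicitly grants it (Section 3.1), an item with
   higher precedence prevails, and at equal precedence a denial
   overrides a grant.  It is a deliberate simplification: the ACDF of
   Section 3.5 also takes authentication level and specificity into
   account, which are not modelled here.  The class and function names
   and the sample ACI items are assumptions of the example.

```python
# Added example, not part of the draft: default deny, higher precedence
# prevails, and at equal precedence a denial overrides a grant.  The full
# ACDF (Section 3.5) also weighs authentication level and specificity;
# those are not modelled here.  Names are assumptions.

from dataclasses import dataclass


@dataclass(frozen=True)
class ApplicableAci:
    """One ACI item already known to apply to the requestor and item."""
    identification_tag: str          # identificationTag, to trace a decision
    precedence: int                  # Precedence ::= INTEGER (0..255)
    grants: frozenset = frozenset()  # permission names granted
    denials: frozenset = frozenset() # permission names denied

    def __post_init__(self):
        if not 0 <= self.precedence <= 255:
            raise ValueError("precedence must be in 0..255")


def decide(permission, applicable):
    """Return (granted, tag): whether 'permission' is granted and the
    identificationTag of the ACI item that decided it (None for the
    default denial when no item mentions the permission at all)."""
    relevant = [a for a in applicable
                if permission in a.grants or permission in a.denials]
    if not relevant:
        return False, None   # no explicit grant: the only default is deny
    top = max(a.precedence for a in relevant)
    at_top = [a for a in relevant if a.precedence == top]
    for a in at_top:         # all other factors equal, deny beats grant
        if permission in a.denials:
            return False, a.identification_tag
    return True, at_top[0].identification_tag


# Constructed sample items (not from the draft).
STAFF_READ = ApplicableAci("staff-read", 100, grants=frozenset({"Read", "Browse"}))
SALARY_DENY = ApplicableAci("salary-deny", 100, denials=frozenset({"Read"}))
ADMIN_READ = ApplicableAci("admin-read", 200, grants=frozenset({"Read"}))


if __name__ == "__main__":
    print(decide("Read", [STAFF_READ, SALARY_DENY]))              # denied at 100
    print(decide("Read", [STAFF_READ, SALARY_DENY, ADMIN_READ]))  # granted at 200
    print(decide("Modify", [STAFF_READ, SALARY_DENY]))            # default deny
```

   Returning the identificationTag alongside the decision is what makes
   the result auditable: an administrator can see which item produced a
   surprising grant or denial rather than re-deriving it by hand.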

3.2.3.  Authentication Level

   AuthenticationLevel defines the minimum requestor authentication
   level required for this ACI item.  It has two forms:

   1) basicLevels: which indicates the level of authentication,
      optionally qualified by positive or negative integer
      localQualifier.

   2) other: an externally defined measure.

   When basicLevels is used, an AuthenticationLevel consisting of a
   level and optional localQualifier SHALL be assigned to the requestor
   by the directory server according to local policy.  For a requestor's
   authentication level to meet or exceed the minimum requirement, the
   requestor's level must meet or exceed that specified in the ACI item,
   and in addition the requestor's localQualifier must be arithmetically
   greater than or equal to that of the ACI item.  Strong authentication
   of the requestor is considered to exceed a requirement for simple or
   no authentication, and simple authentication exceeds a requirement
   for no authentication.  For access control purposes, the "simple"
   authentication level requires at least a password; the case of
   identification only, with no password supplied, is considered "none".
   If a localQualifier is not specified in the ACI item, then the
   requestor need not have a corresponding value (if such a value is
   present it is ignored).

   The signed component of basicLevels is ignored for LDAP.

   When other is used, an appropriate AuthenticationLevel shall be
   assigned to the requestor by the directory server according to local
   policy.  The form of this AuthenticationLevel and the method by which
   it is compared with the AuthenticationLevel in the ACI is a local
   matter.

   An authentication level associated with an explicit grant indicates
   the minimum level to which a requestor shall be authenticated in
   order to be granted access.

   An authentication level associated with an explicit deny indicates
   the minimum level to which a requestor shall be authenticated in
   order not to be denied access.  For example, an ACI item that denies
   access to a particular user class and requires strong authentication
   will deny access to all requestors who cannot prove, by means of a
   strongly authenticated identity, that they are not in that user
   class.

   The directory server may base authentication level on factors other
   than values received in protocol exchanges.
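   The following Python is an added illustration, not part of this
   document, of the basicLevels comparison described above and of the
   different way a grant and a deny use it: a grant reaches only
   requestors in the user class who meet the minimum level, whereas a
   deny reaches everyone in the user class and also everyone who cannot
   prove, at that level, that they are outside it.  The names are
   assumptions of the example; so is the treatment of a requestor with
   no localQualifier when the ACI item specifies one, which the text
   does not settle and the example resolves conservatively.

```python
# Added example, not part of the draft: the basicLevels comparison of
# Section 3.2.3 and the grant/deny semantics that follow from it.
# Names are assumptions; what makes a bind "strong" is local policy.

from dataclasses import dataclass
from typing import Optional

LEVEL_RANK = {"none": 0, "simple": 1, "strong": 2}  # ENUMERATED in basicLevels


@dataclass(frozen=True)
class BasicLevel:
    """A basicLevels value: level plus optional localQualifier."""
    level: str
    local_qualifier: Optional[int] = None

    def __post_init__(self):
        if self.level not in LEVEL_RANK:
            raise ValueError("level must be none, simple or strong")


def level_from_bind(password_supplied, strong_mechanism=False):
    """Assign the level the draft describes: 'simple' needs at least a
    password, identification alone is 'none'.  Which mechanisms count
    as strong (assumption: e.g. a certificate-authenticated bind) is
    local policy and is passed in as a flag here."""
    if strong_mechanism:
        return "strong"
    return "simple" if password_supplied else "none"


def meets_minimum(requestor, required):
    """True when the requestor's level meets or exceeds the ACI item's."""
    if LEVEL_RANK[requestor.level] < LEVEL_RANK[required.level]:
        return False
    if required.local_qualifier is None:
        return True          # requestor's qualifier, if any, is ignored
    if requestor.local_qualifier is None:
        return False         # assumption: no qualifier cannot satisfy one
    return requestor.local_qualifier >= required.local_qualifier


def grant_applies(requestor, required, in_user_class):
    """A grant reaches only requestors in the user class who are
    authenticated to at least the minimum level."""
    return in_user_class and meets_minimum(requestor, required)


def deny_applies(requestor, required, in_user_class):
    """A denial reaches everyone in the user class, and also everyone
    who cannot prove at the required level that they are outside it."""
    return in_user_class or not meets_minimum(requestor, required)


if __name__ == "__main__":
    anon = BasicLevel(level_from_bind(password_supplied=False))
    strong = BasicLevel(level_from_bind(True, strong_mechanism=True))
    need_strong = BasicLevel("strong")
    # A deny requiring strong authentication catches the anonymous
    # requestor even though it is not known to be in the user class.
    print(deny_applies(anon, need_strong, in_user_class=False))    # True
    print(deny_applies(strong, need_strong, in_user_class=False))  # False
```

   The asymmetry is the point: raising the level on a deny widens the
   set of requestors it catches, while raising it on a grant narrows the
   set it admits.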
653
6543.2.4.  itemFirst and userFirst Components
655
656   Each ACI item contains a choice of itemFirst or userFirst.  The
657   choice allows grouping of permissions depending on whether they are
658   most conveniently grouped by user classes or by protected items.  The
659   itemFirst and userFirst components are equivalent in the sense that
660   they capture the same access control information; however, they
661   organize that information differently.  The choice between them is
662   based on administrative convenience.  The subcomponents of itemFirst
663   and userFirst are described below.
664
665   a) ProtectedItems defines the items to which the specified access
666
667
668
669Legg                    Expires 16 December 2004               [Page 12]
670
671INTERNET-DRAFT     Basic and Simplified Access Control     June 16, 2004
672
673
674      controls apply.  It is defined as a set selected from the
675      following:
676
677      - entry means the entry contents as a whole.  It does not
678        necessarily include the information in these entries.  This
679        element SHALL be ignored if the classes component is present,
680        since this latter element selects protected entries on the basis
681        of their object class.
682
683      - allUserAttributeTypes means all user attribute type information
684        associated with the entry, but not values associated with those
685        attributes.
686
687      - allUserAttributeTypesAndValues means all user attribute
688        information associated with the entry, including all values of
689        all user attributes.
690
691        The allUserAttributeTypes and allUserAttributeTypesAndValues
692        components do not include operational attributes, which MUST be
693        specified on a per attribute basis, using attributeType,
694        allAttributeValues or attributeValue.
695
696      - attributeType means attribute type information pertaining to
697        specific attributes but not values associated with the type.
698
699      - allAttributeValues means all attribute value information
700        pertaining to specific attributes.
701
702      - attributeValue means specific values of specific attribute
703        types.
704
705      - selfValue means the attribute values of the specified attribute
706        types that match the distinguished name (and unique identifier)
707        of the requestor.  It can only apply in the specific case where
708        the attribute specified is of DN syntax
709        (1.3.6.1.4.1.1466.115.121.1.12) or Name And Optional UID syntax
710        (1.3.6.1.4.1.1466.115.121.1.34) [RFC2252].
711
712      - rangeOfValues means any attribute value which matches the
713        specified filter, i.e., for which the specified filter evaluated
714        on that attribute value would return TRUE.  The filter is not
715        evaluated on any entries in the DIB, rather it is evaluated
716        using the semantics defined in 7.8 of [X511], operating on a
717        fictitious entry that contains only the single attribute value
718        which is the protected item.  Note that the filter is an X.500
719        search Filter.  It has a different syntax from the LDAP search
720        Filter, but the same semantics.
721
730      The following items provide constraints that may disable the
731      granting of certain permissions to protected items in the same
732      value of ProtectedItems:
733
734      - maxValueCount restricts the maximum number of attribute values
735        allowed for a specified attribute type.  It is examined if the
736        protected item is an attribute value of the specified type and
737        the permission sought is Add.  Values of that attribute in the
738        entry are counted, without regard to attribute options and
739        access control, as though the operation which is attempting to
740        add the values is successful.  If the number of values in the
741        attribute exceeds maxCount, the ACI item is treated as not
742        granting Add permission.
743
744      - maxImmSub restricts the maximum number of immediate subordinates
745        of the superior entry to an entry being added or imported.  It
746        is examined if the protected item is an entry, the permission
747        sought is Add or Import, and the immediate superior entry is in
748        the same server as the entry being added or imported.  Immediate
749        subordinates of the superior entry are counted, without regard
750        to access control, as though the entry addition or importing is
751        successful.  If the number of subordinates exceeds maxImmSub,
752        the ACI item is treated as not granting Add or Import
753        permission.
754
755      - restrictedBy restricts values added to the attribute type to
756        being values that are already present in the same entry as
757        values of the attribute identified by the valuesIn component.
758        It is examined if the protected item is an attribute value of
759        the specified type and the permission sought is Add.  Values of
760        the valuesIn attribute are checked, without regard to attribute
761        options and access control, as though the operation which adds
762        the values is successful.  If the value to be added is not
763        present in valuesIn the ACI item is treated as not granting Add
764        permission.
765
766      - contexts is not used in this version of the LDAP profile for
767        Basic Access Control.
768
769      - classes means the contents of entries that have object class
770        values that satisfy the predicate defined by Refinement (see
771        [SUBENTRY]).
772
773   b) UserClasses defines a set of zero or more users the permissions
774      apply to.  The set of users is selected from the following:
775
776      - allUsers means every directory user (with possible requirements
777        for AuthenticationLevel).
778
786      - thisEntry means the user with the same distinguished name as the
787        entry being accessed.
788
789      - name is the set of users with the specified distinguished names
790        (each with an optional unique identifier).
791
792      - userGroup is the set of users who are members of the groups
793        (i.e., groupOfNames or groupOfUniqueNames entries [RFC2256])
794        identified by the specified distinguished names (each with an
795        optional unique identifier).  Members of a group of unique names
796        are treated as individual user distinguished names, and not as
797        the names of other groups of unique names.  How group membership
798        is determined is described in 5.2.5.
799
800      - subtree is the set of users whose distinguished names fall
801        within the scope of the unrefined subtrees (specificationFilter
802        components SHOULD NOT be used - they SHALL be ignored if
803        present).
804
805   c) SubtreeSpecification is used to specify a subtree relative to the
806      root DSE, and is not constrained by administrative areas.  The
807      specificationFilter component SHOULD NOT be used.  It SHALL be
808      ignored if present.
809
810      A subtree refinement is not allowed because membership in a
811      subtree whose specification includes only base and/or a
812      ChopSpecification can be evaluated in isolation, whereas
813      membership in a subtree definition using specificationFilter can
814      only be evaluated by obtaining information from the user's entry,
815      which is potentially in another directory server.  Basic Access
816      Control is designed to avoid remote operations in the course of
817      making an access control decision.
818
819   d) ItemPermission contains a collection of users and their
820      permissions with respect to ProtectedItems within an itemFirst
821      specification.  The permissions are specified in grantsAndDenials
822      as discussed in item f).  Each of the permissions specified in
823      grantsAndDenials is considered to have the precedence level
824      specified in precedence for the purpose of the ACDF.  If
825      precedence is omitted within ItemPermission, then precedence is
826      taken from the precedence specified for ACIItem.
827
828   e) UserPermission contains a collection of protected items and the
829      associated permissions with respect to userClasses within a
830      userFirst specification.  The associated permissions are specified
831      in grantsAndDenials as discussed in item f).  Each of the
832      permissions specified in grantsAndDenials is considered to have
833      the precedence level specified in precedence for the purpose of
842      the ACDF.  If precedence is omitted within UserPermission, the
843      precedence is taken from the precedence specified for ACIItem.
844
845   f) GrantsAndDenials specify the access rights that are granted or
846      denied by the ACI item.
847
848   g) UniqueIdentifier may be used by the authentication mechanism to
849      distinguish between instances of distinguished name reuse.  If
850      this component is present, then for a requestor's name to match
851      the UserClasses of an ACIItem that grants permissions, in addition
852      to the requirement that the requestor's distinguished name match
853      the specified distinguished name, the authentication of the
854      requestor shall yield an associated unique identifier, and that
855      value shall match for equality with the specified value.
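
   The three constraint components of ProtectedItems described in item
   a) above, as an added worked example that is not part of this draft.
   The Entry and Constraints shapes are assumptions of the example; the
   counting rule (as though the add had succeeded, ignoring access
   control and attribute options) is the one the text specifies.

```python
# Added example, not from the draft: evaluating the maxValueCount,
# maxImmSub and restrictedBy constraints of a ProtectedItems value.
# The Entry and Constraints representations are assumptions.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Entry:
    dn: str
    attrs: dict                 # attribute type -> set of values
    subordinates: int = 0       # immediate subordinates held locally


@dataclass
class Constraints:
    """Constraint components of one ProtectedItems value."""
    max_value_count: dict = field(default_factory=dict)   # type -> maxCount
    max_imm_sub: Optional[int] = None
    restricted_by: dict = field(default_factory=dict)     # type -> valuesIn


def as_if_added(entry, additions):
    """State of the entry as though the add succeeded.  All three
    constraints count this way, ignoring access control and options."""
    attrs = {t: set(v) for t, v in entry.attrs.items()}
    for atype, values in additions.items():
        attrs.setdefault(atype, set()).update(values)
    return Entry(entry.dn, attrs, entry.subordinates)


def add_grant_survives(c, entry, additions, atype):
    """False if the ACI item must be treated as NOT granting Add for the
    values of atype in additions; True if no constraint disables it."""
    after = as_if_added(entry, additions)
    limit = c.max_value_count.get(atype)
    if limit is not None and len(after.attrs.get(atype, ())) > limit:
        return False                       # maxValueCount exceeded
    values_in = c.restricted_by.get(atype)
    if values_in is not None:
        # restrictedBy: every added value must already be (or become, in
        # the same operation) a value of the valuesIn attribute
        pool = after.attrs.get(values_in, set())
        if any(v not in pool for v in additions.get(atype, ())):
            return False
    return True


def entry_add_grant_survives(c, superior):
    """maxImmSub: count the superior's immediate subordinates as though
    the entry addition or import had succeeded."""
    if c.max_imm_sub is None:
        return True
    return superior.subordinates + 1 <= c.max_imm_sub


if __name__ == "__main__":
    # constructed sample data
    group = Entry("cn=staff,dc=example,dc=com",
                  {"member": {"cn=ann,dc=example,dc=com",
                              "cn=bob,dc=example,dc=com"}})
    c = Constraints(max_value_count={"member": 3}, max_imm_sub=2,
                    restricted_by={"seeAlso": "member"})
    print(add_grant_survives(c, group,
                             {"seeAlso": {"cn=zed,dc=example,dc=com"}},
                             "seeAlso"))   # False: not a member value
```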
856
8573.2.5.  Determining Group Membership
858
859   Determining whether a given requestor is a group member requires
860   checking two criteria.  The determination may also be constrained if
861   the group definition is not known locally.  The criteria for
862   membership and the treatment of non-local groups are discussed below.
863
864   a) A directory server is not required to perform a remote operation
865      to determine whether the requestor belongs to a particular group
866      for the purposes of Basic Access Control.  If membership in the
867      group cannot be evaluated, the server shall assume that the
868      requestor does not belong to the group if the ACI item grants the
869      permission sought, and does belong to the group if it denies the
870      permission sought.
871
872      Access control administrators should beware of basing access
873      controls on membership of non-locally available groups or groups
874      which are available only through replication (and which may,
875      therefore, be out of date).
876
877   b) In order to determine whether the requestor is a member of a
878      userGroup user class, the following criteria apply:
879
880      - The entry named by the userGroup specification is an instance of
881        the object class groupOfNames or groupOfUniqueNames.
882
883      - The name of the requestor is a value of the member or
884        uniqueMember attribute of that entry.
885
886      Values of the member or uniqueMember attribute that do not match
887      the name of the requestor are ignored, even if they represent the
888      names of groups of which the originator could be found to be a
889      member.  Hence, nested groups are not supported when evaluating
898      access controls.
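
   The membership test of b) and the fail-safe rule of a), as an added
   example that is not part of this draft.  DN comparison is simplified
   (lower-cased, spaces around commas dropped) and unique identifiers
   are not modelled; the entry dictionaries are constructed.

```python
# Added example, not from the draft: userGroup membership (3.2.5 b) and
# the treatment of groups the server cannot evaluate (3.2.5 a).

GROUP_CLASSES = {             # object class -> membership attribute
    "groupofnames": "member",
    "groupofuniquenames": "uniquemember",
}


def norm_dn(dn):
    """Simplified stand-in for distinguishedNameMatch."""
    return ",".join(p.strip() for p in dn.lower().split(","))


def attr(entry, name):
    """Case-insensitive attribute lookup in a dict-shaped entry."""
    return next((v for k, v in entry.items() if k.lower() == name), [])


def is_member(group_entry, requestor_dn):
    """3.2.5 b): the named entry must be a groupOfNames or
    groupOfUniqueNames and the requestor's name must be one of its
    member/uniqueMember values.  Every other value is ignored, so a group
    named as a member is never expanded (no nested groups)."""
    classes = {v.lower() for v in attr(group_entry, "objectclass")}
    for oc, member_attr in GROUP_CLASSES.items():
        if oc in classes:
            members = {norm_dn(v) for v in attr(group_entry, member_attr)}
            return norm_dn(requestor_dn) in members
    return False                      # not a group entry at all


def member_for_acdf(local_entries, group_dn, requestor_dn, item_grants):
    """Membership as the ACDF uses it.  If the group entry is not held
    locally no remote operation is made: the requestor is assumed NOT a
    member when the ACI item grants the permission sought and assumed a
    member when the item denies it (3.2.5 a).  Either way an unknown
    group can only take rights away, never confer them."""
    entry = local_entries.get(norm_dn(group_dn))
    if entry is None:
        return not item_grants
    return is_member(entry, requestor_dn)
```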
899
9003.3.  ACI Operational Attributes
901
902   ACI is stored as values of operational attributes of entries and
903   subentries.  The operational attributes are multi-valued, which
904   allows ACI to be represented as a set of ACI items.
905
9063.3.1.  Prescriptive ACI
907
908   The prescriptiveACI attribute is defined as an operational attribute
909   of an access control subentry.  It contains prescriptive ACI
910   applicable to entries within that subentry's scope.
911
912   The LDAP description [RFC2252] for the prescriptiveACI operational
913   attribute is:
914
915      ( 2.5.24.4 NAME 'prescriptiveACI'
916          EQUALITY directoryStringFirstComponentMatch
917          SYNTAX 1.3.6.1.4.1.1466.115.121.1.1
918          USAGE directoryOperation )
919
920   The directoryStringFirstComponentMatch matching rule is described in
921   [SCHEMA].
922
923   Prescriptive ACI within the subentries of a particular administrative
924   point never applies to the same or any other subentry of that
925   administrative point, but can be applicable to the subentries of
926   subordinate administrative points.
927
928   Note that prescriptiveACI attributes are not collective attributes.
929   Although the values of a prescriptiveACI attribute contribute to
930   access control decisions for each entry within the scope of the
931   subentry that holds the attribute, the prescriptiveACI attribute does
932   not appear as part of those entries.
933
9343.3.2.  Entry ACI
935
936   The entryACI attribute is defined as an operational attribute of an
937   entry or subentry (not just access control subentries).  It contains
938   entry ACI applicable to the entry or subentry in which it appears,
939   and that (sub)entry's contents.
940
941   The LDAP description [RFC2252] for the entryACI operational attribute
942   is:
943
944      ( 2.5.24.5 NAME 'entryACI'
945          EQUALITY directoryStringFirstComponentMatch
954          SYNTAX 1.3.6.1.4.1.1466.115.121.1.1
955          USAGE directoryOperation )
956
9573.3.3.  Subentry ACI
958
959   The subentryACI attribute is defined as an operational attribute of
960   administrative entries [ADMIN] (for any aspect of administration).
961   It contains subentry ACI that applies to each of the subentries of
962   the administrative entry in which it appears.  Only administrative
963   entries are permitted to contain a subentryACI attribute.
964
965   The LDAP description [RFC2252] for the subentryACI operational
966   attribute is:
967
968      ( 2.5.24.6 NAME 'subentryACI'
969          EQUALITY directoryStringFirstComponentMatch
970          SYNTAX 1.3.6.1.4.1.1466.115.121.1.1
971          USAGE directoryOperation )
972
9733.3.4.  Protecting the ACI
974
975   ACI operational attributes are subject to the same protection
976   mechanisms as other attributes.
977
978   The identificationTag provides an identifier for each ACI item.  This
979   tag can be used to remove a specific ACI item value, or to protect it
980   by prescriptive ACI, entry ACI or subentry ACI.  Directory rules
981   ensure that only one ACI item per access control operational
982   attribute possesses any specific identificationTag value.
983
984   The creation of subentries for an administrative entry may be
985   controlled by means of the subentryACI operational attribute in the
986   administrative entry.  The right to create prescriptive access
987   controls may also be governed directly by security policy; this
988   provision is required to create access controls in new autonomous
989   administrative areas [ADMIN].
990
9913.4.  Access Control Decision Points for LDAP Operations
992
993   Each LDAP operation involves making a series of access control
994   decisions on the various protected items that the operation accesses.
995
996   For some operations (e.g., the Modify operation), each such access
997   control decision must grant access for the operation to succeed; if
998   access is denied to any protected item, the whole operation fails.
999   For other operations (e.g., the Search operation), protected items to
1000   which access is denied are simply omitted from the operation result
1001   and processing continues.
1002
1010   If the requested access is denied, further access control decisions
1011   may be needed to determine if the user has DiscloseOnError
1012   permissions to the protected item.  Only if DiscloseOnError
1013   permission is granted may the server respond with an error that
1014   reveals the existence of the protected item.  In all other cases, the
1015   server MUST act so as to conceal the existence of the protected item.
1016
   The permissions required to access each protected item are specified
   for each operation in the following sections.  The algorithm by which
1019   a permission is determined to be granted or not granted is specified
1020   in Section 3.5.
1021
10223.4.1.  Common Elements of Procedure
1023
1024   This section defines the elements of procedure that are common to all
1025   LDAP operations when Basic Access Control is in effect.
1026
10273.4.1.1.  Alias Dereferencing
1028
1029   If, in the process of locating a target object entry (nominated in an
1030   LDAP request), alias dereferencing is required, no specific
1031   permissions are necessary for alias dereferencing to take place.
1032   However, if alias dereferencing would result in a referral being
1033   returned, the following sequence of access controls applies.
1034
   1) Read permission is required to the alias entry.  If permission is
      not granted, the operation fails in accordance with the procedure
      described in 5.4.1.3.
1038
1039   2) Read permission is required to the aliasedEntryName attribute and
1040      to the single value that it contains.  If permission is not
1041      granted, the operation fails and the resultCode
1042      aliasDereferencingProblem SHALL be returned.  The matchedDN field
1043      of the LDAPResult SHALL contain the name of the alias entry.
1044
1045   In addition to the access controls described above, security policy
1046   may prevent the disclosure of knowledge of other servers which would
1047   otherwise be conveyed in a referral.  If such a policy is in effect
1048   the resultCode insufficientAccessRights SHALL be returned.
1049
10503.4.1.2.  Return of Names in Errors
1051
1052   Certain LDAP result codes, i.e., noSuchObject, aliasProblem,
1053   invalidDNSyntax and aliasDereferencingProblem, provide the name of an
1054   entry in the matchedDN field of an LDAPResult.  The DN of an entry
1055   SHALL only be provided in the matchedDN field if DiscloseOnError
1056   permission is granted to that entry, otherwise, the matchedDN field
1057   of the LDAPResult SHALL either contain the name of the next superior
1066   entry to which DiscloseOnError permission is granted, or, if
1067   DiscloseOnError permission is not granted to any superior entry, the
1068   name of the root DSE (i.e., a zero-length LDAPDN).
1069
10703.4.1.3.  Non-disclosure of Entry Existence
1071
1072   If, while performing an LDAP operation, the necessary entry level
1073   permission is not granted to the specified target object entry -
1074   e.g., the entry to be modified - the operation fails; if
1075   DiscloseOnError permission is granted to the target entry, the
1076   resultCode insufficientAccessRights SHALL be returned, otherwise, the
1077   resultCode noSuchObject SHALL be returned.  The matchedDN field of
1078   the LDAPResult SHALL either contain the name of the next superior
1079   entry to which DiscloseOnError permission is granted, or, if
1080   DiscloseOnError permission is not granted to any superior entry, the
1081   name of the root DSE (i.e., a zero-length LDAPDN).
1082
1083   Additionally, whenever the server detects an operational error
1084   (including a referral resultCode), it shall ensure that in returning
1085   that error it does not compromise the existence of the named target
1086   entry and any of its superiors.  For example, before returning a
1087   resultCode of timeLimitExceeded or notAllowedOnNonLeaf, the server
1088   verifies that DiscloseOnError permission is granted to the target
1089   entry.  If it is not, the procedure described in the paragraph above
1090   SHALL be followed.
1091
10923.4.2.  Compare Operation Decision Points
1093
1094   The following sequence of access controls applies for an entry being
1095   compared.
1096
1097   1) Read permission for the entry to be compared is required.  If
1098      permission is not granted, the operation fails in accordance with
1099      5.4.1.3.
1100
   2) Compare permission for the attribute to be compared is required.
      If permission is not granted, the operation fails: if
      DiscloseOnError permission is granted to the attribute being
      compared, a resultCode of insufficientAccessRights SHALL be
      returned, otherwise, the resultCode noSuchAttribute SHALL be
      returned.
1107
1108   3) If there exists a value within the attribute being compared that
1109      matches the purported argument and for which Compare permission is
1110      granted, the operation returns the resultCode compareTrue,
1111      otherwise the operation returns the resultCode compareFalse.
1112
11133.4.3.  Search Operation Decision Points
1114
1122   The following sequence of access controls applies for a portion of
1123   the DIT being searched.
1124
1125   1) No specific permission is required to the entry identified by the
1126      baseObject argument in order to initiate a search.  However, if
1127      the baseObject is within the scope of the SearchArgument (i.e.,
1128      when the subset argument specifies baseObject or wholeSubtree) the
1129      access controls specified in 2) through 5) will apply.
1130
1131   2) Browse or Read permission is required for the single entry within
1132      the scope of a baseObject search.  An entry for which neither of
1133      these permissions is granted is ignored.
1134
1135      This differs from the X.500 DAP Search operation where the Browse
1136      permission alone is required.  An entry with Read permission but
1137      not Browse permission cannot be searched but can still be examined
1138      with an X.500 DAP Read operation.  LDAP relies on baseObject
1139      search operations to provide the functionality of the DAP Read
1140      operation.  Accepting Read permission for the target entry in a
1141      baseObject search gives an LDAP baseObject search the same access
1142      rights to the entry as the DAP Read operation.
1143
1144   3) Browse permission is required for an entry within the scope of a
1145      singleLevel or wholeSubtree search to be a candidate for
1146      consideration.  Entries for which this permission is not granted
1147      are ignored.
1148
1149   4) The filter argument is applied to each entry left to be considered
1150      after taking 2) and 3) into account, in accordance with the
1151      following:
1152
1153      a) For a present Filter item, if there exists an attribute value
1154         such that the attribute type of the value (possibly a subtype
1155         of the attribute type in the FilterItem) satisfies the Filter
1156         item and FilterMatch permission is granted for the value and
1157         for the attribute type then the FilterItem evaluates to TRUE,
1158         otherwise, it evaluates to FALSE.
1159
1160         If a directory server does not support True/False filters
1161         [FILTER] on LDAP searches, or if directory clients do not
1162         exploit this capability, then access control administrators
1163         SHOULD grant FilterMatch permission for the objectClass
1164         attribute over entries where Read permission is also granted so
1165         that an LDAP baseObject search with a filter testing for the
1166         presence of the objectClass attribute will have the same access
1167         rights to the target entry as the DAP Read operation.  An LDAP
1168         baseObject search with a True filter does not require
1169         FilterMatch permission for any particular attribute type.
1170
1178      b) For an equalityMatch, substrings, greaterOrEqual, lessOrEqual,
1179         approxMatch or extensibleMatch Filter item, if there exists an
1180         attribute value such that the value satisfies the Filter item
1181         and FilterMatch permission is granted for the value and for its
1182         attribute type (possibly a subtype of the attribute type in the
1183         FilterItem) then the FilterItem evaluates to TRUE, otherwise,
1184         it evaluates to FALSE.
1185
1186   Once the access controls defined in 2) through 4) have been applied,
1187   an entry is either selected or discarded.
1188
1189   5) For each selected entry the information returned is as follows:
1190
      a) ReturnDN permission for an entry is required in order to return
         its distinguished name in a SearchResultEntry response.  If
         this permission is not granted, the server SHALL either return
         the name of a valid alias to the entry or omit the entry from
         the search result.
1196
1197         If the base entry of the search was located using an alias,
1198         then that alias is known to be a valid alias.  Otherwise, how
1199         it is ensured that the alias is valid is outside the scope of
1200         this specification.
1201
1202         Where a server has a choice of alias names available to it for
1203         return, it is RECOMMENDED that where possible it choose the
1204         same alias name for repeated requests by the same client, in
1205         order to provide a consistent service.
1206
1207      b) If the typesOnly field of the SearchRequest is TRUE then, for
1208         each attribute type that is to be returned, Read permission for
1209         the attribute type and Read permission for at least one value
1210         of the attribute is required.  If permission is not granted,
1211         the attribute type is omitted from the attribute list in the
1212         SearchResultEntry.  If as a consequence of applying these
1213         controls no attribute type information is selected, the
1214         SearchResultEntry is returned but no attribute type information
1215         is conveyed with it (i.e., the attribute list is empty).
1216
1217      c) If the typesOnly field of the SearchRequest is FALSE then Read
1218         permission is required for each attribute type and for each
1219         attribute value that is to be returned.  If permission to an
1220         attribute type is not granted, the attribute is omitted from
1221         the SearchResultEntry.  If permission to an attribute value is
1222         not granted, the value is omitted from its corresponding
1223         attribute.  If all values of an attribute are omitted then the
1224         attribute type is omitted from the attribute list in the
1225         SearchResultEntry.  If as a consequence of applying these
1234         controls no attribute information is selected, the
1235         SearchResultEntry is returned but no attribute information is
1236         conveyed with it (i.e., the attribute list is empty).
1237
1238   6) If as a consequence of applying the above controls to the entire
1239      scoped subtree the search result contains no entries (excluding
1240      any SearchResultReferences) and if DiscloseOnError permission is
1241      not granted to the entry identified by the baseObject argument,
1242      the operation fails and the resultCode noSuchObject SHALL be
1243      returned.  The matchedDN field of the LDAPResult SHALL either
1244      contain the name of the next superior entry to which
1245      DiscloseOnError permission is granted, or the name of the root DSE
1246      (i.e., a zero-length LDAPDN).  Otherwise, the operation succeeds
1247      but no subordinate information is conveyed with it.
1248
1249   Security policy may prevent the disclosure of knowledge of other
1250   servers which would otherwise be conveyed as SearchResultReferences.
1251   If such a policy is in effect SearchResultReferences are omitted from
1252   the search result.
1253
1254   No specific permissions are necessary to allow alias dereferencing to
1255   take place in the course of a search operation.  However, for each
1256   alias entry encountered, if alias dereferencing would result in a
1257   SearchResultReference being returned, the following access controls
1258   apply: Read permission is required to the alias entry, the
1259   aliasedEntryName attribute and to the single value that it contains.
1260   If any of these permissions is not granted, the SearchResultReference
1261   SHALL be omitted from the search result.
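
   Decision points 2) to 6) above applied to an in-memory DIT, as an
   added example that is not part of this draft.  The Entry shape, the
   permission oracle perm(permission, dn, attributeType, value) and the
   reduced filter language are assumptions of the example; attribute
   subtypes, aliases and the matchedDN selection for noSuchObject are
   not modelled.

```python
# Added example, not from the draft: search decision points 2) to 6).
# perm(p, dn, atype, value): atype and value are None when the protected
# item is the entry itself, value is None when it is the attribute type.
from dataclasses import dataclass


@dataclass
class Entry:
    dn: str
    attrs: dict          # attribute type -> list of values


def unescaped_commas(s):
    n, esc = 0, False
    for ch in s:
        if esc:
            esc = False
        elif ch == "\\":
            esc = True
        elif ch == ",":
            n += 1
    return n


def in_scope(dn, base_dn, scope):
    """scope is 'baseObject', 'singleLevel' or 'wholeSubtree'.  DNs are
    compared lower-cased, a simplification of distinguishedNameMatch."""
    dn, base_dn = dn.lower(), base_dn.lower()
    if dn == base_dn:
        return scope in ("baseObject", "wholeSubtree")
    if scope == "baseObject" or not dn.endswith("," + base_dn):
        return False
    rel = dn[:-len(base_dn) - 1]
    return scope == "wholeSubtree" or unescaped_commas(rel) == 0


def filter_true(perm, e, f):
    """Reduced filter: ('true',), ('present', t), ('equal', t, v),
    ('and', [..]), ('or', [..]), ('not', f).  Per 4 a) and 4 b) an item
    is TRUE only if some value satisfies it AND FilterMatch is granted
    both for that value and for its attribute type."""
    op = f[0]
    if op == "true":
        return True
    if op == "and":
        return all(filter_true(perm, e, g) for g in f[1])
    if op == "or":
        return any(filter_true(perm, e, g) for g in f[1])
    if op == "not":
        return not filter_true(perm, e, f[1])
    atype = f[1]
    for v in e.attrs.get(atype, []):
        if op == "equal" and v.lower() != f[2].lower():
            continue
        if perm("FilterMatch", e.dn, atype, None) and \
                perm("FilterMatch", e.dn, atype, v):
            return True
    return False


def result_attrs(perm, e, types_only):
    """5 b) and 5 c): Read on the type and on each returned value; a type
    with no readable value is dropped even when typesOnly is TRUE."""
    out = {}
    for atype, values in e.attrs.items():
        if not perm("Read", e.dn, atype, None):
            continue
        visible = [v for v in values if perm("Read", e.dn, atype, v)]
        if visible:
            out[atype] = [] if types_only else visible
    return out


def search(perm, dit, base_dn, scope, f, types_only=False):
    """dit: dn -> Entry.  Returns (resultCode, list of result entries)."""
    selected = []
    for e in dit.values():
        if not in_scope(e.dn, base_dn, scope):
            continue
        if scope == "baseObject":                       # 2)
            ok = perm("Browse", e.dn, None, None) or perm("Read", e.dn, None, None)
        else:                                           # 3)
            ok = perm("Browse", e.dn, None, None)
        if not ok or not filter_true(perm, e, f):       # 4)
            continue
        if not perm("ReturnDN", e.dn, None, None):      # 5 a), no alias known
            continue
        selected.append({"dn": e.dn, "attrs": result_attrs(perm, e, types_only)})
    if not selected and not perm("DiscloseOnError", base_dn, None, None):
        return "noSuchObject", []                       # 6)
    return "success", selected
```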
1262
12633.4.4.  Add Operation Decision Points
1264
   The following sequence of access controls applies for an entry being
   added.
1267
1268   1) No specific permission is required for the immediate superior of
1269      the entry identified by the entry field of the AddRequest.
1270
1271   2) If an entry already exists with a distinguished name equal to the
1272      entry field the operation fails; if DiscloseOnError or Add
1273      permission is granted to the existing entry, the resultCode
1274      entryAlreadyExists SHALL be returned, otherwise, the procedure
1275      described in 5.4.1.3 is followed with respect to the entry being
1276      added.
1277
1278   3) Add permission is required for the new entry being added.  If this
1279      permission is not granted, the operation fails; the procedure
1280      described in 5.4.1.3 is followed with respect to the entry being
1281      added.
1282
1290      The Add permission is provided as prescriptive ACI when attempting
1291      to add an entry and as prescriptive ACI or subentry ACI when
1292      attempting to add a subentry.  Any values of the entryACI
1293      attribute in the entry being added SHALL be ignored.
1294
1295   4) Add permission is required for each attribute type and for each
1296      value that is to be added.  If any permission is absent, the
1297      operation fails and the resultCode insufficientAccessRights SHALL
1298      be returned.
1299
13003.4.5.  Delete Operation Decision Points
1301
   The following sequence of access controls applies for an entry being
   removed.
1304
1305   1) Remove permission is required for the entry being removed.  If
1306      this permission is not granted, the operation fails in accordance
1307      with 5.4.1.3.
1308
1309   2) No specific permissions are required for any of the attributes and
1310      attribute values present within the entry being removed.
1311
13123.4.6.  Modify Operation Decision Points
1313
   The following sequence of access controls applies for an entry being
   modified.
1316
1317   1) Modify permission is required for the entry being modified.  If
1318      this permission is not granted, the operation fails in accordance
1319      with 5.4.1.3.
1320
1321   2) For each of the specified modification arguments applied in
1322      sequence, the following permissions are required:
1323
1324      a) Add permission is required for each of the attribute values
1325         specified in an add modification.  If the attribute does not
1326         currently exist then Add permission for the attribute type is
1327         also required.  If these permissions are not granted, or any of
1328         the attribute values already exist, the operation fails; if an
1329         attribute value already exists and DiscloseOnError or Add is
1330         granted to that attribute value, the resultCode
1331         attributeOrValueExists SHALL be returned, otherwise, the
1332         resultCode insufficientAccessRights SHALL be returned.
1333
1334      b) Remove permission is required for the attribute type specified
1335         in a delete modification with no listed attribute values.  If
1336         this permission is not granted, the operation fails; if
1337         DiscloseOnError permission is granted to the attribute being
1346         removed and the attribute exists, the resultCode
1347         insufficientAccessRights SHALL be returned, otherwise, the
1348         resultCode noSuchAttribute SHALL be returned.
1349
1350         No specific permissions are required for any of the attribute
1351         values present within the attribute being removed.
1352
1353      c) Remove permission is required for each of the values in a
1354         delete modification with listed attribute values.  If all
1355         current values of the attribute are specified to be removed
1356         (which causes the attribute itself to be removed), then Remove
1357         permission for the attribute type is also required.  If these
1358         permissions are not granted, the operation fails; if
1359         DiscloseOnError permission is granted to any of the attribute
1360         values being removed, the resultCode insufficientAccessRights
1361         SHALL be returned, otherwise, the resultCode noSuchAttribute
1362         SHALL be returned.
1363
1364      d) Remove and Add permission is required for the attribute type,
1365         and Add permission is required for each of the specified
1366         attribute values, in a replace modification.  If these
1367         permissions are not granted the operation fails and the
1368         resultCode insufficientAccessRights SHALL be returned.
1369
1370         No specific permissions are required to remove any existing
1371         attribute values of the attribute being replaced.
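
   The delete and replace decision points (b) to (d) above, written out as
   an added example that is not part of this document.  The callback
   decide(permission, item) is an assumed stand-in for the ACDF of Section
   3.5, and the sample GRANTS table is constructed for illustration; what
   the example shows is how the choice between insufficientAccessRights
   and noSuchAttribute turns on DiscloseOnError, so that a refused delete
   does not by itself reveal whether the attribute exists.

```python
# Added example, not part of the draft: decision points (b) to (d) of Section
# 3.4.6 for the delete and replace forms of a Modify, as a function.
# decide(permission, item) is an assumed callback standing in for the ACDF of
# Section 3.5; item is ("attr", type) or ("value", type, value).


def modify_outcome(decide, op, attr, values, current):
    """Return "success" or the resultCode the text prescribes.  op is "delete"
    or "replace"; values are the listed values (empty for a delete with no
    values); current is the attribute's existing value list."""
    attr_item = ("attr", attr)
    if op == "delete" and not values:                        # (b)
        if decide("Remove", attr_item):
            return "success"
        if decide("DiscloseOnError", attr_item) and current:
            return "insufficientAccessRights"
        return "noSuchAttribute"
    if op == "delete":                                        # (c)
        items = [("value", attr, v) for v in values]
        removes_all = bool(current) and set(current) <= set(values)
        ok = all(decide("Remove", it) for it in items)
        if ok and removes_all:                                # attribute goes too
            ok = decide("Remove", attr_item)
        if ok:
            return "success"
        if any(decide("DiscloseOnError", it) for it in items):
            return "insufficientAccessRights"
        return "noSuchAttribute"
    if op == "replace":                                       # (d)
        ok = (decide("Remove", attr_item) and decide("Add", attr_item)
              and all(decide("Add", ("value", attr, v)) for v in values))
        return "success" if ok else "insufficientAccessRights"
    raise ValueError("unsupported modification: %r" % (op,))


# Constructed sample policy: the requestor may remove individual "mail" values
# but not the "mail" attribute, holds DiscloseOnError on "mail", and holds
# nothing on "userPassword", so a refused delete there reads as noSuchAttribute.
GRANTS = {("attr", "mail"): {"DiscloseOnError"},
          ("value", "mail"): {"Remove", "DiscloseOnError"}}


def sample_decide(permission, item):
    """Look up (kind, type) in GRANTS; the specific value is not consulted."""
    return permission in GRANTS.get(item[:2], set())
```

   With the sample policy, deleting one mail value succeeds, deleting all
   of them fails with insufficientAccessRights (the attribute itself would
   go, and Remove on the attribute is not held, but DiscloseOnError is),
   while any refused delete of userPassword is reported as noSuchAttribute.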
1372
13733.4.7.  Modify DN Operation Decision Points
1374
   The following sequence of access controls applies to an entry having
   its DN modified.
1377
1378   1) If the effect of the operation is to change the RDN of the entry
1379      then Rename permission (determined with respect to its original
1380      name) is required for the entry.  If this permission is not
1381      granted, the operation fails; the procedure described in 5.4.1.3
1382      is followed with respect to the entry being renamed (considered
1383      with its original name).
1384
1385      No additional permissions are required even if, as a result of
1386      modifying the RDN of the entry, a new distinguished value needs to
1387      be added, or an old one removed.  No specific permissions are
1388      required for the subordinates of the renamed entry.
1389
1390   2) If the effect of the operation is to move an entry to a new
1391      superior in the DIT then Export permission (determined with
1392      respect to its original name) and Import permission (determined
1393      with respect to its new name) are required for the entry.  If
1402      either of these permissions is not granted, the operation fails;
1403      the procedure described in 5.4.1.3 is followed with respect to the
1404      entry being moved (considered with its original name).
1405
1406      The Import permission is provided as prescriptive ACI when
1407      attempting to move an entry and as prescriptive ACI or subentry
1408      ACI when attempting to move a subentry.  Any values of the
1409      entryACI attribute in the entry or subentry being moved SHALL be
1410      ignored.
1411
1412      No specific permissions are required for the subordinates of the
1413      moved entry.
1414
1415   Note that a single Modify DN Operation may simultaneously rename and
1416   move an entry.
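
   The checks required by the two decision points above, derived from the
   entry's original and new DN, as an added example that is not part of
   this document.  DN handling is deliberately simplified (RDNs are split
   on unescaped commas and compared case-insensitively; this is an
   assumption, not the matching rules a real DSA applies), and
   decide(permission, dn) is an assumed callback standing in for the ACDF
   evaluated against the named entry.

```python
# Added example, not part of the draft: derive the permission checks that
# Section 3.4.7 requires for a Modify DN from the entry's original and new
# DN.  DN handling is simplified (an assumption): RDNs are split on unescaped
# commas and compared case-insensitively; decide(permission, dn) is an
# assumed callback standing in for the ACDF evaluated against that name.


def split_dn(dn):
    """Split a DN into its RDN strings on unescaped commas (simplified)."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped or ch == "\\":
            cur.append(ch)
            escaped = not escaped
        elif ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return parts


def modify_dn_checks(original_dn, new_dn):
    """Return the (permission, name to evaluate against) pairs 3.4.7 requires:
    Rename against the original name when the RDN changes; Export against the
    original name and Import against the new name when the superior changes."""
    old = [r.lower() for r in split_dn(original_dn)]
    new = [r.lower() for r in split_dn(new_dn)]
    checks = []
    if old[0] != new[0]:                        # RDN changed: a rename
        checks.append(("Rename", original_dn))
    if old[1:] != new[1:]:                      # new superior: a move
        checks.append(("Export", original_dn))
        checks.append(("Import", new_dn))
    return checks


def authorize_modify_dn(original_dn, new_dn, decide):
    """Every required permission must be granted; return (True, None) or
    (False, first permission refused).  A rename-and-move needs all three."""
    for permission, dn in modify_dn_checks(original_dn, new_dn):
        if not decide(permission, dn):
            return False, permission
    return True, None
```

   A request whose new DN differs only in case produces no checks at all,
   and a request that changes both the RDN and the superior produces the
   Rename, Export and Import checks together, as the note above requires.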
1417
14183.5.  Access Control Decision Function
1419
1420   This section describes how ACI items are processed in order to decide
1421   whether to grant or deny a particular requestor a specified
1422   permission to a given protected item.
1423
1424   Section 3.5.1 describes the inputs to the ACDF.  Sections 3.5.2
1425   through 3.5.4 describe the steps in the ACDF.  The output is a
1426   decision to grant or deny access to the protected item.
1427
14283.5.1.  Inputs
1429
1430   For each invocation of the ACDF, the inputs are:
1431
1432   a) the requestor's Distinguished Name, unique identifier, and
1433      authentication level, or as many of these as are available;
1434
1435   b) the protected item (an entry, an attribute, or an attribute value)
1436      being considered at the current decision point for which the ACDF
1437      was invoked;
1438
1439   c) the requested permission specified for the current decision point;
1440
1441   d) the ACI items applicable to the entry containing (or which is) the
1442      protected item.
1443
1444   In addition, if the ACI items include any of the protected item
1445   constraints described in 5.2.1.4, the whole entry and the number of
1446   immediate subordinates of its superior entry may also be required as
1447   inputs.
1448
14493.5.2.  Tuples
1450
1458   For each ACI item, expand the item into a set of tuples, one tuple
1459   for each element of the itemPermissions and userPermissions sets,
1460   containing the following elements:
1461
1462      ( userClasses, authenticationLevel, protectedItems,
1463         grantsAndDenials, precedence )
1464
1465   Collect all tuples from all ACI items into a single set.
1466
1467   For any tuple whose grantsAndDenials specify both grants and denials,
1468   replace the tuple with two tuples - one specifying only grants and
1469   the other specifying only denials.
1470
14713.5.3.  Discarding Irrelevant Tuples
1472
1473   Perform the following steps to discard all irrelevant tuples:
1474
1475   1) Discard all tuples that do not include the requestor in the
1476      tuple's userClasses as follows:
1477
1478      a) For tuples that grant access, discard all tuples that do not
         include the requestor's identity in the tuple's userClasses
1480         element, taking into account UniqueIdentifier elements if
1481         relevant.  Where a tuple's userClasses specifies a
1482         UniqueIdentifier, a matching value shall be present in the
1483         requestor's identity if the tuple is not to be discarded.
1484         Discard tuples that specify an authentication level higher than
1485         that associated with the requestor.
1486
1487      b) For tuples that deny access, retain all tuples that include the
1488         requestor in the tuple's userClasses element, taking into
1489         account uniqueIdentifier elements if relevant.  Also retain all
1490         tuples that deny access and which specify an authentication
1491         level higher than that associated with the requestor.  This
1492         reflects the fact that the requestor has not adequately proved
1493         non-membership in the user class for which the denial is
1494         specified.  All other tuples that deny access are discarded.
1495
1496   2) Discard all tuples that do not include the protected item in
1497      protectedItems.
1498
1499   3) Examine all tuples that include maxValueCount, maxImmSub or
1500      restrictedBy.  Discard all such tuples which grant access and
1501      which do not satisfy any of these constraints.
1502
1503   4) Discard all tuples that do not include the requested permission as
1504      one of the set bits in grantsAndDenials.
1505
1514   The order in which tuples are discarded does not change the output of
1515   the ACDF.
1516
15173.5.4.  Highest Precedence and Specificity
1518
1519   Perform the following steps to select those tuples of highest
1520   precedence and specificity:
1521
1522   1) Discard all tuples having a precedence less than the highest
1523      precedence among the remaining tuples.
1524
1525   2) If more than one tuple remains, choose the tuples with the most
1526      specific user class.  If there are any tuples matching the
1527      requestor with UserClasses element name or thisEntry, discard all
1528      other tuples.  Otherwise if there are any tuples matching
1529      UserGroup, discard all other tuples.  Otherwise if there are any
1530      tuples matching subtree, discard all other tuples.
1531
1532   3) If more than one tuple remains, choose the tuples with the most
1533      specific protected item.  If the protected item is an attribute
1534      and there are tuples that specify the attribute type explicitly,
1535      discard all other tuples.  If the protected item is an attribute
1536      value, and there are tuples that specify the attribute value
1537      explicitly, discard all other tuples.  A protected item which is a
1538      rangeOfValues is to be treated as specifying an attribute value
1539      explicitly.
1540
1541   Grant access if and only if one or more tuples remain and all grant
1542   access.  Otherwise deny access.
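
   The ACDF of 3.5.2 through 3.5.4, as an added example that is not part
   of this document.  ACI items are plain Python values whose keys mirror
   the ACIItem component names of Appendix A, with a CHOICE written as a
   (name, value) pair; that layout, the SAMPLE_ACI policy and the
   requestor representation are assumptions made for illustration.  The
   5.2.1.4 constraints (maxValueCount, maxImmSub, restrictedBy),
   rangeOfValues and subtree specifications beyond their base are not
   modelled.  A denial retained under step 1(b) of 3.5.3 because the
   requestor's authentication level is too low is ranked in 3.5.4 as if
   the requestor were a member of its user class, which is the reading of
   "has not adequately proved non-membership" taken here.

```python
# Added example, not part of the draft: a compact model of the ACDF of
# Sections 3.5.2 to 3.5.4.  ACI items are plain Python values whose keys
# mirror the ACIItem component names in Appendix A, with a CHOICE written
# as a (name, value) pair; that layout is assumed here for illustration.
# Not modelled: the 5.2.1.4 constraints (maxValueCount, maxImmSub,
# restrictedBy), rangeOfValues, and subtree specifications beyond "base".
LEVEL = {"none": 0, "simple": 1, "strong": 2}         # basicLevels ordering
UC_RANK = {"thisEntry": 3, "name": 3, "userGroup": 2, "subtree": 1, "allUsers": 0}


def expand(aci):
    """3.5.2: one tuple per itemPermission/userPermission, then split any
    tuple that both grants and denies into a grant tuple and a deny tuple."""
    level, (which, first) = aci["authenticationLevel"][1]["level"], aci["itemOrUserFirst"]
    if which == "itemFirst":
        parts = [(p["userClasses"], first["protectedItems"], p) for p in first["itemPermissions"]]
    else:
        parts = [(first["userClasses"], p["protectedItems"], p) for p in first["userPermissions"]]
    out = []
    for uc, pi, p in parts:
        for kind in ("grant", "deny"):           # "grantRead" -> kind grant, perm Read
            perms = {w[len(kind):] for w in p["grantsAndDenials"] if w.startswith(kind)}
            if perms:
                out.append({"userClasses": uc, "level": level, "protectedItems": pi, "kind": kind,
                            "perms": perms, "precedence": p.get("precedence", aci["precedence"])})
    return out


def user_class_rank(uc, requestor, entry_dn):
    """Most specific userClasses element that includes the requestor, or None."""
    ranks = []
    if "thisEntry" in uc and requestor["dn"] == entry_dn:
        ranks.append(UC_RANK["thisEntry"])
    for n in uc.get("name", []):                 # a uid, when given, must match too
        if n["dn"] == requestor["dn"] and n.get("uid") in (None, requestor.get("uid")):
            ranks.append(UC_RANK["name"])
    if requestor["groups"] & {g["dn"] for g in uc.get("userGroup", [])}:
        ranks.append(UC_RANK["userGroup"])      # membership resolved by the caller
    if any(requestor["dn"].endswith("," + s["base"]) for s in uc.get("subtree", [])):
        ranks.append(UC_RANK["subtree"])        # simplified subtree test
    if "allUsers" in uc:
        ranks.append(UC_RANK["allUsers"])
    return max(ranks) if ranks else None


def item_rank(pi, item):
    """Most specific protectedItems element covering item, or None; item is
    ("entry",), ("attr", type) or ("value", type, value)."""
    kind, ranks = item[0], []
    if kind == "entry" and "entry" in pi:
        ranks.append(0)
    elif kind == "attr":
        if "allUserAttributeTypes" in pi or "allUserAttributeTypesAndValues" in pi:
            ranks.append(0)
        if item[1] in pi.get("attributeType", []):
            ranks.append(1)                      # attribute type named explicitly
    elif kind == "value":
        if "allUserAttributeTypesAndValues" in pi or item[1] in pi.get("allAttributeValues", []):
            ranks.append(0)
        if {"type": item[1], "value": item[2]} in pi.get("attributeValue", []):
            ranks.append(1)                      # attribute value named explicitly
    return max(ranks) if ranks else None


def acdf(requestor, entry_dn, item, permission, aci_items):
    """Apply 3.5.3 (discard) then 3.5.4 (select); True grants, False denies."""
    kept = []
    for t in [t for aci in aci_items for t in expand(aci)]:
        uc = user_class_rank(t["userClasses"], requestor, entry_dn)
        needs_higher = LEVEL[t["level"]] > LEVEL[requestor["level"]]
        if t["kind"] == "grant" and (uc is None or needs_higher):
            continue                             # 3.5.3 step 1a
        if t["kind"] == "deny" and uc is None:
            if not needs_higher:
                continue                         # 3.5.3 step 1b
            uc = max(UC_RANK[k] for k in t["userClasses"])  # non-membership unproven
        pi = item_rank(t["protectedItems"], item)
        if pi is None or permission not in t["perms"]:
            continue                             # 3.5.3 steps 2 and 4
        kept.append((t["precedence"], uc, pi, t["kind"]))
    for i in range(3):                           # 3.5.4 steps 1, 2, 3 in turn
        best = max((k[i] for k in kept), default=None)
        kept = [k for k in kept if k[i] == best]
    return bool(kept) and all(k[3] == "grant" for k in kept)


# Constructed sample: anyone may read entries and user attributes; userPassword
# is unreadable, except that a simply authenticated user may read and compare,
# but not remove, the one in their own entry.
SAMPLE_ACI = [
    {"identificationTag": "read-all", "precedence": 10,
     "authenticationLevel": ("basicLevels", {"level": "none"}),
     "itemOrUserFirst": ("userFirst", {"userClasses": {"allUsers": None}, "userPermissions": [
         {"protectedItems": {"entry": None, "allUserAttributeTypesAndValues": None},
          "grantsAndDenials": ["grantRead", "grantBrowse", "grantReturnDN"]}]})},
    {"identificationTag": "own-password", "precedence": 10,
     "authenticationLevel": ("basicLevels", {"level": "simple"}),
     "itemOrUserFirst": ("itemFirst", {"protectedItems": {"attributeType": ["userPassword"],
                                                         "allAttributeValues": ["userPassword"]},
         "itemPermissions": [{"userClasses": {"allUsers": None}, "grantsAndDenials": ["denyRead", "denyCompare"]},
                             {"precedence": 20, "userClasses": {"thisEntry": None},
                              "grantsAndDenials": ["grantRead", "grantCompare", "denyRemove"]}]})},
]
```

   Against SAMPLE_ACI, the owner of an entry bound at level simple reads
   userPassword because the precedence-20 thisEntry grant outranks the
   precedence-10 denial; another user is refused because, at equal
   precedence and user-class specificity, the tuple naming the attribute
   type explicitly (the denial) beats the allUserAttributeTypesAndValues
   grant; and a requestor presenting the owner's DN at level none is
   refused because the grant demands level simple and is discarded.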
1543
15444.  Simplified Access Control
1545
1546   This section describes the functionality of the Simplified Access
1547   Control scheme.  It provides a subset of the functionality found in
1548   Basic Access Control.
1549
1550   When Simplified Access Control is used, the accessControlScheme
1551   operational attribute [ACA] SHALL have the value
1552   simplified-access-control (2.5.28.2).
1553
1554   The functionality of Simplified Access Control is the same as Basic
1555   Access Control except that:
1556
1557   1) Access control decisions shall be made only on the basis of values
1558      of prescriptiveACI and subentryACI operational attributes.  Values
1559      of the entryACI attribute, if present, SHALL NOT be used to make
1560      access control decisions.
1561
1570   2) Access Control Inner Areas are not used.  Values of
1571      prescriptiveACI attributes appearing in subentries of ACIPs SHALL
1572      NOT be used to make access control decisions.
1573
1574   All other provisions SHALL be as defined for Basic Access Control.
1575
15765.  Security Considerations
1577
1578   Access control administrators should beware of basing access controls
1579   on membership of non-locally available groups or groups which are
1580   available only through replication (and which may, therefore, be out
1581   of date).
1582
1583   A particular DSA might not have the ACI governing any data that it
1584   caches.  Administrators should be aware that a directory server with
1585   the capability of caching may pose a significant security risk to
1586   other directory servers, in that it may reveal information to
1587   unauthorized users.
1588
15896.  Acknowledgements
1590
1591   This document is derived from, and duplicates substantial portions
1592   of, Section 8 of X.501 [X501], and selected extracts from X.511
1593   [X511].
1594
15957.  IANA Considerations
1596
1597   The Internet Assigned Numbers Authority (IANA) is requested to update
1598   the LDAP descriptors registry [BCP64] as indicated by the following
1599   templates:
1600
1601      Subject: Request for LDAP Descriptor Registration
1602      Descriptor (short name): basic-access-control
1603      Object Identifier: 2.5.28.1
1604      Person & email address to contact for further information:
1605        Steven Legg <steven.legg@adacel.com.au>
1606      Usage: other (access control scheme)
1607      Specification: RFC XXXX
1608      Author/Change Controller: IESG
1609
1610      Subject: Request for LDAP Descriptor Registration
1611      Descriptor (short name): simplified-access-control
1612      Object Identifier: 2.5.28.2
1613      Person & email address to contact for further information:
1614        Steven Legg <steven.legg@adacel.com.au>
1615      Usage: other (access control scheme)
1616      Specification: RFC XXXX
1617      Author/Change Controller: IESG
1618
1626      Subject: Request for LDAP Descriptor Registration
1627      Descriptor (short name): prescriptiveACI
1628      Object Identifier: 2.5.24.4
1629      Person & email address to contact for further information:
1630        Steven Legg <steven.legg@adacel.com.au>
1631      Usage: attribute type
1632      Specification: RFC XXXX
1633      Author/Change Controller: IESG
1634
1635      Subject: Request for LDAP Descriptor Registration
1636      Descriptor (short name): entryACI
1637      Object Identifier: 2.5.24.5
1638      Person & email address to contact for further information:
1639        Steven Legg <steven.legg@adacel.com.au>
1640      Usage: attribute type
1641      Specification: RFC XXXX
1642      Author/Change Controller: IESG
1643
1644      Subject: Request for LDAP Descriptor Registration
1645      Descriptor (short name): subentryACI
1646      Object Identifier: 2.5.24.6
1647      Person & email address to contact for further information:
1648        Steven Legg <steven.legg@adacel.com.au>
1649      Usage: attribute type
1650      Specification: RFC XXXX
1651      Author/Change Controller: IESG
1652
1653Appendix A. LDAP Specific Encoding for the ACI Item Syntax
1654
1655   This appendix is non-normative.
1656
1657   The LDAP-specific encoding for the ACI Item syntax is specified by
1658   the Generic String Encoding Rules [GSER].  The ABNF [RFC2234] in this
1659   appendix for this syntax is provided only as a convenience and is
1660   equivalent to the encoding specified by the application of GSER.
1661   Since the ACI Item ASN.1 type may be extended in future editions of
1662   X.501 [X501], the provided ABNF should be regarded as a snapshot in
1663   time.  The LDAP-specific encoding for any extension to the ACI Item
1664   ASN.1 type can be determined from the rules of GSER.
1665
1666   In the event that there is a discrepancy between this ABNF and the
1667   encoding determined by GSER, then GSER is to be taken as definitive.
1668
1669   ACIItem = "{" sp aci-identificationTag ","
1670                 sp aci-precedence ","
1671                 sp aci-authenticationLevel ","
1672                 sp aci-itemOrUserFirst
1673                 sp "}"
1674
1682   aci-identificationTag   = id-identificationTag   msp
1683                                DirectoryString
1684   aci-precedence          = id-precedence          msp Precedence
1685   aci-authenticationLevel = id-authenticationLevel msp
1686                                AuthenticationLevel
1687   aci-itemOrUserFirst     = id-itemOrUserFirst     msp
1688                                ItemOrUserFirst
1689   id-identificationTag    = %x69.64.65.6E.74.69.66.69.63.61.74.69.6F
1690                                %x6E.54.61.67 ; "identificationTag"
1691   id-precedence           = %x70.72.65.63.65.64.65.6E.63.65
1692                                ; "precedence"
1693   id-authenticationLevel  = %x61.75.74.68.65.6E.74.69.63.61.74.69.6F
1694                                %x6E.4C.65.76.65.6C
1695                                ; "authenticationLevel"
1696   id-itemOrUserFirst      = %x69.74.65.6D.4F.72.55.73.65.72.46.69.72
1697                                %x73.74 ; "itemOrUserFirst"
1698
1699   Precedence = INTEGER-0-MAX ; MUST be less than 256
1700
1701   AuthenticationLevel = al-basicLevels / al-other
1702   al-basicLevels      = id-basicLevels ":" BasicLevels
1703   al-other            = id-other       ":" EXTERNAL
1704   id-basicLevels      = %x62.61.73.69.63.4C.65.76.65.6C.73
1705                            ; "basicLevels"
1706   id-other            = %x6F.74.68.65.72 ; "other"
1707
1708   BasicLevels = "{"      sp bl-level
1709                    [ "," sp bl-localQualifier ]
1710                    [ "," sp bl-signed         ]
1711                          sp "}"
1712
1713   bl-level          = id-level          msp Level
1714   bl-localQualifier = id-localQualifier msp INTEGER
1715   bl-signed         = id-signed         msp BOOLEAN
1716   Level             = id-none / id-simple / id-strong
1717   id-level          = %x6C.65.76.65.6C ; "level"
1718   id-localQualifier = %x6C.6F.63.61.6C.51.75.61.6C.69.66.69.65.72
1719                          ; "localQualifier"
1720   id-signed         = %x73.69.67.6E.65.64 ; "signed"
1721   id-none           = %x6E.6F.6E.65       ; "none"
1722   id-simple         = %x73.69.6D.70.6C.65 ; "simple"
1723   id-strong         = %x73.74.72.6F.6E.67 ; "strong"
1724
1725   ItemOrUserFirst    = ( id-itemFirst ":" ItemFirst ) /
1726                        ( id-userFirst ":" UserFirst )
1727   id-itemFirst       = %x69.74.65.6D.46.69.72.73.74 ; "itemFirst"
1728   id-userFirst       = %x75.73.65.72.46.69.72.73.74 ; "userFirst"
1729
1738   ItemFirst          = "{" sp if-protectedItems ","
1739                            sp if-itemPermissions
1740                            sp "}"
1741   if-protectedItems  = id-protectedItems  msp ProtectedItems
1742   if-itemPermissions = id-itemPermissions msp ItemPermissions
1743   id-protectedItems  = %x70.72.6F.74.65.63.74.65.64.49.74.65.6D.73
1744                           ; "protectedItems"
1745   id-itemPermissions = %x69.74.65.6D.50.65.72.6D.69.73.73.69.6F.6E
1746                           %x73 ; "itemPermissions"
1747
1748   UserFirst          = "{" sp uf-userClasses ","
1749                            sp uf-userPermissions
1750                            sp "}"
1751   uf-userClasses     = id-userClasses     msp UserClasses
1752   uf-userPermissions = id-userPermissions msp UserPermissions
1753   id-userClasses     = %x75.73.65.72.43.6C.61.73.73.65.73
1754                           ; "userClasses"
1755   id-userPermissions = %x75.73.65.72.50.65.72.6D.69.73.73.69.6F.6E
1756                           %x73 ; "userPermissions"
1757
1758   ItemPermissions     = "{" [ sp ItemPermission
1759                            *( "," sp ItemPermission ) ] sp "}"
1760   ItemPermission      = "{" [ sp ip-precedence "," ]
1761                               sp ip-userClasses ","
1762                               sp ip-grantsAndDenials
1763                               sp "}"
1764   ip-precedence       = id-precedence       msp Precedence
1765   ip-userClasses      = id-userClasses      msp UserClasses
1766   ip-grantsAndDenials = id-grantsAndDenials msp GrantsAndDenials
1767   id-grantsAndDenials = %x67.72.61.6E.74.73.41.6E.64.44.65.6E.69.61
1768                            %x6C.73 ; "grantsAndDenials"
1769
1770   UserClasses  = "{"     [ sp uc-allUsers ]
1771                      [ sep sp uc-thisEntry ]
1772                      [ sep sp uc-name ]
1773                      [ sep sp uc-userGroup ]
1774                      [ sep sp uc-subtree ]
1775                            sp "}"
1776   uc-allUsers  = id-allUsers  msp NULL
1777   uc-thisEntry = id-thisEntry msp NULL
1778   uc-name      = id-name      msp NameAndOptionalUIDs
1779   uc-userGroup = id-userGroup msp NameAndOptionalUIDs
1780   uc-subtree   = id-subtree   msp SubtreeSpecifications
1781   id-allUsers  = %x61.6C.6C.55.73.65.72.73    ; "allUsers"
1782   id-thisEntry = %x74.68.69.73.45.6E.74.72.79 ; "thisEntry"
1783   id-name      = %x6E.61.6D.65                ; "name"
1784   id-userGroup = %x75.73.65.72.47.72.6F.75.70 ; "userGroup"
1785   id-subtree   = %x73.75.62.74.72.65.65       ; "subtree"
1786
1794   NameAndOptionalUIDs = "{" sp NameAndOptionalUID
1795                            *( "," sp NameAndOptionalUID ) sp "}"
1796   NameAndOptionalUID  = "{"      sp nu-dn
1797                            [ "," sp nu-uid ]
1798                                  sp "}"
1799   nu-dn               = id-dn  msp DistinguishedName
1800   nu-uid              = id-uid msp UniqueIdentifier
1801   UniqueIdentifier    = BIT-STRING
1802   id-dn               = %x64.6E    ; "dn"
1803   id-uid              = %x75.69.64 ; "uid"
1804
1805   SubtreeSpecifications = "{" sp SubtreeSpecification
1806                              *( "," sp SubtreeSpecification ) sp "}"
1807
1808   UserPermissions     = "{" [ sp UserPermission
1809                            *( "," sp UserPermission ) ] sp "}"
1810   UserPermission      = "{" [ sp up-precedence "," ]
1811                               sp up-protectedItems ","
1812                               sp up-grantsAndDenials
1813                               sp "}"
1814   up-precedence       = id-precedence       msp Precedence
1815   up-protectedItems   = id-protectedItems   msp ProtectedItems
1816   up-grantsAndDenials = id-grantsAndDenials msp GrantsAndDenials
1817
1818   ProtectedItems = "{"     [ sp pi-entry ]
1819                        [ sep sp pi-allUserAttributeTypes ]
1820                        [ sep sp pi-attributeType ]
1821                        [ sep sp pi-allAttributeValues ]
1822                        [ sep sp pi-allUserTypesAndValues ]
1823                        [ sep sp pi-attributeValue ]
1824                        [ sep sp pi-selfValue ]
1825                        [ sep sp pi-rangeOfValues ]
1826                        [ sep sp pi-maxValueCount ]
1827                        [ sep sp pi-maxImmSub ]
1828                        [ sep sp pi-restrictedBy ]
1829                        ; contexts omitted
1830                        [ sep sp pi-classes ]
1831                              sp "}"
1832
1833   pi-entry                 = id-entry msp NULL
1834   pi-allUserAttributeTypes = id-allUserAttributeTypes msp NULL
1835   pi-attributeType         = id-attributeType msp AttributeTypes
1836   pi-allAttributeValues    = id-allAttributeValues msp
1837                                 AttributeTypes
1838   pi-allUserTypesAndValues = id-allUserAttributeTypesAndValues msp
1839                                 NULL
1840   pi-attributeValue        = id-attributeValue msp
1841                                 AttributeTypeAndValues
1850   pi-selfValue             = id-selfValue msp AttributeTypes
1851   pi-rangeOfValues         = id-rangeOfValues msp Filter
1852   pi-maxValueCount         = id-maxValueCount msp MaxValueCounts
1853   pi-maxImmSub             = id-maxImmSub msp INTEGER
1854   pi-restrictedBy          = id-restrictedBy msp RestrictedValues
1855   pi-classes               = id-classes msp Refinement
1856   id-entry                 = %x65.6E.74.72.79 ; "entry"
1857   id-allUserAttributeTypes = %x61.6C.6C.55.73.65.72.41.74.74.72.69
1858                                 %x62.75.74.65.54.79.70.65.73
1859                                 ; "allUserAttributeTypes"
1860   id-attributeType         = %x61.74.74.72.69.62.75.74.65.54.79.70
1861                                 %x65 ; "attributeType"
1862   id-allAttributeValues    = %x61.6C.6C.41.74.74.72.69.62.75.74.65
1863                                 %x56.61.6C.75.65.73
1864                                 ; "allAttributeValues"
1865   id-attributeValue        = %x61.74.74.72.69.62.75.74.65.56.61.6C
1866                                 %x75.65 ; "attributeValue"
1867   id-selfValue             = %x73.65.6C.66.56.61.6C.75.65
1868                                 ; "selfValue"
1869   id-rangeOfValues         = %x72.61.6E.67.65.4F.66.56.61.6C.75.65
1870                                 %x73 ; "rangeOfValues"
1871   id-maxValueCount         = %x6D.61.78.56.61.6C.75.65.43.6F.75.6E
1872                                 %x74 ; "maxValueCount"
1873   id-maxImmSub             = %x6D.61.78.49.6D.6D.53.75.62
1874                                 ; "maxImmSub"
1875   id-restrictedBy          = %x72.65.73.74.72.69.63.74.65.64.42.79
1876                                 ; "restrictedBy"
1877   id-classes               = %x63.6C.61.73.73.65.73 ; "classes"
1878
1879   id-allUserAttributeTypesAndValues = %x61.6C.6C.55.73.65.72.41.74
1880                              %x74.72.69.62.75.74.65.54.79.70.65.73
1881                              %x41.6E.64.56.61.6C.75.65.73
1882                              ; "allUserAttributeTypesAndValues"
1883
1884   AttributeTypes = "{" sp AttributeType
1885                       *( "," sp AttributeType ) sp "}"
1886
1887   AttributeTypeAndValues = "{" sp AttributeTypeAndValue
1888                               *( "," sp AttributeTypeAndValue )
1889                               sp "}"
1890
1891   AttributeTypeAndValue = "{" sp atav-type ","
1892                               sp atav-value
1893                               sp "}"
1894   atav-type  = id-type  msp AttributeType
1895   atav-value = id-value msp Value
1896   id-type    = %x74.79.70.65    ; "type"
1897   id-value   = %x76.61.6C.75.65 ; "value"
1898
1906   MaxValueCounts = "{" sp MaxValueCount
1907                       *( "," sp MaxValueCount ) sp "}"
1908   MaxValueCount  = "{" sp mvc-type ","
1909                        sp mvc-maxCount
1910                        sp "}"
1911   mvc-type       = id-type msp AttributeType
1912   mvc-maxCount   = id-maxCount msp INTEGER
1913   id-maxCount    = %x6D.61.78.43.6F.75.6E.74 ; "maxCount"
1914
1915   RestrictedValues = "{" sp RestrictedValue
1916                         *( "," sp RestrictedValue ) sp "}"
1917   RestrictedValue  = "{" sp rv-type ","
1918                          sp rv-valuesin
1919                          sp "}"
1920   rv-type          = id-type     msp AttributeType
1921   rv-valuesin      = id-valuesin msp AttributeType
1922   id-valuesin      = %x76.61.6C.75.65.73.69.6E ; "valuesin"
1923
1924   GrantsAndDenials = "{" [ sp grantOrDeny
1925                         *( "," sp grantOrDeny ) ] sp "}"
1926   grantOrDeny = id-grantAdd
1927                 / id-denyAdd
1928                 / id-grantDiscloseOnError
1929                 / id-denyDiscloseOnError
1930                 / id-grantRead
1931                 / id-denyRead
1932                 / id-grantRemove
1933                 / id-denyRemove
1934                 / id-grantBrowse
1935                 / id-denyBrowse
1936                 / id-grantExport
1937                 / id-denyExport
1938                 / id-grantImport
1939                 / id-denyImport
1940                 / id-grantModify
1941                 / id-denyModify
1942                 / id-grantRename
1943                 / id-denyRename
1944                 / id-grantReturnDN
1945                 / id-denyReturnDN
1946                 / id-grantCompare
1947                 / id-denyCompare
1948                 / id-grantFilterMatch
1949                 / id-denyFilterMatch
1950                 ; grantInvoke omitted
1951                 ; denyInvoke omitted
1952
1953   id-grantAdd     = %x67.72.61.6E.74.41.64.64 ; "grantAdd"
1962   id-denyAdd      = %x64.65.6E.79.41.64.64 ; "denyAdd"
1963   id-grantBrowse  = %x67.72.61.6E.74.42.72.6F.77.73.65
1964                        ; "grantBrowse"
1965   id-denyBrowse   = %x64.65.6E.79.42.72.6F.77.73.65 ; "denyBrowse"
1966   id-grantCompare = %x67.72.61.6E.74.43.6F.6D.70.61.72.65
1967                        ; "grantCompare"
1968   id-denyCompare  = %x64.65.6E.79.43.6F.6D.70.61.72.65
1969                        ; "denyCompare"
1970
1971   id-grantDiscloseOnError = %x67.72.61.6E.74.44.69.73.63.6C.6F.73.65
1972                                %x4F.6E.45.72.72.6F.72
1973                                ; "grantDiscloseOnError"
1974   id-denyDiscloseOnError  = %x64.65.6E.79.44.69.73.63.6C.6F.73.65.4F
1975                                %x6E.45.72.72.6F.72
1976                                ; "denyDiscloseOnError"
1977
1978   id-grantExport      = %x67.72.61.6E.74.45.78.70.6F.72.74
1979                            ; "grantExport"
1980   id-denyExport       = %x64.65.6E.79.45.78.70.6F.72.74
1981                            ; "denyExport"
1982   id-grantFilterMatch = %x67.72.61.6E.74.46.69.6C.74.65.72.4D.61.74
1983                            %x63.68 ; "grantFilterMatch"
1984   id-denyFilterMatch  = %x64.65.6E.79.46.69.6C.74.65.72.4D.61.74.63
1985                            %x68 ; "denyFilterMatch"
1986   id-grantImport      = %x67.72.61.6E.74.49.6D.70.6F.72.74
1987                            ; "grantImport"
1988   id-denyImport       = %x64.65.6E.79.49.6D.70.6F.72.74
1989                            ; "denyImport"
1990   id-grantModify      = %x67.72.61.6E.74.4D.6F.64.69.66.79
1991                            ; "grantModify"
1992   id-denyModify       = %x64.65.6E.79.4D.6F.64.69.66.79
1993                            ; "denyModify"
1994   id-grantRead        = %x67.72.61.6E.74.52.65.61.64 ; "grantRead"
1995   id-denyRead         = %x64.65.6E.79.52.65.61.64 ; "denyRead"
1996   id-grantRemove      = %x67.72.61.6E.74.52.65.6D.6F.76.65
1997                            ; "grantRemove"
1998   id-denyRemove       = %x64.65.6E.79.52.65.6D.6F.76.65
1999                            ; "denyRemove"
2000   id-grantRename      = %x67.72.61.6E.74.52.65.6E.61.6D.65
2001                            ; "grantRename"
2002   id-denyRename       = %x64.65.6E.79.52.65.6E.61.6D.65
2003                            ; "denyRename"
2004   id-grantReturnDN    = %x67.72.61.6E.74.52.65.74.75.72.6E.44.4E
2005                            ; "grantReturnDN"
2006   id-denyReturnDN     = %x64.65.6E.79.52.65.74.75.72.6E.44.4E
2007                            ; "denyReturnDN"
2008
2009   The <sp>, <msp>, <sep>, <AttributeType>, <BIT-STRING>, <BOOLEAN>,
2018   <DirectoryString>, <DistinguishedName>, <EXTERNAL>, <INTEGER>,
2019   <INTEGER-0-MAX> and <NULL> rules are described in [GCE].
2020
2021   The <SubtreeSpecification> and <Refinement> rules are described in
2022   [SUBENTRY].
2023
2024   The <Value> rule is described in [GSER].
2025
2026   Filter      = filter-item / filter-and / filter-or / filter-not
2027   filter-item = id-item ":" FilterItem
2028   filter-and  = id-and  ":" SetOfFilter
2029   filter-or   = id-or   ":" SetOfFilter
2030   filter-not  = id-not  ":" Filter
2031   id-and      = %x61.6E.64    ; "and"
2032   id-item     = %x69.74.65.6D ; "item"
2033   id-not      = %x6E.6F.74    ; "not"
2034   id-or       = %x6F.72       ; "or"
2035
2036   SetOfFilter = "{" [ sp Filter *( "," sp Filter ) ] sp "}"
2037
2038   FilterItem = fi-equality
2039                / fi-substrings
2040                / fi-greaterOrEqual
2041                / fi-lessOrEqual
2042                / fi-present
2043                / fi-approximateMatch
2044                / fi-extensibleMatch
2045                ; contextPresent omitted
2046
2047   fi-equality         = id-equality ":" AttributeValueAssertion
2048   fi-substrings       = id-substrings ":" SubstringsAssertion
2049   fi-greaterOrEqual   = id-greaterOrEqual ":"
2050                            AttributeValueAssertion
2051   fi-lessOrEqual      = id-lessOrEqual ":" AttributeValueAssertion
2052   fi-present          = id-present ":" AttributeType
2053   fi-approximateMatch = id-approximateMatch ":"
2054                            AttributeValueAssertion
2055   fi-extensibleMatch  = id-extensibleMatch ":" MatchingRuleAssertion
2056   id-equality         = %x65.71.75.61.6C.69.74.79 ; "equality"
2057   id-substrings       = %x73.75.62.73.74.72.69.6E.67.73
2058                            ; "substrings"
2059   id-greaterOrEqual   = %x67.72.65.61.74.65.72.4F.72.45.71.75.61.6C
2060                            ; "greaterOrEqual"
2061   id-lessOrEqual      = %x6C.65.73.73.4F.72.45.71.75.61.6C
2062                            ; "lessOrEqual"
2063   id-present          = %x70.72.65.73.65.6E.74 ; "present"
2064   id-approximateMatch = %x61.70.70.72.6F.78.69.6D.61.74.65.4D.61.74
2065                            %x63.68 ; "approximateMatch"
2074   id-extensibleMatch  = %x65.78.74.65.6E.73.69.62.6C.65.4D.61.74.63
2075                            %x68 ; "extensibleMatch"
2076
2077   AttributeValueAssertion = "{" sp ava-type ","
2078                                 sp ava-assertion
2079                                 ; assertedContexts omitted
2080                                 sp "}"
2081
2082   ava-type      = id-type      msp AttributeType
2083   ava-assertion = id-assertion msp Value
2084   id-assertion  = %x61.73.73.65.72.74.69.6F.6E ; "assertion"
2085
2086   SubstringsAssertion = "{" sp sa-type ","
2087                             sp sa-strings
2088                             sp "}"
2089
2090   sa-type    = id-type    msp AttributeType
2091   sa-strings = id-strings msp Substrings
2092   id-strings = %x73.74.72.69.6E.67.73 ; "strings"
2093
2094   Substrings = "{" [ sp Substring *( "," sp Substring ) ] sp "}"
2095   Substring  = ss-initial
2096                / ss-any
2097                / ss-final
2098                ; control omitted
2099   ss-initial = id-initial ":" Value
2100   ss-any     = id-any     ":" Value
2101   ss-final   = id-final   ":" Value
2102   id-initial = %x69.6E.69.74.69.61.6C ; "initial"
2103   id-any     = %x61.6E.79             ; "any"
2104   id-final   = %x66.69.6E.61.6C       ; "final"
2105
2106   MatchingRuleAssertion = "{"      sp mra-matchingRule
2107                              [ "," sp mra-type ]
2108                                "," sp mra-matchValue
2109                              [ "," sp mra-dnAttributes ]
2110                                    sp "}"
2111
2112   mra-matchingRule = id-matchingRule msp MatchingRuleIds
2113   mra-type         = id-type         msp AttributeType
2114   mra-matchValue   = id-matchValue   msp Value
2115   mra-dnAttributes = id-dnAttributes msp BOOLEAN
2116   id-matchingRule  = %x6D.61.74.63.68.69.6E.67.52.75.6C.65
2117                         ; "matchingRule"
2118   id-matchValue    = %x6D.61.74.63.68.56.61.6C.75.65 ; "matchValue"
   id-dnAttributes  = %x64.6E.41.74.74.72.69.62.75.74.65.73
                         ; "dnAttributes"

   MatchingRuleIds = "{" sp MatchingRuleId
                         *( "," sp MatchingRuleId ) sp "}"
2131   MatchingRuleId  = OBJECT-IDENTIFIER
2132
2133   The <OBJECT-IDENTIFIER> rule is described in [GCE].
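   The following is an added example, not code from this draft or from any
   directory implementation: a tokenizer and recursive-descent parser that
   reads a GSER-encoded Filter according to the productions above and
   returns a nested tuple structure. It assumes, beyond what this page
   states, that the Filter alternatives are written with the id-item,
   id-and, id-or and id-not identifiers each followed by ":", that <Value>
   is a GSER double-quoted string in which "" encodes one quote, and that
   <AttributeType> and <MatchingRuleId> are descriptors or dotted-decimal
   OIDs. The <sp>/<msp> distinction is enforced: the parser rejects a
   SEQUENCE component whose value is not separated from its name by
   whitespace.

```python
# Added example, not the draft's code nor any LDAP server's: a tokenizer and a
# recursive-descent parser for the GSER Filter grammar above. Assumptions not
# stated on this page: the Filter CHOICE is spelled "item:", "and:", "or:", "not:"
# (the id-* identifiers); <Value> is a GSER double-quoted string in which ""
# encodes one quote; <AttributeType> and <MatchingRuleId> are descriptors or OIDs.
import re

_TOKEN = re.compile(r'(\s+)|("(?:[^"]|"")*")|([A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)|([{}:,])')
_ITEMS = ("equality", "substrings", "greaterOrEqual", "lessOrEqual", "present",
          "approximateMatch", "extensibleMatch")

def _tokenize(text):                   # -> [(kind, text, preceded_by_space), ...]
    toks, i, space = [], 0, False
    while i < len(text):
        m = _TOKEN.match(text, i)
        if not m:
            raise ValueError("bad character at offset %d" % i)
        i = m.end()
        if m.group(1):                 # whitespace is not a token; it sets <msp>
            space = True
            continue
        kind = "str" if m.group(2) else "id" if m.group(3) else m.group(4)
        toks.append((kind, m.group(0), space))
        space = False
    return toks

class GserFilterParser:
    def __init__(self, text):
        self.t, self.i = _tokenize(text), 0

    def _next(self, kind, msp=False):  # consume one token of the given kind
        if self.i >= len(self.t) or self.t[self.i][0] != kind:
            raise ValueError("expected %s at token %d" % (kind, self.i))
        if msp and not self.t[self.i][2]:
            raise ValueError("<msp> required before token %d" % self.i)
        self.i += 1
        return self.t[self.i - 1][1]

    def _ident(self, msp=False):       # AttributeType, MatchingRuleId or BOOLEAN
        return self._next("id", msp)

    def _value(self, msp=False):       # GSER string: strip quotes, unescape ""
        return self._next("str", msp)[1:-1].replace('""', '"')

    def _set(self, reader, msp=False): # "{" [ sp X *( "," sp X ) ] sp "}"
        self._next("{", msp)
        items = []
        while self.i < len(self.t) and self.t[self.i][0] != "}":
            if items:
                self._next(",")
            items.append(reader())
        self._next("}")
        return items

    def _fields(self, spec):           # SEQUENCE: "{" sp name msp value ... sp "}"
        def field():
            name = self._ident()
            if name not in spec:
                raise ValueError("unexpected field %r" % name)
            return name, spec[name](msp=True)
        return dict(self._set(field))

    def _choice(self, names):          # CHOICE: identifier ":" alternative
        tag = self._ident()
        if tag not in names:
            raise ValueError("unknown alternative %r" % tag)
        self._next(":")
        return tag

    def filter(self):
        kind = self._choice(("item", "and", "or", "not"))
        if kind == "not":
            return ("not", self.filter())
        if kind != "item":             # and / or carry a SetOfFilter
            return (kind, self._set(self.filter))
        kind = self._choice(_ITEMS)
        if kind == "present":          # fi-present = id-present ":" AttributeType
            return (kind, self._ident())
        if kind == "substrings":       # sa-strings is a SET OF Substring CHOICE
            sub = lambda: (self._choice(("initial", "any", "final")), self._value())
            f = self._fields({"type": self._ident,
                              "strings": lambda msp: self._set(sub, msp)})
            return (kind, f["type"], f["strings"])
        if kind == "extensibleMatch":  # MatchingRuleAssertion; type/dnAttributes optional
            return (kind, self._fields({"matchingRule": lambda msp: self._set(self._ident, msp),
                                        "type": self._ident, "matchValue": self._value,
                                        "dnAttributes": self._ident}))
        f = self._fields({"type": self._ident, "assertion": self._value})
        return (kind, f["type"], f["assertion"])

def parse_filter(text):
    p = GserFilterParser(text)
    node = p.filter()
    if p.i != len(p.t):
        raise ValueError("trailing data at token %d" % p.i)
    return node

# Constructed sample (not from the draft) exercising and / not / item alternatives.
SAMPLE = ('and:{ item:equality:{ type objectClass, assertion "person" },'
          ' not:item:substrings:{ type cn, strings { initial:"J", any:"oh" } } }')
```

   parse_filter(SAMPLE) yields ("and", [("equality", "objectClass",
   "person"), ("not", ("substrings", "cn", [("initial", "J"), ("any",
   "oh")]))]). A ValueError is raised for an unknown CHOICE alternative
   (including the omitted contextPresent), a missing <msp>, or trailing
   data. Note that <Value> is read here only as a string; the GSER encoding
   of a real attribute value depends on the attribute's syntax, so a
   production parser would dispatch on the schema instead.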
2134
2135Normative References
2136
2137   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
2138              Requirement Levels", BCP 14, RFC 2119, March 1997.
2139
2140   [RFC2251]  Wahl, M., Howes, T. and S. Kille, "Lightweight Directory
2141              Access Protocol (v3)", RFC 2251, December 1997.
2142
2143   [RFC2252]  Wahl, M., Coulbeck, A., Howes, T. and S. Kille,
2144              "Lightweight Directory Access Protocol (v3): Attribute
2145              Syntax Definitions", RFC 2252, December 1997.
2146
2147   [RFC2256]  Wahl, M., "A Summary of the X.500(96) User Schema for use
2148              with LDAPv3", RFC 2256, December 1997.
2149
2150   [RFC3377]  Hodges, J. and R. Morgan, "Lightweight Directory Access
2151              Protocol (v3): Technical Specification", RFC 3377,
2152              September 2002.
2153
   [BCP64]    Zeilenga, K., "Internet Assigned Numbers
              Authority (IANA) Considerations for the Lightweight
              Directory Access Protocol (LDAP)", BCP 64, RFC 3383,
              September 2002.
2158
2159   [GSER]     Legg, S., "Generic String Encoding Rules for ASN.1 Types",
2160              RFC 3641, October 2003.
2161
2162   [COLLECT]  Zeilenga, K., "Collective Attributes in the Lightweight
2163              Directory Access Protocol (LDAP)", RFC 3671, December
2164              2003.
2165
2166   [SUBENTRY] Zeilenga, K. and S. Legg, "Subentries in the Lightweight
2167              Directory Access Protocol (LDAP)", RFC 3672, December
2168              2003.
2169
2170   [SCHEMA]   Zeilenga, K., "Lightweight Directory Access Protocol
2171              (LDAP): Additional Matching Rules", RFC 3698, February
2172              2004.
2173
   [ADMIN]    Legg, S., "Lightweight Directory Access Protocol (LDAP):
              Directory Administrative Model",
              draft-legg-ldap-admin-xx.txt, a work in progress, June
              2004.

2186   [ACA]      Legg, S., "Lightweight Directory Access Protocol (LDAP):
2187              Access Control Administration",
2188              draft-legg-ldap-acm-admin-xx.txt, a work in progress, June
2189              2004.
2190
2191   [FILTER]   Zeilenga, K., "LDAP Absolute True and False Filters",
2192              draft-zeilenga-ldap-t-f-xx.txt, a work in progress,
2193              February 2004.
2194
2195   [ASN1]     ITU-T Recommendation X.680 (07/02) | ISO/IEC 8824-1,
2196              Information technology - Abstract Syntax Notation One
2197              (ASN.1): Specification of basic notation
2198
2199Informative References
2200
2201   [RFC2234]  Crocker, D. and P. Overell, "Augmented BNF for Syntax
2202              Specifications: ABNF", RFC 2234, November 1997.
2203
2204   [GCE]      Legg, S., "Common Elements of Generic String Encoding
2205              Rules (GSER) Encodings", RFC 3642, October 2003.
2206
2207   [X501]     ITU-T Recommendation X.501 (02/01) | ISO/IEC 9594-2:2001,
2208              Information technology - Open Systems Interconnection -
2209              The Directory: Models
2210
2211   [X511]     ITU-T Recommendation X.511 (02/01) | ISO/IEC 9594-3:2001,
2212              Information technology - Open Systems Interconnection -
2213              The Directory: Abstract service definition
2214
2215Author's Address
2216
2217   Steven Legg
2218   Adacel Technologies Ltd.
2219   250 Bay Street
2220   Brighton, Victoria 3186
2221   AUSTRALIA
2222
2223   Phone: +61 3 8530 7710
2224     Fax: +61 3 8530 7888
2225   EMail: steven.legg@adacel.com.au
2226
2227Full Copyright Statement
2228
2229   Copyright (C) The Internet Society (2004).  This document is subject
2230   to the rights, licenses and restrictions contained in BCP 78, and
2231   except as set forth therein, the authors retain all their rights.
2232
   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
2243   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
2244   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
2245   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
2246   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
2247   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
2248
2249Intellectual Property
2250
2251   The IETF takes no position regarding the validity or scope of any
2252   Intellectual Property Rights or other rights that might be claimed to
2253   pertain to the implementation or use of the technology described in
2254   this document or the extent to which any license under such rights
2255   might or might not be available; nor does it represent that it has
2256   made any independent effort to identify any such rights.  Information
2257   on the procedures with respect to rights in RFC documents can be
2258   found in BCP 78 and BCP 79.
2259
2260   Copies of IPR disclosures made to the IETF Secretariat and any
2261   assurances of licenses to be made available, or the result of an
2262   attempt made to obtain a general license or permission for the use of
2263   such proprietary rights by implementers or users of this
2264   specification can be obtained from the IETF on-line IPR repository at
2265   http://www.ietf.org/ipr.
2266
2267   The IETF invites any interested party to bring to its attention any
2268   copyrights, patents or patent applications, or other proprietary
2269   rights that may cover technology that may be required to implement
2270   this standard.  Please address the information to the IETF at
2271   ietf-ipr@ietf.org.
2272
2273Changes in Draft 01
2274
2275   The Internet draft draft-legg-ldap-acm-admin-00.txt has been split
2276   into two drafts, draft-legg-ldap-admin-00.txt and
2277   draft-legg-ldap-acm-admin-01.txt.  Section 8 of
2278   draft-legg-ldapext-component-matching-06.txt has been extracted to
2279   become a separate Internet draft, draft-legg-ldap-gser-xx.txt.  The
2280   references in this document have been updated accordingly.
2281
2282   The term "native LDAP encoding" has been replaced by the term
2283   "LDAP-specific encoding" to align with terminology anticipated to be
2284   used in the revision of RFC 2252.
2285
2286   Changes have been made to the Search Operation Decision Points
2287   (Section 3.4.3):
2288
   In 4) a), the assumed FilterMatch permission for a present match of
   the objectClass attribute has been removed. An LDAP search with a
2299   True filter [FILTER] is the best analogue of the DAP read operation.
2300   A True filter does not filter any attribute type and therefore does
2301   not require FilterMatch permissions to succeed.
2302
2303   In 5) b) and c), there is an additional requirement for Read
2304   permission for at least one attribute value before an attribute type
2305   can be returned in a search result.  Without this change a search
2306   result could, in some circumstances, disclose the existence of
2307   particular hidden attribute values.
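   The following is an added example, not code from this draft: a small
   model of the search-result step just described, applied with and
   without the additional Read-permission requirement of 5) b) and c).
   It assumes, beyond what this page states, that the requestor's
   permissions can be represented as a set of attribute types with Read
   permission and a set of (type, value) pairs with Read permission, and
   that the entry itself has already been disclosed to the requestor.

```python
# Added example, not the draft's code: a model of the search-result step
# discussed above, comparing attribute-type disclosure with and without the
# Draft 01 requirement of Read permission on at least one attribute value.
# Assumptions not stated on this page: permissions are modelled as a set of
# readable attribute types and a set of readable (type, value) pairs, and the
# entry itself is taken as already disclosed to the requestor.

def visible_attributes(entry, readable_types, readable_values, require_value):
    """Return {type: [values]} to include in the search result for one entry.

    entry            -- {attributeType: [value, ...]} (constructed sample below)
    readable_types   -- attribute types the requestor has Read permission for
    readable_values  -- (type, value) pairs the requestor has Read permission for
    require_value    -- apply the Draft 01 rule from 5) b) and c)
    """
    result = {}
    for attr_type, values in entry.items():
        if attr_type not in readable_types:
            continue                       # no Read on the type: nothing returned
        shown = [v for v in values if (attr_type, v) in readable_values]
        if shown or not require_value:
            # Without the rule an attribute with no readable value is still
            # returned (as an empty attribute), disclosing that hidden values exist.
            result[attr_type] = shown
    return result


def disclosed_types(entry, readable_types, readable_values):
    """Attribute types the old rule would reveal but the Draft 01 rule hides."""
    old = visible_attributes(entry, readable_types, readable_values, False)
    new = visible_attributes(entry, readable_types, readable_values, True)
    return sorted(set(old) - set(new))


# Constructed sample: the requestor may read the 'secretProject' type but none
# of its values, and may read one of the two 'telephoneNumber' values.
SAMPLE_ENTRY = {"cn": ["Jane Doe"],
                "telephoneNumber": ["+00 000 0000", "+00 000 0001"],
                "secretProject": ["blue", "red"]}
SAMPLE_TYPES = {"cn", "telephoneNumber", "secretProject"}
SAMPLE_VALUES = {("cn", "Jane Doe"), ("telephoneNumber", "+00 000 0000")}
```

   With require_value=False the result contains secretProject with an
   empty value list, so the requestor learns that the entry carries hidden
   values of that attribute; with require_value=True the attribute type is
   omitted altogether, while telephoneNumber is still returned with the one
   readable value.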
2308
2309Changes in Draft 02
2310
2311   RFC 3377 replaces RFC 2251 as the reference for LDAP.
2312
2313   An IANA Considerations section has been added.
2314
2315Changes in Draft 03
2316
   The document has been reformatted in line with current practice.