INTERNET-DRAFT                                               S. Legg
draft-legg-ldap-acm-bac-03.txt                   Adacel Technologies
Intended Category: Standards Track                     June 16, 2004
Updates: RFC 2252


             Lightweight Directory Access Protocol (LDAP):
                 Basic and Simplified Access Control

     Copyright (C) The Internet Society (2004). All Rights Reserved.

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress".

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   Distribution of this document is unlimited.  Comments should be sent
   to the author.

   This Internet-Draft expires on 16 December 2004.


Abstract

   An access control scheme describes the means by which access to
   directory information and potentially to access rights themselves may
   be controlled.  This document adapts the X.500 directory Basic Access
   Control and Simplified Access Control schemes for use by the
   Lightweight Directory Access Protocol.


Legg                    Expires 16 December 2004                [Page 1]


Table of Contents

   1. Introduction
   2. Conventions
   3. Basic Access Control
      3.1. Permissions
         3.1.1. Read
         3.1.2. Compare
         3.1.3. Browse
         3.1.4. ReturnDN
         3.1.5. FilterMatch
         3.1.6. Modify
         3.1.7. Add
         3.1.8. Remove
         3.1.9. DiscloseOnError
         3.1.10. Rename
         3.1.11. Export
         3.1.12. Import
         3.1.13. Invoke
      3.2. Representation of Access Control Information
         3.2.1. Identification Tag
         3.2.2. Precedence
         3.2.3. Authentication Level
         3.2.4. itemFirst and userFirst Components
         3.2.5. Determining Group Membership
      3.3. ACI Operational Attributes
         3.3.1. Prescriptive ACI
         3.3.2. Entry ACI
         3.3.3. Subentry ACI
         3.3.4. Protecting the ACI
      3.4. Access Control Decision Points for LDAP Operations
         3.4.1. Common Elements of Procedure
            3.4.1.1. Alias Dereferencing
            3.4.1.2. Return of Names in Errors
            3.4.1.3. Non-disclosure of Entry Existence
         3.4.2. Compare Operation Decision Points
         3.4.3. Search Operation Decision Points
         3.4.4. Add Operation Decision Points
         3.4.5. Delete Operation Decision Points
         3.4.6. Modify Operation Decision Points
         3.4.7. Modify DN Operation Decision Points
      3.5. Access Control Decision Function
         3.5.1. Inputs
         3.5.2. Tuples
         3.5.3. Discarding Irrelevant Tuples
         3.5.4. Highest Precedence and Specificity
   4. Simplified Access Control
   5. Security Considerations
   6. Acknowledgements
   7. IANA Considerations
   Appendix A. LDAP Specific Encoding for the ACI Item Syntax
   Normative References
   Informative References
   Author's Address
   Full Copyright Statement


1. Introduction

   An access control scheme describes the means by which access to
   directory information and potentially to access rights themselves may
   be controlled.  Control of access to information means the prevention
   of unauthorized detection, disclosure, or modification of that
   information.  The definition of an access control scheme in the
   context of a Lightweight Directory Access Protocol (LDAP) [RFC3371]
   directory includes methods to specify Access Control Information
   (ACI), and to enforce access rights defined by that ACI.
   This document adapts the X.500 Basic Access Control and Simplified
   Access Control schemes [X501] for use in LDAP.  Both schemes conform
   to, and make use of, the access control administrative framework for
   LDAP [ACA].

   Section 3 describes the Basic Access Control scheme and defines how
   it applies to LDAP operations [RFC2251].

   Simplified Access Control is a functional subset of the Basic Access
   Control scheme.  This subset is described in Section 4.

   As a matter of security policy, an implementation supporting Basic
   Access Control or Simplified Access Control is permitted to grant or
   deny any form of access to particular attributes (e.g., password
   attributes) irrespective of access controls which may otherwise
   apply.  However, since such security policy has no standardized
   representation, it cannot be propagated in replicated information.

   This document is derived from, and duplicates substantial portions
   of, Section 8 of X.501 [X501], and selected extracts from X.511
   [X511].

2. Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in BCP 14, RFC 2119
   [RFC2119].

   Schema definitions are provided using LDAP description formats
   [RFC2252].  Note that the LDAP descriptions have been rendered with
   additional white-space and line breaks for the sake of readability.

3. Basic Access Control

   This section describes the functionality of the Basic Access Control
   scheme.

   When Basic Access Control is used, the accessControlScheme
   operational attribute [ACA] SHALL have the value basic-access-control
   (2.5.28.1).

   This LDAP profile for Basic Access Control defines, for every LDAP
   operation, one or more points at which access control decisions take
   place.  An access control decision will involve a requestor,
   protected items, and permissions.

   A requestor is the user requesting the operation.  Basic Access
   Control requires a user's authorization identity to be represented as
   a distinguished name (with an optional unique identifier).  The
   mapping of the authentication identity to an authorization identity,
   and the mapping of the authorization identity to a distinguished name
   and optional unique identifier, are outside the scope of this
   document.

   A protected item is the element of directory information being
   accessed.  The protected items are entries, attributes, attribute
   values and distinguished names.  Access to each protected item can be
   separately controlled through ACI.

   A permission is a particular right necessary to complete a portion of
   the operation.

   The Access Control Information, which is used to make access control
   decisions, associates protected items and user classes with
   permissions.  ACI is represented in the directory as values of
   operational attributes with the ACI Item syntax [RFC2252].  Each such
   value is referred to as an ACI item.

   The scope of access controls can be a single entry or a collection of
   entries that are logically related by being within the scope of an
   access control subentry of an administrative point (see [ACA]).

   The Access Control Decision Function (ACDF) (Section 3.5) is used to
   decide whether a particular requestor has a particular access right
   by virtue of applicable ACI items.

   Access to DSEs and operational attributes is controlled in the same
   way as for entries and user attributes.

   For query purposes, collective attributes [COLLECT] that are
   associated with an entry are protected precisely as if they were
   attributes actually stored in that entry.

   For the purposes of modification, collective attributes are
   associated with the subentry that holds them, not with entries within
   the scope of the subentry.  Modify-related access controls are
   therefore not relevant to collective attributes, except when they
   apply to the collective attribute and its values within the subentry.

3.1. Permissions

   Access is controlled by granting or denying permissions.  Access is
   allowed only when there is an explicitly provided grant present in
   the ACI used to make the access control decision.  The only default
   access decision provided in the model is to deny access in the
   absence of explicit ACI that grants access.  All other factors being
   equal, a denial specified in ACI always overrides a grant.

   Certain combinations of grants or denials are illogical, but it is
   the responsibility of directory clients, rather than the directory
   server, to ensure that such combinations are absent.

   The decision whether or not to permit access to an entry or its
   contents is strictly determined by the position of the entry in the
   Directory Information Tree (DIT), in terms of its distinguished name,
   and is independent of how the directory server locates that entry.

   The following sections introduce the permissions by indicating the
   intent associated with the granting of each.  The actual influence of
   a particular granted permission on access control decisions is,
   however, determined by the ACDF and the access control decision
   points for each LDAP operation, described in detail in Section 3.4.

3.1.1. Read

   If granted for an entry, Read permits the entry to be accessed using
   LDAP Compare and baseObject Search operations, but does not imply
   access to all the attributes and values.

   If granted for an attribute type, Read permits the attribute type to
   be returned as entry information in a Search result.  Read or Browse
   permission for the entry is a prerequisite.

   If granted for an attribute value, Read permits the attribute value
   to be returned as entry information in a Search result.  Read or
   Browse permission for the entry and Read permission for the attribute
   type are prerequisites.

3.1.2. Compare

   If granted for an attribute type, Compare permits the attribute type
   to be tested by the assertion in an LDAP Compare operation.  Read
   permission for the entry is a prerequisite.

   If granted for an attribute value, Compare permits the value to be
   tested by the assertion in an LDAP Compare operation.  Read
   permission for the entry and Compare permission for the attribute
   type are prerequisites.

3.1.3. Browse

   If granted for an entry, Browse permits the entry to be accessed by
   the LDAP Search operation, including baseObject searches, but does
   not imply access to all the attributes and values.

3.1.4. ReturnDN

   If granted for an entry, ReturnDN allows the distinguished name of
   the entry to be disclosed in a search result.

3.1.5. FilterMatch

   If granted for an attribute type, FilterMatch permits the attribute
   type to satisfy a Filter item.
   If granted for an attribute value, FilterMatch permits the attribute
   value to satisfy a Filter item.  FilterMatch permission for the
   attribute type is a prerequisite.

3.1.6. Modify

   If granted for an entry, Modify permits the information contained
   within an entry to be modified by the LDAP Modify operation, subject
   to controls on the attribute types and values.

3.1.7. Add

   If granted for an entry, Add permits creation of an entry in the DIT,
   subject to being able to add all specified attributes and attribute
   values.  Add permission granted for an entry is ineffective if Add
   permission is not also granted for at least the mandatory attributes
   and their values.  There is no specific "add subordinate permission".
   Permission to add an entry is controlled using prescriptive ACI.

   If granted for an attribute type, Add permits adding a new attribute,
   subject to being able to add all specified attribute values.  Add or
   Modify permission for the entry is a prerequisite.

   If granted for an attribute value, Add permits adding that value to
   an existing attribute.  Add or Modify permission for the entry is a
   prerequisite.

3.1.8. Remove

   If granted for an entry, Remove permits the entry to be removed from
   the DIT regardless of controls on attributes or attribute values
   within the entry.

   If granted for an attribute, Remove permits removing an attribute,
   subject to being able to remove any explicitly specified attribute
   values.  Remove permission for values not explicitly specified is not
   required.

   If granted for an attribute value, Remove permits the attribute value
   to be removed from an existing attribute.

3.1.9. DiscloseOnError

   If granted for an entry, DiscloseOnError permits the name of an entry
   to be disclosed in an error result.

   If granted for an attribute, DiscloseOnError permits the presence of
   the attribute to be disclosed by an error.

   If granted for an attribute value, DiscloseOnError permits the
   presence of the attribute value to be disclosed by an error.

3.1.10. Rename

   If granted for an entry, Rename permits an entry to be renamed with a
   new RDN.  No permissions are required for the attributes and values
   altered by the operation, even if they are added or removed as a
   result of the changes to the RDN.

3.1.11. Export

   If granted for an entry, Export permits the entry and its
   subordinates, if any, to be removed from the current location and
   placed in a new location, subject to the granting of Import
   permission at the destination.

   If the last RDN is changed, Rename permission at the current location
   is also required.

3.1.12. Import

   If granted for an entry, Import permits an entry and its
   subordinates, if any, to be placed at the location to which the
   permission applies, subject to the granting of Export permission at
   the source location.

3.1.13. Invoke

   Invoke, if granted for an operational attribute, or value thereof,
   permits the directory server to carry out some function associated
   with the operational attribute on behalf of the user.  The specific
   function carried out by invocation depends on the attribute.  No
   other permissions are required by the user for the operational
   attribute, or on the entry/subentry that holds it, in order for it to
   be "invoked".

3.2. Representation of Access Control Information

   Access Control Information is represented as a set of ACI items,
   where each ACI item grants or denies permissions in regard to certain
   specified users and protected items.

   An ACI item is represented as a value of an operational attribute
   with the ACI Item syntax (1.3.6.1.4.1.1466.115.121.1.1) [RFC2252].

   This document updates [RFC2252] by specifying a human-readable
   LDAP-specific encoding for ACI items.  The LDAP-specific encoding of
   values of the ACI Item syntax is defined by the Generic String
   Encoding Rules [GSER].  Appendix A provides an equivalent ABNF for
   this syntax.

   For convenience in specifying access control policies, the ACI Item
   syntax provides the means to identify collections of related items,
   such as attributes in an entry or all attribute values of a given
   attribute, and to specify a common protection for them.

   The ACI Item syntax corresponds to the ACIItem ASN.1 [ASN1] type
   defined in X.501 [X501].
   It is reproduced here for convenience:

   ACIItem ::= SEQUENCE {
       identificationTag    DirectoryString { ub-tag },
       precedence           Precedence,
       authenticationLevel  AuthenticationLevel,
       itemOrUserFirst      CHOICE {
           itemFirst  [0] SEQUENCE {
               protectedItems   ProtectedItems,
               itemPermissions  SET OF ItemPermission },
           userFirst  [1] SEQUENCE {
               userClasses      UserClasses,
               userPermissions  SET OF UserPermission } } }

   Precedence ::= INTEGER (0..255)

   ProtectedItems ::= SEQUENCE {
       entry                           [0]  NULL OPTIONAL,
       allUserAttributeTypes           [1]  NULL OPTIONAL,
       attributeType                   [2]  SET SIZE (1..MAX) OF
                                                AttributeType OPTIONAL,
       allAttributeValues              [3]  SET SIZE (1..MAX) OF
                                                AttributeType OPTIONAL,
       allUserAttributeTypesAndValues  [4]  NULL OPTIONAL,
       attributeValue                  [5]  SET SIZE (1..MAX) OF
                                                AttributeTypeAndValue OPTIONAL,
       selfValue                       [6]  SET SIZE (1..MAX) OF
                                                AttributeType OPTIONAL,
       rangeOfValues                   [7]  Filter OPTIONAL,
       maxValueCount                   [8]  SET SIZE (1..MAX) OF
                                                MaxValueCount OPTIONAL,
       maxImmSub                       [9]  INTEGER OPTIONAL,
       restrictedBy                    [10] SET SIZE (1..MAX) OF
                                                RestrictedValue OPTIONAL,
       contexts                        [11] SET SIZE (1..MAX) OF
                                                ContextAssertion OPTIONAL,
       classes                         [12] Refinement OPTIONAL }

   MaxValueCount ::= SEQUENCE {
       type      AttributeType,
       maxCount  INTEGER }

   RestrictedValue ::= SEQUENCE {
       type      AttributeType,
       valuesIn  AttributeType }

   UserClasses ::= SEQUENCE {
       allUsers   [0] NULL OPTIONAL,
       thisEntry  [1] NULL OPTIONAL,
       name       [2] SET SIZE (1..MAX) OF NameAndOptionalUID OPTIONAL,
       userGroup  [3] SET SIZE (1..MAX) OF NameAndOptionalUID OPTIONAL,
                      -- dn component shall be the name of an
                      -- entry of GroupOfUniqueNames
       subtree    [4] SET SIZE (1..MAX) OF
                          SubtreeSpecification OPTIONAL }

   NameAndOptionalUID ::= SEQUENCE {
       dn   DistinguishedName,
       uid  UniqueIdentifier OPTIONAL }

   UniqueIdentifier ::= BIT STRING

   ItemPermission ::= SEQUENCE {
       precedence        Precedence OPTIONAL,
                         -- defaults to precedence in ACIItem
       userClasses       UserClasses,
       grantsAndDenials  GrantsAndDenials }

   UserPermission ::= SEQUENCE {
       precedence        Precedence OPTIONAL,
                         -- defaults to precedence in ACIItem
       protectedItems    ProtectedItems,
       grantsAndDenials  GrantsAndDenials }

   AuthenticationLevel ::= CHOICE {
       basicLevels  SEQUENCE {
           level           ENUMERATED { none(0), simple(1), strong(2) },
           localQualifier  INTEGER OPTIONAL,
           signed          BOOLEAN DEFAULT FALSE },
       other        EXTERNAL }

   GrantsAndDenials ::= BIT STRING {
       -- permissions that may be used in conjunction
       -- with any component of ProtectedItems
       grantAdd              (0),
       denyAdd               (1),
       grantDiscloseOnError  (2),
       denyDiscloseOnError   (3),
       grantRead             (4),
       denyRead              (5),
       grantRemove           (6),
       denyRemove            (7),
       -- permissions that may be used only in conjunction
       -- with the entry component
       grantBrowse           (8),
       denyBrowse            (9),
       grantExport           (10),
       denyExport            (11),
       grantImport           (12),
       denyImport            (13),
       grantModify           (14),
       denyModify            (15),
       grantRename           (16),
       denyRename            (17),
       grantReturnDN         (18),
       denyReturnDN          (19),
       -- permissions that may be used in conjunction
       -- with any component, except entry, of ProtectedItems
       grantCompare          (20),
       denyCompare           (21),
       grantFilterMatch      (22),
       denyFilterMatch       (23),
       grantInvoke           (24),
       denyInvoke            (25) }

   AttributeTypeAndValue ::= SEQUENCE {
       type   ATTRIBUTE.&id ({SupportedAttributes}),
       value  ATTRIBUTE.&Type ({SupportedAttributes}{@type}) }

   The SubtreeSpecification and Refinement ASN.1 types are defined in
   X.501 [X501], and separately described for LDAP [SUBENTRY].

   The following sections describe the components of ACIItem.

3.2.1. Identification Tag

   identificationTag is used to identify a particular ACI item.  This is
   used to discriminate among individual ACI items for the purposes of
   protection and administration.

3.2.2. Precedence

   Precedence is used to control the relative order in which ACI items
   are considered during the course of making an access control decision
   using the ACDF.  ACI items having higher precedence values prevail
   over others with lower precedence values, other factors being equal.
   Precedence values are integers and are compared as such.

3.2.3. Authentication Level

   AuthenticationLevel defines the minimum requestor authentication
   level required for this ACI item.  It has two forms:

   1) basicLevels: which indicates the level of authentication,
      optionally qualified by a positive or negative integer
      localQualifier.

   2) other: an externally defined measure.

   When basicLevels is used, an AuthenticationLevel consisting of a
   level and optional localQualifier SHALL be assigned to the requestor
   by the directory server according to local policy.  For a requestor's
   authentication level to meet or exceed the minimum requirement, the
   requestor's level must meet or exceed that specified in the ACI item,
   and in addition the requestor's localQualifier must be arithmetically
   greater than or equal to that of the ACI item.
Strong authentication 622 of the requestor is considered to exceed a requirement for simple or 623 no authentication, and simple authentication exceeds a requirement 624 for no authentication. For access control purposes, the "simple" 625 authentication level requires at least a password; the case of 626 identification only, with no password supplied, is considered "none". 627 If a localQualifier is not specified in the ACI item, then the 628 requestor need not have a corresponding value (if such a value is 629 present it is ignored). 630 631 The signed component of basicLevels is ignored for LDAP. 632 633 When other is used, an appropriate AuthenticationLevel shall be 634 assigned to the requestor by the directory server according to local 635 policy. The form of this AuthenticationLevel and the method by which 636 it is compared with the AuthenticationLevel in the ACI is a local 637 matter. 638 639 An authentication level associated with an explicit grant indicates 640 the minimum level to which a requestor shall be authenticated in 641 order to be granted access. 642 643 An authentication level associated with an explicit deny indicates 644 the minimum level to which a requestor shall be authenticated in 645 order not to be denied access. For example, an ACI item that denies 646 access to a particular user class and requires strong authentication 647 will deny access to all requestors who cannot prove, by means of a 648 strongly authenticated identity, that they are not in that user 649 class. 650 651 The directory server may base authentication level on factors other 652 than values received in protocol exchanges. 653 6543.2.4. itemFirst and userFirst Components 655 656 Each ACI item contains a choice of itemFirst or userFirst. The 657 choice allows grouping of permissions depending on whether they are 658 most conveniently grouped by user classes or by protected items. 
The 659 itemFirst and userFirst components are equivalent in the sense that 660 they capture the same access control information; however, they 661 organize that information differently. The choice between them is 662 based on administrative convenience. The subcomponents of itemFirst 663 and userFirst are described below. 664 665 a) ProtectedItems defines the items to which the specified access 666 667 668 669Legg Expires 16 December 2004 [Page 12] 670 671INTERNET-DRAFT Basic and Simplified Access Control June 16, 2004 672 673 674 controls apply. It is defined as a set selected from the 675 following: 676 677 - entry means the entry contents as a whole. It does not 678 necessarily include the information in these entries. This 679 element SHALL be ignored if the classes component is present, 680 since this latter element selects protected entries on the basis 681 of their object class. 682 683 - allUserAttributeTypes means all user attribute type information 684 associated with the entry, but not values associated with those 685 attributes. 686 687 - allUserAttributeTypesAndValues means all user attribute 688 information associated with the entry, including all values of 689 all user attributes. 690 691 The allUserAttributeTypes and allUserAttributeTypesAndValues 692 components do not include operational attributes, which MUST be 693 specified on a per attribute basis, using attributeType, 694 allAttributeValues or attributeValue. 695 696 - attributeType means attribute type information pertaining to 697 specific attributes but not values associated with the type. 698 699 - allAttributeValues means all attribute value information 700 pertaining to specific attributes. 701 702 - attributeValue means specific values of specific attribute 703 types. 704 705 - selfValue means the attribute values of the specified attribute 706 types that match the distinguished name (and unique identifier) 707 of the requestor. 
It can only apply in the specific case where 708 the attribute specified is of DN syntax 709 (1.3.6.1.4.1.1466.115.121.1.12) or Name And Optional UID syntax 710 (1.3.6.1.4.1.1466.115.121.1.34) [RFC2252]. 711 712 - rangeOfValues means any attribute value which matches the 713 specified filter, i.e., for which the specified filter evaluated 714 on that attribute value would return TRUE. The filter is not 715 evaluated on any entries in the DIB, rather it is evaluated 716 using the semantics defined in 7.8 of [X511], operating on a 717 fictitious entry that contains only the single attribute value 718 which is the protected item. Note that the filter is an X.500 719 search Filter. It has a different syntax from the LDAP search 720 Filter, but the same semantics. 721 722 723 724 725Legg Expires 16 December 2004 [Page 13] 726 727INTERNET-DRAFT Basic and Simplified Access Control June 16, 2004 728 729 730 The following items provide constraints that may disable the 731 granting of certain permissions to protected items in the same 732 value of ProtectedItems: 733 734 - maxValueCount restricts the maximum number of attribute values 735 allowed for a specified attribute type. It is examined if the 736 protected item is an attribute value of the specified type and 737 the permission sought is Add. Values of that attribute in the 738 entry are counted, without regard to attribute options and 739 access control, as though the operation which is attempting to 740 add the values is successful. If the number of values in the 741 attribute exceeds maxCount, the ACI item is treated as not 742 granting Add permission. 743 744 - maxImmSub restricts the maximum number of immediate subordinates 745 of the superior entry to an entry being added or imported. It 746 is examined if the protected item is an entry, the permission 747 sought is Add or Import, and the immediate superior entry is in 748 the same server as the entry being added or imported. 
Immediate 749 subordinates of the superior entry are counted, without regard 750 to access control, as though the entry addition or importing is 751 successful. If the number of subordinates exceeds maxImmSub, 752 the ACI item is treated as not granting Add or Import 753 permission. 754 755 - restrictedBy restricts values added to the attribute type to 756 being values that are already present in the same entry as 757 values of the attribute identified by the valuesIn component. 758 It is examined if the protected item is an attribute value of 759 the specified type and the permission sought is Add. Values of 760 the valuesIn attribute are checked, without regard to attribute 761 options and access control, as though the operation which adds 762 the values is successful. If the value to be added is not 763 present in valuesIn the ACI item is treated as not granting Add 764 permission. 765 766 - contexts is not used in this version of the LDAP profile for 767 Basic Access Control. 768 769 - classes means the contents of entries that have object class 770 values that satisfy the predicate defined by Refinement (see 771 [SUBENTRY]). 772 773 b) UserClasses defines a set of zero or more users the permissions 774 apply to. The set of users is selected from the following: 775 776 - allUsers means every directory user (with possible requirements 777 for AuthenticationLevel). 778 779 780 781Legg Expires 16 December 2004 [Page 14] 782 783INTERNET-DRAFT Basic and Simplified Access Control June 16, 2004 784 785 786 - thisEntry means the user with the same distinguished name as the 787 entry being accessed. 788 789 - name is the set of users with the specified distinguished names 790 (each with an optional unique identifier). 791 792 - userGroup is the set of users who are members of the groups 793 (i.e., groupOfNames or groupOfUniqueNames entries [RFC2256]) 794 identified by the specified distinguished names (each with an 795 optional unique identifier). 
Members of a group of unique names 796 are treated as individual user distinguished names, and not as 797 the names of other groups of unique names. How group membership 798 is determined is described in 5.2.5. 799 800 - subtree is the set of users whose distinguished names fall 801 within the scope of the unrefined subtrees (specificationFilter 802 components SHOULD NOT be used - they SHALL be ignored if 803 present). 804 805 c) SubtreeSpecification is used to specify a subtree relative to the 806 root DSE, and is not constrained by administrative areas. The 807 specificationFilter component SHOULD NOT be used. It SHALL be 808 ignored if present. 809 810 A subtree refinement is not allowed because membership in a 811 subtree whose specification includes only base and/or a 812 ChopSpecification can be evaluated in isolation, whereas 813 membership in a subtree definition using specificationFilter can 814 only be evaluated by obtaining information from the user's entry, 815 which is potentially in another directory server. Basic Access 816 Control is designed to avoid remote operations in the course of 817 making an access control decision. 818 819 d) ItemPermission contains a collection of users and their 820 permissions with respect to ProtectedItems within an itemFirst 821 specification. The permissions are specified in grantsAndDenials 822 as discussed in item f). Each of the permissions specified in 823 grantsAndDenials is considered to have the precedence level 824 specified in precedence for the purpose of the ACDF. If 825 precedence is omitted within ItemPermission, then precedence is 826 taken from the precedence specified for ACIItem. 827 828 e) UserPermission contains a collection of protected items and the 829 associated permissions with respect to userClasses within a 830 userFirst specification. The associated permissions are specified 831 in grantsAndDenials as discussed in item f). 
      Each of the permissions specified in grantsAndDenials is
      considered to have the precedence level specified in precedence
      for the purpose of the ACDF. If precedence is omitted within
      UserPermission, the precedence is taken from the precedence
      specified for ACIItem.

   f) GrantsAndDenials specify the access rights that are granted or
      denied by the ACI item.

   g) UniqueIdentifier may be used by the authentication mechanism to
      distinguish between instances of distinguished name reuse. If
      this component is present, then for a requestor's name to match
      the UserClasses of an ACIItem that grants permissions, in addition
      to the requirement that the requestor's distinguished name match
      the specified distinguished name, the authentication of the
      requestor shall yield an associated unique identifier, and that
      value shall match for equality with the specified value.

3.2.5. Determining Group Membership

   Determining whether a given requestor is a group member requires
   checking two criteria. The determination may also be constrained if
   the group definition is not known locally. The criteria for
   membership and the treatment of non-local groups are discussed below.

   a) A directory server is not required to perform a remote operation
      to determine whether the requestor belongs to a particular group
      for the purposes of Basic Access Control. If membership in the
      group cannot be evaluated, the server shall assume that the
      requestor does not belong to the group if the ACI item grants the
      permission sought, and does belong to the group if it denies the
      permission sought.

      Access control administrators should beware of basing access
      controls on membership of non-locally available groups or groups
      which are available only through replication (and which may,
      therefore, be out of date).

   b) In order to determine whether the requestor is a member of a
      userGroup user class, the following criteria apply:

      - The entry named by the userGroup specification is an instance of
        the object class groupOfNames or groupOfUniqueNames.

      - The name of the requestor is a value of the member or
        uniqueMember attribute of that entry.

      Values of the member or uniqueMember attribute that do not match
      the name of the requestor are ignored, even if they represent the
      names of groups of which the originator could be found to be a
      member. Hence, nested groups are not supported when evaluating
      access controls.

3.3. ACI Operational Attributes

   ACI is stored as values of operational attributes of entries and
   subentries. The operational attributes are multi-valued, which
   allows ACI to be represented as a set of ACI items.

3.3.1. Prescriptive ACI

   The prescriptiveACI attribute is defined as an operational attribute
   of an access control subentry. It contains prescriptive ACI
   applicable to entries within that subentry's scope.

   The LDAP description [RFC2252] for the prescriptiveACI operational
   attribute is:

      ( 2.5.24.4 NAME 'prescriptiveACI'
          EQUALITY directoryStringFirstComponentMatch
          SYNTAX 1.3.6.1.4.1.1466.115.121.1.1
          USAGE directoryOperation )

   The directoryStringFirstComponentMatch matching rule is described in
   [SCHEMA].

   Prescriptive ACI within the subentries of a particular administrative
   point never applies to the same or any other subentry of that
   administrative point, but can be applicable to the subentries of
   subordinate administrative points.

   Note that prescriptiveACI attributes are not collective attributes.
   Although the values of a prescriptiveACI attribute contribute to
   access control decisions for each entry within the scope of the
   subentry that holds the attribute, the prescriptiveACI attribute does
   not appear as part of those entries.

3.3.2. Entry ACI

   The entryACI attribute is defined as an operational attribute of an
   entry or subentry (not just access control subentries). It contains
   entry ACI applicable to the entry or subentry in which it appears,
   and that (sub)entry's contents.

   The LDAP description [RFC2252] for the entryACI operational attribute
   is:

      ( 2.5.24.5 NAME 'entryACI'
          EQUALITY directoryStringFirstComponentMatch
          SYNTAX 1.3.6.1.4.1.1466.115.121.1.1
          USAGE directoryOperation )

3.3.3. Subentry ACI

   The subentryACI attribute is defined as an operational attribute of
   administrative entries [ADMIN] (for any aspect of administration).
   It contains subentry ACI that applies to each of the subentries of
   the administrative entry in which it appears. Only administrative
   entries are permitted to contain a subentryACI attribute.

   The LDAP description [RFC2252] for the subentryACI operational
   attribute is:

      ( 2.5.24.6 NAME 'subentryACI'
          EQUALITY directoryStringFirstComponentMatch
          SYNTAX 1.3.6.1.4.1.1466.115.121.1.1
          USAGE directoryOperation )

3.3.4. Protecting the ACI

   ACI operational attributes are subject to the same protection
   mechanisms as other attributes.

   The identificationTag provides an identifier for each ACI item. This
   tag can be used to remove a specific ACI item value, or to protect it
   by prescriptive ACI, entry ACI or subentry ACI. Directory rules
   ensure that only one ACI item per access control operational
   attribute possesses any specific identificationTag value.

   The creation of subentries for an administrative entry may be
   controlled by means of the subentryACI operational attribute in the
   administrative entry. The right to create prescriptive access
   controls may also be governed directly by security policy; this
   provision is required to create access controls in new autonomous
   administrative areas [ADMIN].

3.4. Access Control Decision Points for LDAP Operations

   Each LDAP operation involves making a series of access control
   decisions on the various protected items that the operation accesses.

   For some operations (e.g., the Modify operation), each such access
   control decision must grant access for the operation to succeed; if
   access is denied to any protected item, the whole operation fails.
   For other operations (e.g., the Search operation), protected items to
   which access is denied are simply omitted from the operation result
   and processing continues.

   If the requested access is denied, further access control decisions
   may be needed to determine if the user has DiscloseOnError
   permissions to the protected item. Only if DiscloseOnError
   permission is granted may the server respond with an error that
   reveals the existence of the protected item. In all other cases, the
   server MUST act so as to conceal the existence of the protected item.
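
   The rule above is applied in 3.4.1.2 and 3.4.1.3 to choose both the
   resultCode and the matchedDN of the error response. As an added
   example, not part of this draft, the following Python computes that
   response. The disclose callable stands in for an ACDF answering
   whether DiscloseOnError is granted to a given entry, DNs are split on
   commas (sufficient for the constructed names used here), and the
   DISCLOSED set is a constructed policy.

```python
# Added example, not from the draft: choosing the error response when the
# entry-level permission is denied (3.4.1.3) and the matchedDN that may
# accompany it (3.4.1.2). `disclose` stands in for an ACDF answering
# "is DiscloseOnError granted to this entry?"; DN handling is a naive
# comma split, enough for the constructed names below.

ROOT_DSE = ""  # a zero-length LDAPDN names the root DSE


def superior(dn):
    """Drop the leading RDN; a single-RDN name's superior is the root DSE."""
    _, sep, rest = dn.partition(",")
    return rest if sep else ROOT_DSE


def matched_dn(target, disclose):
    """3.4.1.2: the target itself if DiscloseOnError is granted to it,
    else the nearest superior holding that permission, else the root DSE."""
    dn = target
    while dn != ROOT_DSE:
        if disclose(dn):
            return dn
        dn = superior(dn)
    return ROOT_DSE


def deny_entry_access(target, disclose):
    """3.4.1.3, first paragraph: the required entry-level permission was
    not granted. Returns (resultCode, matchedDN)."""
    code = "insufficientAccessRights" if disclose(target) else "noSuchObject"
    return code, matched_dn(target, disclose)


def operational_error(target, code, disclose):
    """3.4.1.3, second paragraph: an unrelated error such as
    timeLimitExceeded may name the target only if DiscloseOnError is
    granted to it; otherwise the non-disclosure response is used instead."""
    if disclose(target):
        return code, target
    return deny_entry_access(target, disclose)


# Constructed policy: DiscloseOnError is granted only on ou=people.
DISCLOSED = {"ou=people,dc=example,dc=com"}


def sample_disclose(dn):
    return dn in DISCLOSED
```

   With the constructed policy, a denied operation on an entry under
   ou=people yields noSuchObject with matchedDN naming ou=people, while
   the same operation under ou=system yields noSuchObject with an empty
   matchedDN, so the response does not reveal whether ou=system exists.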

   The permissions required to access each protected item are specified
   for each operation in the following sections. The algorithm by which
   a permission is determined to be granted or not granted is specified
   in Section 3.5.

3.4.1. Common Elements of Procedure

   This section defines the elements of procedure that are common to all
   LDAP operations when Basic Access Control is in effect.

3.4.1.1. Alias Dereferencing

   If, in the process of locating a target object entry (nominated in an
   LDAP request), alias dereferencing is required, no specific
   permissions are necessary for alias dereferencing to take place.
   However, if alias dereferencing would result in a referral being
   returned, the following sequence of access controls applies.

   1) Read permission is required to the alias entry. If permission is
      not granted, the operation fails in accordance with the procedure
      described in 3.4.1.3.

   2) Read permission is required to the aliasedEntryName attribute and
      to the single value that it contains. If permission is not
      granted, the operation fails and the resultCode
      aliasDereferencingProblem SHALL be returned. The matchedDN field
      of the LDAPResult SHALL contain the name of the alias entry.

   In addition to the access controls described above, security policy
   may prevent the disclosure of knowledge of other servers which would
   otherwise be conveyed in a referral. If such a policy is in effect
   the resultCode insufficientAccessRights SHALL be returned.

3.4.1.2. Return of Names in Errors

   Certain LDAP result codes, i.e., noSuchObject, aliasProblem,
   invalidDNSyntax and aliasDereferencingProblem, provide the name of an
   entry in the matchedDN field of an LDAPResult.
   The DN of an entry SHALL only be provided in the matchedDN field if
   DiscloseOnError permission is granted to that entry, otherwise, the
   matchedDN field of the LDAPResult SHALL either contain the name of
   the next superior entry to which DiscloseOnError permission is
   granted, or, if DiscloseOnError permission is not granted to any
   superior entry, the name of the root DSE (i.e., a zero-length
   LDAPDN).

3.4.1.3. Non-disclosure of Entry Existence

   If, while performing an LDAP operation, the necessary entry level
   permission is not granted to the specified target object entry -
   e.g., the entry to be modified - the operation fails; if
   DiscloseOnError permission is granted to the target entry, the
   resultCode insufficientAccessRights SHALL be returned, otherwise, the
   resultCode noSuchObject SHALL be returned. The matchedDN field of
   the LDAPResult SHALL either contain the name of the next superior
   entry to which DiscloseOnError permission is granted, or, if
   DiscloseOnError permission is not granted to any superior entry, the
   name of the root DSE (i.e., a zero-length LDAPDN).

   Additionally, whenever the server detects an operational error
   (including a referral resultCode), it shall ensure that in returning
   that error it does not compromise the existence of the named target
   entry and any of its superiors. For example, before returning a
   resultCode of timeLimitExceeded or notAllowedOnNonLeaf, the server
   verifies that DiscloseOnError permission is granted to the target
   entry. If it is not, the procedure described in the paragraph above
   SHALL be followed.

3.4.2. Compare Operation Decision Points

   The following sequence of access controls applies for an entry being
   compared.

   1) Read permission for the entry to be compared is required. If
      permission is not granted, the operation fails in accordance with
      3.4.1.3.

   2) Compare permission for the attribute to be compared is required.
      If permission is not granted, the operation fails: if
      DiscloseOnError permission is granted to the attribute being
      compared, a resultCode of insufficientAccessRights SHALL be
      returned, otherwise, the resultCode noSuchAttribute SHALL be
      returned.

   3) If there exists a value within the attribute being compared that
      matches the purported argument and for which Compare permission is
      granted, the operation returns the resultCode compareTrue,
      otherwise the operation returns the resultCode compareFalse.

3.4.3. Search Operation Decision Points

   The following sequence of access controls applies for a portion of
   the DIT being searched.

   1) No specific permission is required to the entry identified by the
      baseObject argument in order to initiate a search. However, if
      the baseObject is within the scope of the SearchArgument (i.e.,
      when the subset argument specifies baseObject or wholeSubtree) the
      access controls specified in 2) through 5) will apply.

   2) Browse or Read permission is required for the single entry within
      the scope of a baseObject search. An entry for which neither of
      these permissions is granted is ignored.

      This differs from the X.500 DAP Search operation where the Browse
      permission alone is required. An entry with Read permission but
      not Browse permission cannot be searched but can still be examined
      with an X.500 DAP Read operation. LDAP relies on baseObject
      search operations to provide the functionality of the DAP Read
      operation.
      Accepting Read permission for the target entry in a baseObject
      search gives an LDAP baseObject search the same access rights to
      the entry as the DAP Read operation.

   3) Browse permission is required for an entry within the scope of a
      singleLevel or wholeSubtree search to be a candidate for
      consideration. Entries for which this permission is not granted
      are ignored.

   4) The filter argument is applied to each entry left to be considered
      after taking 2) and 3) into account, in accordance with the
      following:

      a) For a present Filter item, if there exists an attribute value
         such that the attribute type of the value (possibly a subtype
         of the attribute type in the FilterItem) satisfies the Filter
         item and FilterMatch permission is granted for the value and
         for the attribute type then the FilterItem evaluates to TRUE,
         otherwise, it evaluates to FALSE.

         If a directory server does not support True/False filters
         [FILTER] on LDAP searches, or if directory clients do not
         exploit this capability, then access control administrators
         SHOULD grant FilterMatch permission for the objectClass
         attribute over entries where Read permission is also granted so
         that an LDAP baseObject search with a filter testing for the
         presence of the objectClass attribute will have the same access
         rights to the target entry as the DAP Read operation. An LDAP
         baseObject search with a True filter does not require
         FilterMatch permission for any particular attribute type.

      b) For an equalityMatch, substrings, greaterOrEqual, lessOrEqual,
         approxMatch or extensibleMatch Filter item, if there exists an
         attribute value such that the value satisfies the Filter item
         and FilterMatch permission is granted for the value and for its
         attribute type (possibly a subtype of the attribute type in the
         FilterItem) then the FilterItem evaluates to TRUE, otherwise,
         it evaluates to FALSE.

   Once the access controls defined in 2) through 4) have been applied,
   an entry is either selected or discarded.

   5) For each selected entry the information returned is as follows:

      a) ReturnDN permission for an entry is required in order to return
         its distinguished name in a SearchResultEntry response. If
         this permission is not granted, the server SHALL either return
         the name of a valid alias to the entry, or omit the entry from
         the search result.

         If the base entry of the search was located using an alias,
         then that alias is known to be a valid alias. Otherwise, how
         it is ensured that the alias is valid is outside the scope of
         this specification.

         Where a server has a choice of alias names available to it for
         return, it is RECOMMENDED that where possible it choose the
         same alias name for repeated requests by the same client, in
         order to provide a consistent service.

      b) If the typesOnly field of the SearchRequest is TRUE then, for
         each attribute type that is to be returned, Read permission for
         the attribute type and Read permission for at least one value
         of the attribute is required. If permission is not granted,
         the attribute type is omitted from the attribute list in the
         SearchResultEntry.
         If as a consequence of applying these controls no attribute
         type information is selected, the SearchResultEntry is returned
         but no attribute type information is conveyed with it (i.e.,
         the attribute list is empty).

      c) If the typesOnly field of the SearchRequest is FALSE then Read
         permission is required for each attribute type and for each
         attribute value that is to be returned. If permission to an
         attribute type is not granted, the attribute is omitted from
         the SearchResultEntry. If permission to an attribute value is
         not granted, the value is omitted from its corresponding
         attribute. If all values of an attribute are omitted then the
         attribute type is omitted from the attribute list in the
         SearchResultEntry. If as a consequence of applying these
         controls no attribute information is selected, the
         SearchResultEntry is returned but no attribute information is
         conveyed with it (i.e., the attribute list is empty).

   6) If as a consequence of applying the above controls to the entire
      scoped subtree the search result contains no entries (excluding
      any SearchResultReferences) and if DiscloseOnError permission is
      not granted to the entry identified by the baseObject argument,
      the operation fails and the resultCode noSuchObject SHALL be
      returned. The matchedDN field of the LDAPResult SHALL either
      contain the name of the next superior entry to which
      DiscloseOnError permission is granted, or the name of the root DSE
      (i.e., a zero-length LDAPDN). Otherwise, the operation succeeds
      but no subordinate information is conveyed with it.

   Security policy may prevent the disclosure of knowledge of other
   servers which would otherwise be conveyed as SearchResultReferences.
   If such a policy is in effect SearchResultReferences are omitted from
   the search result.

   No specific permissions are necessary to allow alias dereferencing to
   take place in the course of a search operation. However, for each
   alias entry encountered, if alias dereferencing would result in a
   SearchResultReference being returned, the following access controls
   apply: Read permission is required to the alias entry, the
   aliasedEntryName attribute and to the single value that it contains.
   If any of these permissions is not granted, the SearchResultReference
   SHALL be omitted from the search result.

3.4.4. Add Operation Decision Points

   The following sequence of access controls applies for an entry being
   added.

   1) No specific permission is required for the immediate superior of
      the entry identified by the entry field of the AddRequest.

   2) If an entry already exists with a distinguished name equal to the
      entry field the operation fails; if DiscloseOnError or Add
      permission is granted to the existing entry, the resultCode
      entryAlreadyExists SHALL be returned, otherwise, the procedure
      described in 3.4.1.3 is followed with respect to the entry being
      added.

   3) Add permission is required for the new entry being added. If this
      permission is not granted, the operation fails; the procedure
      described in 3.4.1.3 is followed with respect to the entry being
      added.

      The Add permission is provided as prescriptive ACI when attempting
      to add an entry and as prescriptive ACI or subentry ACI when
      attempting to add a subentry. Any values of the entryACI
      attribute in the entry being added SHALL be ignored.

   4) Add permission is required for each attribute type and for each
      value that is to be added. If any permission is absent, the
      operation fails and the resultCode insufficientAccessRights SHALL
      be returned.

3.4.5. Delete Operation Decision Points

   The following sequence of access controls applies for an entry being
   removed.

   1) Remove permission is required for the entry being removed. If
      this permission is not granted, the operation fails in accordance
      with 3.4.1.3.

   2) No specific permissions are required for any of the attributes and
      attribute values present within the entry being removed.

3.4.6. Modify Operation Decision Points

   The following sequence of access controls applies for an entry being
   modified.

   1) Modify permission is required for the entry being modified. If
      this permission is not granted, the operation fails in accordance
      with 3.4.1.3.

   2) For each of the specified modification arguments applied in
      sequence, the following permissions are required:

      a) Add permission is required for each of the attribute values
         specified in an add modification. If the attribute does not
         currently exist then Add permission for the attribute type is
         also required. If these permissions are not granted, or any of
         the attribute values already exist, the operation fails; if an
         attribute value already exists and DiscloseOnError or Add is
         granted to that attribute value, the resultCode
         attributeOrValueExists SHALL be returned, otherwise, the
         resultCode insufficientAccessRights SHALL be returned.

      b) Remove permission is required for the attribute type specified
         in a delete modification with no listed attribute values.
         If this permission is not granted, the operation fails; if
         DiscloseOnError permission is granted to the attribute being
         removed and the attribute exists, the resultCode
         insufficientAccessRights SHALL be returned, otherwise, the
         resultCode noSuchAttribute SHALL be returned.

         No specific permissions are required for any of the attribute
         values present within the attribute being removed.

      c) Remove permission is required for each of the values in a
         delete modification with listed attribute values. If all
         current values of the attribute are specified to be removed
         (which causes the attribute itself to be removed), then Remove
         permission for the attribute type is also required. If these
         permissions are not granted, the operation fails; if
         DiscloseOnError permission is granted to any of the attribute
         values being removed, the resultCode insufficientAccessRights
         SHALL be returned, otherwise, the resultCode noSuchAttribute
         SHALL be returned.

      d) Remove and Add permission is required for the attribute type,
         and Add permission is required for each of the specified
         attribute values, in a replace modification. If these
         permissions are not granted the operation fails and the
         resultCode insufficientAccessRights SHALL be returned.

         No specific permissions are required to remove any existing
         attribute values of the attribute being replaced.

3.4.7. Modify DN Operation Decision Points

   The following sequence of access controls applies for an entry having
   its DN modified.

   1) If the effect of the operation is to change the RDN of the entry
      then Rename permission (determined with respect to its original
      name) is required for the entry.
      If this permission is not granted, the operation fails; the
      procedure described in 3.4.1.3 is followed with respect to the
      entry being renamed (considered with its original name).

      No additional permissions are required even if, as a result of
      modifying the RDN of the entry, a new distinguished value needs to
      be added, or an old one removed. No specific permissions are
      required for the subordinates of the renamed entry.

   2) If the effect of the operation is to move an entry to a new
      superior in the DIT then Export permission (determined with
      respect to its original name) and Import permission (determined
      with respect to its new name) are required for the entry. If
      either of these permissions is not granted, the operation fails;
      the procedure described in 3.4.1.3 is followed with respect to the
      entry being moved (considered with its original name).

      The Import permission is provided as prescriptive ACI when
      attempting to move an entry and as prescriptive ACI or subentry
      ACI when attempting to move a subentry. Any values of the
      entryACI attribute in the entry or subentry being moved SHALL be
      ignored.

      No specific permissions are required for the subordinates of the
      moved entry.

   Note that a single Modify DN Operation may simultaneously rename and
   move an entry.

3.5. Access Control Decision Function

   This section describes how ACI items are processed in order to decide
   whether to grant or deny a particular requestor a specified
   permission to a given protected item.

   Section 3.5.1 describes the inputs to the ACDF. Sections 3.5.2
   through 3.5.4 describe the steps in the ACDF. The output is a
   decision to grant or deny access to the protected item.

3.5.1. Inputs

   For each invocation of the ACDF, the inputs are:

   a) the requestor's Distinguished Name, unique identifier, and
      authentication level, or as many of these as are available;

   b) the protected item (an entry, an attribute, or an attribute value)
      being considered at the current decision point for which the ACDF
      was invoked;

   c) the requested permission specified for the current decision point;

   d) the ACI items applicable to the entry containing (or which is) the
      protected item.

   In addition, if the ACI items include any of the protected item
   constraints described in 5.2.1.4, the whole entry and the number of
   immediate subordinates of its superior entry may also be required as
   inputs.

3.5.2. Tuples

   For each ACI item, expand the item into a set of tuples, one tuple
   for each element of the itemPermissions and userPermissions sets,
   containing the following elements:

      ( userClasses, authenticationLevel, protectedItems,
        grantsAndDenials, precedence )

   Collect all tuples from all ACI items into a single set.

   For any tuple whose grantsAndDenials specify both grants and denials,
   replace the tuple with two tuples - one specifying only grants and
   the other specifying only denials.

3.5.3. Discarding Irrelevant Tuples

   Perform the following steps to discard all irrelevant tuples:

   1) Discard all tuples that do not include the requestor in the
      tuple's userClasses as follows:

      a) For tuples that grant access, discard all tuples that do not
         include the requestor's identity in the tuple's userClasses
         element, taking into account UniqueIdentifier elements if
         relevant.
         Where a tuple's userClasses specifies a UniqueIdentifier, a
         matching value shall be present in the requestor's identity if
         the tuple is not to be discarded. Discard tuples that specify
         an authentication level higher than that associated with the
         requestor.

      b) For tuples that deny access, retain all tuples that include the
         requestor in the tuple's userClasses element, taking into
         account uniqueIdentifier elements if relevant. Also retain all
         tuples that deny access and which specify an authentication
         level higher than that associated with the requestor. This
         reflects the fact that the requestor has not adequately proved
         non-membership in the user class for which the denial is
         specified. All other tuples that deny access are discarded.

   2) Discard all tuples that do not include the protected item in
      protectedItems.

   3) Examine all tuples that include maxValueCount, maxImmSub or
      restrictedBy. Discard all such tuples which grant access and
      which do not satisfy any of these constraints.

   4) Discard all tuples that do not include the requested permission as
      one of the set bits in grantsAndDenials.

   The order in which tuples are discarded does not change the output of
   the ACDF.

3.5.4. Highest Precedence and Specificity

   Perform the following steps to select those tuples of highest
   precedence and specificity:

   1) Discard all tuples having a precedence less than the highest
      precedence among the remaining tuples.

   2) If more than one tuple remains, choose the tuples with the most
      specific user class. If there are any tuples matching the
      requestor with UserClasses element name or thisEntry, discard all
      other tuples.
      Otherwise if there are any tuples matching UserGroup, discard all
      other tuples. Otherwise if there are any tuples matching subtree,
      discard all other tuples.

   3) If more than one tuple remains, choose the tuples with the most
      specific protected item. If the protected item is an attribute
      and there are tuples that specify the attribute type explicitly,
      discard all other tuples. If the protected item is an attribute
      value, and there are tuples that specify the attribute value
      explicitly, discard all other tuples. A protected item which is a
      rangeOfValues is to be treated as specifying an attribute value
      explicitly.

   Grant access if and only if one or more tuples remain and all grant
   access. Otherwise deny access.

4. Simplified Access Control

   This section describes the functionality of the Simplified Access
   Control scheme. It provides a subset of the functionality found in
   Basic Access Control.

   When Simplified Access Control is used, the accessControlScheme
   operational attribute [ACA] SHALL have the value
   simplified-access-control (2.5.28.2).

   The functionality of Simplified Access Control is the same as Basic
   Access Control except that:

   1) Access control decisions shall be made only on the basis of values
      of prescriptiveACI and subentryACI operational attributes. Values
      of the entryACI attribute, if present, SHALL NOT be used to make
      access control decisions.

   2) Access Control Inner Areas are not used. Values of
      prescriptiveACI attributes appearing in subentries of ACIPs SHALL
      NOT be used to make access control decisions.

   All other provisions SHALL be as defined for Basic Access Control.
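
   As an added illustration, not part of this draft, the following
   Python implements the ACDF steps of 3.5.2 through 3.5.4 over a
   constructed ACI model and also applies the userGroup rule of 3.2.5
   for groups the server cannot evaluate. The dictionary form of an
   ACIItem, the GROUPS table, the DNs and SAMPLE_ACI are constructed for
   the example; only the userFirst form is expanded, UniqueIdentifier is
   not modelled, and the maxValueCount, maxImmSub and restrictedBy
   constraints of 3.5.3 step 3) are left out.

```python
# Added example, not from the draft: a compact ACDF covering 3.5.2 (tuple
# expansion), 3.5.3 (discarding) and 3.5.4 (precedence, specificity), with
# the 3.2.5 rule for groups the server cannot evaluate. Data model, GROUPS
# table and SAMPLE_ACI are constructed; userFirst form only.

AUTH = {"none": 0, "simple": 1, "strong": 2}
USER_SPEC = {"name": 3, "thisEntry": 3, "userGroup": 2, "subtree": 1, "allUsers": 0}
ITEM_SPEC = {"entry": 0, "allUserAttributeTypes": 0, "attributeType": 1,
             "allAttributeValues": 0, "attributeValue": 1}

# Constructed group table; None marks a group this server cannot evaluate.
GROUPS = {
    "cn=admins,dc=example,dc=com": {"cn=alice,ou=people,dc=example,dc=com"},
    "cn=offsite,dc=example,dc=com": None,
}


def user_match(kind, value, req_dn, entry_dn, grants):
    """One userClasses element against the requestor (groups per 3.2.5)."""
    if kind == "allUsers":
        return True
    if kind == "thisEntry":
        return req_dn == entry_dn
    if kind == "name":
        return req_dn == value
    if kind == "subtree":
        return req_dn == value or req_dn.endswith("," + value)
    if kind == "userGroup":
        members = GROUPS.get(value)
        if members is None:       # 3.2.5 a): unknown group counts as
            return not grants     # non-member for grants, member for denials
        return req_dn in members  # nested groups are not followed, 3.2.5 b)
    return False


def item_match(kind, value, item):
    """One protectedItems element against ("entry", None),
    ("attribute", type) or ("value", (type, val))."""
    if kind == "entry":
        return item[0] == "entry"
    if kind == "allUserAttributeTypes":
        return item[0] == "attribute"
    if kind == "attributeType":
        return item[0] == "attribute" and item[1] == value
    if kind == "allAttributeValues":
        return item[0] == "value" and item[1][0] == value
    if kind == "attributeValue":
        return item[0] == "value" and item[1] == value
    return False


def expand(aci_items):
    """3.5.2: one tuple per userPermissions element, split into a grant-only
    and a deny-only tuple when it carries both."""
    out = []
    for aci in aci_items:
        for perm in aci["userPermissions"]:
            prec = perm.get("precedence", aci["precedence"])
            for grants, rights in ((True, perm.get("grants", ())),
                                   (False, perm.get("denials", ()))):
                if rights:
                    out.append((aci["userClasses"], aci["authenticationLevel"],
                                perm["protectedItems"], grants, set(rights), prec))
    return out


def acdf(req_dn, req_auth, entry_dn, item, permission, aci_items):
    """3.5.3 and 3.5.4: True grants the permission, False denies it."""
    kept = []
    for users, auth, items, grants, rights, prec in expand(aci_items):
        matched = [u for u in users
                   if user_match(u[0], u[1], req_dn, entry_dn, grants)]
        weak_auth = AUTH[req_auth] < AUTH[auth]
        if grants and (not matched or weak_auth):           # 3.5.3 1a)
            continue
        if not grants and not matched and not weak_auth:    # 3.5.3 1b)
            continue
        hit = [p for p in items if item_match(p[0], p[1], item)]
        if not hit or permission not in rights:             # 3.5.3 2), 4)
            continue
        # Assumption: a denial kept only for weak authentication is ranked
        # by the classes it names, since the requestor may belong to them.
        uspec = max(USER_SPEC[u[0]] for u in (matched or users))
        kept.append((prec, uspec, max(ITEM_SPEC[p[0]] for p in hit), grants))
    if not kept:
        return False
    for i in range(3):        # 3.5.4 1) precedence, 2) user, 3) item
        best = max(k[i] for k in kept)
        kept = [k for k in kept if k[i] == best]
    return all(k[3] for k in kept)   # grant only if every survivor grants


# Constructed sample ACI: everyone is denied entry Read/Browse by default,
# admins get it at the same precedence via a more specific user class, and
# mail values are hidden from an offsite group this server cannot resolve.
SAMPLE_ACI = [
    {"identificationTag": "default-deny", "precedence": 10, "authenticationLevel": "none",
     "userClasses": [("allUsers", None)],
     "userPermissions": [{"protectedItems": [("entry", None)], "denials": ["Read", "Browse"]}]},
    {"identificationTag": "admins-read", "precedence": 10, "authenticationLevel": "simple",
     "userClasses": [("userGroup", "cn=admins,dc=example,dc=com")],
     "userPermissions": [{"protectedItems": [("entry", None), ("allUserAttributeTypes", None),
                                             ("allAttributeValues", "mail")],
                          "grants": ["Read", "Browse"]}]},
    {"identificationTag": "offsite-no-mail", "precedence": 20, "authenticationLevel": "none",
     "userClasses": [("userGroup", "cn=offsite,dc=example,dc=com")],
     "userPermissions": [{"protectedItems": [("allAttributeValues", "mail")], "denials": ["Read"]}]},
]
```

   Run against SAMPLE_ACI, the admin member is granted Read on her own
   entry because the userGroup grant is more specific than the allUsers
   denial at equal precedence, is refused when she binds anonymously
   because the grant's authentication level is not met, and is refused
   Read on a mail value because the offsite group cannot be resolved and
   3.2.5 a) therefore counts her as a member for the purposes of that
   denial, which at precedence 20 outranks the grant.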
5. Security Considerations

   Access control administrators should beware of basing access controls
   on membership of non-locally available groups or groups which are
   available only through replication (and which may, therefore, be out
   of date).

   A particular DSA might not have the ACI governing any data that it
   caches. Administrators should be aware that a directory server with
   the capability of caching may pose a significant security risk to
   other directory servers, in that it may reveal information to
   unauthorized users.

6. Acknowledgements

   This document is derived from, and duplicates substantial portions
   of, Section 8 of X.501 [X501], and selected extracts from X.511
   [X511].

7. IANA Considerations

   The Internet Assigned Numbers Authority (IANA) is requested to update
   the LDAP descriptors registry [BCP64] as indicated by the following
   templates:

   Subject: Request for LDAP Descriptor Registration
   Descriptor (short name): basic-access-control
   Object Identifier: 2.5.28.1
   Person & email address to contact for further information:
     Steven Legg <steven.legg@adacel.com.au>
   Usage: other (access control scheme)
   Specification: RFC XXXX
   Author/Change Controller: IESG

   Subject: Request for LDAP Descriptor Registration
   Descriptor (short name): simplified-access-control
   Object Identifier: 2.5.28.2
   Person & email address to contact for further information:
     Steven Legg <steven.legg@adacel.com.au>
   Usage: other (access control scheme)
   Specification: RFC XXXX
   Author/Change Controller: IESG

   Subject: Request for LDAP Descriptor Registration
   Descriptor (short name): prescriptiveACI
   Object Identifier: 2.5.24.4
   Person & email address to
   contact for further information:
     Steven Legg <steven.legg@adacel.com.au>
   Usage: attribute type
   Specification: RFC XXXX
   Author/Change Controller: IESG

   Subject: Request for LDAP Descriptor Registration
   Descriptor (short name): entryACI
   Object Identifier: 2.5.24.5
   Person & email address to contact for further information:
     Steven Legg <steven.legg@adacel.com.au>
   Usage: attribute type
   Specification: RFC XXXX
   Author/Change Controller: IESG

   Subject: Request for LDAP Descriptor Registration
   Descriptor (short name): subentryACI
   Object Identifier: 2.5.24.6
   Person & email address to contact for further information:
     Steven Legg <steven.legg@adacel.com.au>
   Usage: attribute type
   Specification: RFC XXXX
   Author/Change Controller: IESG

Appendix A. LDAP Specific Encoding for the ACI Item Syntax

   This appendix is non-normative.

   The LDAP-specific encoding for the ACI Item syntax is specified by
   the Generic String Encoding Rules [GSER]. The ABNF [RFC2234] in this
   appendix for this syntax is provided only as a convenience and is
   equivalent to the encoding specified by the application of GSER.
   Since the ACI Item ASN.1 type may be extended in future editions of
   X.501 [X501], the provided ABNF should be regarded as a snapshot in
   time. The LDAP-specific encoding for any extension to the ACI Item
   ASN.1 type can be determined from the rules of GSER.

   In the event that there is a discrepancy between this ABNF and the
   encoding determined by GSER, then GSER is to be taken as definitive.
   ACIItem = "{" sp aci-identificationTag ","
                 sp aci-precedence ","
                 sp aci-authenticationLevel ","
                 sp aci-itemOrUserFirst
                 sp "}"

   aci-identificationTag   = id-identificationTag msp
                                DirectoryString
   aci-precedence          = id-precedence msp Precedence
   aci-authenticationLevel = id-authenticationLevel msp
                                AuthenticationLevel
   aci-itemOrUserFirst     = id-itemOrUserFirst msp
                                ItemOrUserFirst
   id-identificationTag   = %x69.64.65.6E.74.69.66.69.63.61.74.69.6F
                               %x6E.54.61.67 ; "identificationTag"
   id-precedence          = %x70.72.65.63.65.64.65.6E.63.65
                               ; "precedence"
   id-authenticationLevel = %x61.75.74.68.65.6E.74.69.63.61.74.69.6F
                               %x6E.4C.65.76.65.6C
                               ; "authenticationLevel"
   id-itemOrUserFirst     = %x69.74.65.6D.4F.72.55.73.65.72.46.69.72
                               %x73.74 ; "itemOrUserFirst"

   Precedence = INTEGER-0-MAX ; MUST be less than 256

   AuthenticationLevel = al-basicLevels / al-other
   al-basicLevels = id-basicLevels ":" BasicLevels
   al-other       = id-other ":" EXTERNAL
   id-basicLevels = %x62.61.73.69.63.4C.65.76.65.6C.73
                       ; "basicLevels"
   id-other       = %x6F.74.68.65.72 ; "other"

   BasicLevels = "{" sp bl-level
                     [ "," sp bl-localQualifier ]
                     [ "," sp bl-signed ]
                     sp "}"

   bl-level          = id-level msp Level
   bl-localQualifier = id-localQualifier msp INTEGER
   bl-signed         = id-signed msp BOOLEAN
   Level             = id-none / id-simple / id-strong
   id-level          = %x6C.65.76.65.6C ; "level"
   id-localQualifier = %x6C.6F.63.61.6C.51.75.61.6C.69.66.69.65.72
                          ; "localQualifier"
   id-signed         = %x73.69.67.6E.65.64 ; "signed"
   id-none           = %x6E.6F.6E.65 ; "none"
   id-simple         = %x73.69.6D.70.6C.65 ; "simple"
   id-strong         = %x73.74.72.6F.6E.67 ; "strong"

   ItemOrUserFirst = ( id-itemFirst ":" ItemFirst ) /
                     (
                       id-userFirst ":" UserFirst )
   id-itemFirst = %x69.74.65.6D.46.69.72.73.74 ; "itemFirst"
   id-userFirst = %x75.73.65.72.46.69.72.73.74 ; "userFirst"

   ItemFirst = "{" sp if-protectedItems ","
                   sp if-itemPermissions
                   sp "}"
   if-protectedItems  = id-protectedItems msp ProtectedItems
   if-itemPermissions = id-itemPermissions msp ItemPermissions
   id-protectedItems  = %x70.72.6F.74.65.63.74.65.64.49.74.65.6D.73
                           ; "protectedItems"
   id-itemPermissions = %x69.74.65.6D.50.65.72.6D.69.73.73.69.6F.6E
                           %x73 ; "itemPermissions"

   UserFirst = "{" sp uf-userClasses ","
                   sp uf-userPermissions
                   sp "}"
   uf-userClasses     = id-userClasses msp UserClasses
   uf-userPermissions = id-userPermissions msp UserPermissions
   id-userClasses     = %x75.73.65.72.43.6C.61.73.73.65.73
                           ; "userClasses"
   id-userPermissions = %x75.73.65.72.50.65.72.6D.69.73.73.69.6F.6E
                           %x73 ; "userPermissions"

   ItemPermissions = "{" [ sp ItemPermission
                           *( "," sp ItemPermission ) ] sp "}"
   ItemPermission  = "{" [ sp ip-precedence "," ]
                         sp ip-userClasses ","
                         sp ip-grantsAndDenials
                         sp "}"
   ip-precedence       = id-precedence msp Precedence
   ip-userClasses      = id-userClasses msp UserClasses
   ip-grantsAndDenials = id-grantsAndDenials msp GrantsAndDenials
   id-grantsAndDenials = %x67.72.61.6E.74.73.41.6E.64.44.65.6E.69.61
                            %x6C.73 ; "grantsAndDenials"

   UserClasses = "{" [ sp uc-allUsers ]
                     [ sep sp uc-thisEntry ]
                     [ sep sp uc-name ]
                     [ sep sp uc-userGroup ]
                     [ sep sp uc-subtree ]
                     sp "}"
   uc-allUsers  = id-allUsers msp NULL
   uc-thisEntry = id-thisEntry msp NULL
   uc-name      = id-name msp NameAndOptionalUIDs
   uc-userGroup = id-userGroup msp NameAndOptionalUIDs
   uc-subtree   = id-subtree msp SubtreeSpecifications
   id-allUsers  = %x61.6C.6C.55.73.65.72.73 ; "allUsers"
   id-thisEntry = %x74.68.69.73.45.6E.74.72.79 ; "thisEntry"
   id-name      = %x6E.61.6D.65 ; "name"
   id-userGroup = %x75.73.65.72.47.72.6F.75.70 ; "userGroup"
   id-subtree   = %x73.75.62.74.72.65.65 ; "subtree"

   NameAndOptionalUIDs = "{" sp NameAndOptionalUID
                             *( "," sp NameAndOptionalUID ) sp "}"
   NameAndOptionalUID  = "{" sp nu-dn
                             [ "," sp nu-uid ]
                             sp "}"
   nu-dn  = id-dn msp DistinguishedName
   nu-uid = id-uid msp UniqueIdentifier
   UniqueIdentifier = BIT-STRING
   id-dn  = %x64.6E ; "dn"
   id-uid = %x75.69.64 ; "uid"

   SubtreeSpecifications = "{" sp SubtreeSpecification
                               *( "," sp SubtreeSpecification ) sp "}"

   UserPermissions = "{" [ sp UserPermission
                           *( "," sp UserPermission ) ] sp "}"
   UserPermission  = "{" [ sp up-precedence "," ]
                         sp up-protectedItems ","
                         sp up-grantsAndDenials
                         sp "}"
   up-precedence       = id-precedence msp Precedence
   up-protectedItems   = id-protectedItems msp ProtectedItems
   up-grantsAndDenials = id-grantsAndDenials msp GrantsAndDenials

   ProtectedItems = "{" [ sp pi-entry ]
                        [ sep sp pi-allUserAttributeTypes ]
                        [ sep sp pi-attributeType ]
                        [ sep sp pi-allAttributeValues ]
                        [ sep sp pi-allUserTypesAndValues ]
                        [ sep sp pi-attributeValue ]
                        [ sep sp pi-selfValue ]
                        [ sep sp pi-rangeOfValues ]
                        [ sep sp pi-maxValueCount ]
                        [ sep sp pi-maxImmSub ]
                        [ sep sp pi-restrictedBy ]
                        ; contexts omitted
                        [ sep sp pi-classes ]
                        sp "}"

   pi-entry                 = id-entry msp NULL
   pi-allUserAttributeTypes = id-allUserAttributeTypes msp NULL
   pi-attributeType         = id-attributeType msp AttributeTypes
   pi-allAttributeValues    = id-allAttributeValues msp
                                 AttributeTypes
   pi-allUserTypesAndValues =
                                id-allUserAttributeTypesAndValues msp
                                NULL
   pi-attributeValue        = id-attributeValue msp
                                 AttributeTypeAndValues
   pi-selfValue     = id-selfValue msp AttributeTypes
   pi-rangeOfValues = id-rangeOfValues msp Filter
   pi-maxValueCount = id-maxValueCount msp MaxValueCounts
   pi-maxImmSub     = id-maxImmSub msp INTEGER
   pi-restrictedBy  = id-restrictedBy msp RestrictedValues
   pi-classes       = id-classes msp Refinement
   id-entry                 = %x65.6E.74.72.79 ; "entry"
   id-allUserAttributeTypes = %x61.6C.6C.55.73.65.72.41.74.74.72.69
                                 %x62.75.74.65.54.79.70.65.73
                                 ; "allUserAttributeTypes"
   id-attributeType         = %x61.74.74.72.69.62.75.74.65.54.79.70
                                 %x65 ; "attributeType"
   id-allAttributeValues    = %x61.6C.6C.41.74.74.72.69.62.75.74.65
                                 %x56.61.6C.75.65.73
                                 ; "allAttributeValues"
   id-attributeValue        = %x61.74.74.72.69.62.75.74.65.56.61.6C
                                 %x75.65 ; "attributeValue"
   id-selfValue             = %x73.65.6C.66.56.61.6C.75.65
                                 ; "selfValue"
   id-rangeOfValues         = %x72.61.6E.67.65.4F.66.56.61.6C.75.65
                                 %x73 ; "rangeOfValues"
   id-maxValueCount         = %x6D.61.78.56.61.6C.75.65.43.6F.75.6E
                                 %x74 ; "maxValueCount"
   id-maxImmSub             = %x6D.61.78.49.6D.6D.53.75.62
                                 ; "maxImmSub"
   id-restrictedBy          = %x72.65.73.74.72.69.63.74.65.64.42.79
                                 ; "restrictedBy"
   id-classes               = %x63.6C.61.73.73.65.73 ; "classes"

   id-allUserAttributeTypesAndValues = %x61.6C.6C.55.73.65.72.41.74
                                          %x74.72.69.62.75.74.65.54.79.70.65.73
                                          %x41.6E.64.56.61.6C.75.65.73
                                          ; "allUserAttributeTypesAndValues"

   AttributeTypes = "{" sp AttributeType
                        *( "," sp AttributeType ) sp "}"

   AttributeTypeAndValues = "{" sp AttributeTypeAndValue
                                *( "," sp AttributeTypeAndValue )
                                sp "}"

   AttributeTypeAndValue = "{" sp atav-type ","
                               sp atav-value
                               sp "}"
   atav-type  = id-type msp AttributeType
   atav-value = id-value msp Value
   id-type    = %x74.79.70.65 ; "type"
   id-value   = %x76.61.6C.75.65 ; "value"

   MaxValueCounts = "{" sp MaxValueCount
                        *( "," sp MaxValueCount ) sp "}"
   MaxValueCount  = "{" sp mvc-type ","
                        sp mvc-maxCount
                        sp "}"
   mvc-type     = id-type msp AttributeType
   mvc-maxCount = id-maxCount msp INTEGER
   id-maxCount  = %x6D.61.78.43.6F.75.6E.74 ; "maxCount"

   RestrictedValues = "{" sp RestrictedValue
                          *( "," sp RestrictedValue ) sp "}"
   RestrictedValue  = "{" sp rv-type ","
                          sp rv-valuesin
                          sp "}"
   rv-type     = id-type msp AttributeType
   rv-valuesin = id-valuesin msp AttributeType
   id-valuesin = %x76.61.6C.75.65.73.69.6E ; "valuesin"

   GrantsAndDenials = "{" [ sp grantOrDeny
                            *( "," sp grantOrDeny ) ] sp "}"
   grantOrDeny = id-grantAdd
               / id-denyAdd
               / id-grantDiscloseOnError
               / id-denyDiscloseOnError
               / id-grantRead
               / id-denyRead
               / id-grantRemove
               / id-denyRemove
               / id-grantBrowse
               / id-denyBrowse
               / id-grantExport
               / id-denyExport
               / id-grantImport
               / id-denyImport
               / id-grantModify
               / id-denyModify
               / id-grantRename
               / id-denyRename
               / id-grantReturnDN
               / id-denyReturnDN
               / id-grantCompare
               / id-denyCompare
               / id-grantFilterMatch
               / id-denyFilterMatch
               ; grantInvoke omitted
               ; denyInvoke omitted

   id-grantAdd    = %x67.72.61.6E.74.41.64.64 ; "grantAdd"
   id-denyAdd     = %x64.65.6E.79.41.64.64 ; "denyAdd"
   id-grantBrowse = %x67.72.61.6E.74.42.72.6F.77.73.65
                       ; "grantBrowse"
   id-denyBrowse  = %x64.65.6E.79.42.72.6F.77.73.65 ; "denyBrowse"
   id-grantCompare = %x67.72.61.6E.74.43.6F.6D.70.61.72.65
                        ; "grantCompare"
   id-denyCompare  = %x64.65.6E.79.43.6F.6D.70.61.72.65
                        ; "denyCompare"

   id-grantDiscloseOnError = %x67.72.61.6E.74.44.69.73.63.6C.6F.73.65
                                %x4F.6E.45.72.72.6F.72
                                ; "grantDiscloseOnError"
   id-denyDiscloseOnError  = %x64.65.6E.79.44.69.73.63.6C.6F.73.65.4F
                                %x6E.45.72.72.6F.72
                                ; "denyDiscloseOnError"

   id-grantExport      = %x67.72.61.6E.74.45.78.70.6F.72.74
                            ; "grantExport"
   id-denyExport       = %x64.65.6E.79.45.78.70.6F.72.74
                            ; "denyExport"
   id-grantFilterMatch = %x67.72.61.6E.74.46.69.6C.74.65.72.4D.61.74
                            %x63.68 ; "grantFilterMatch"
   id-denyFilterMatch  = %x64.65.6E.79.46.69.6C.74.65.72.4D.61.74.63
                            %x68 ; "denyFilterMatch"
   id-grantImport      = %x67.72.61.6E.74.49.6D.70.6F.72.74
                            ; "grantImport"
   id-denyImport       = %x64.65.6E.79.49.6D.70.6F.72.74
                            ; "denyImport"
   id-grantModify      = %x67.72.61.6E.74.4D.6F.64.69.66.79
                            ; "grantModify"
   id-denyModify       = %x64.65.6E.79.4D.6F.64.69.66.79
                            ; "denyModify"
   id-grantRead        = %x67.72.61.6E.74.52.65.61.64 ; "grantRead"
   id-denyRead         = %x64.65.6E.79.52.65.61.64 ; "denyRead"
   id-grantRemove      = %x67.72.61.6E.74.52.65.6D.6F.76.65
                            ; "grantRemove"
   id-denyRemove       = %x64.65.6E.79.52.65.6D.6F.76.65
                            ; "denyRemove"
   id-grantRename      = %x67.72.61.6E.74.52.65.6E.61.6D.65
                            ; "grantRename"
   id-denyRename       = %x64.65.6E.79.52.65.6E.61.6D.65
                            ; "denyRename"
   id-grantReturnDN    = %x67.72.61.6E.74.52.65.74.75.72.6E.44.4E
                            ; "grantReturnDN"
   id-denyReturnDN     = %x64.65.6E.79.52.65.74.75.72.6E.44.4E
                            ; "denyReturnDN"

   The <sp>, <msp>, <sep>, <AttributeType>, <BIT-STRING>, <BOOLEAN>,
   <DirectoryString>, <DistinguishedName>, <EXTERNAL>, <INTEGER>,
   <INTEGER-0-MAX>
   and <NULL> rules are described in [GCE].

   The <SubtreeSpecification> and <Refinement> rules are described in
   [SUBENTRY].

   The <Value> rule is described in [GSER].

   Filter      = filter-item / filter-and / filter-or / filter-not
   filter-item = id-item ":" FilterItem
   filter-and  = id-and ":" SetOfFilter
   filter-or   = id-or ":" SetOfFilter
   filter-not  = id-not ":" Filter
   id-and  = %x61.6E.64 ; "and"
   id-item = %x69.74.65.6D ; "item"
   id-not  = %x6E.6F.74 ; "not"
   id-or   = %x6F.72 ; "or"

   SetOfFilter = "{" [ sp Filter *( "," sp Filter ) ] sp "}"

   FilterItem = fi-equality
              / fi-substrings
              / fi-greaterOrEqual
              / fi-lessOrEqual
              / fi-present
              / fi-approximateMatch
              / fi-extensibleMatch
              ; contextPresent omitted

   fi-equality         = id-equality ":" AttributeValueAssertion
   fi-substrings       = id-substrings ":" SubstringsAssertion
   fi-greaterOrEqual   = id-greaterOrEqual ":"
                            AttributeValueAssertion
   fi-lessOrEqual      = id-lessOrEqual ":" AttributeValueAssertion
   fi-present          = id-present ":" AttributeType
   fi-approximateMatch = id-approximateMatch ":"
                            AttributeValueAssertion
   fi-extensibleMatch  = id-extensibleMatch ":" MatchingRuleAssertion
   id-equality         = %x65.71.75.61.6C.69.74.79 ; "equality"
   id-substrings       = %x73.75.62.73.74.72.69.6E.67.73
                            ; "substrings"
   id-greaterOrEqual   = %x67.72.65.61.74.65.72.4F.72.45.71.75.61.6C
                            ; "greaterOrEqual"
   id-lessOrEqual      = %x6C.65.73.73.4F.72.45.71.75.61.6C
                            ; "lessOrEqual"
   id-present          = %x70.72.65.73.65.6E.74 ; "present"
   id-approximateMatch = %x61.70.70.72.6F.78.69.6D.61.74.65.4D.61.74
                            %x63.68 ; "approximateMatch"
   id-extensibleMatch  = %x65.78.74.65.6E.73.69.62.6C.65.4D.61.74.63
                            %x68 ; "extensibleMatch"
   AttributeValueAssertion = "{" sp ava-type ","
                                 sp ava-assertion
                                 ; assertedContexts omitted
                                 sp "}"

   ava-type      = id-type msp AttributeType
   ava-assertion = id-assertion msp Value
   id-assertion  = %x61.73.73.65.72.74.69.6F.6E ; "assertion"

   SubstringsAssertion = "{" sp sa-type ","
                             sp sa-strings
                             sp "}"

   sa-type    = id-type msp AttributeType
   sa-strings = id-strings msp Substrings
   id-strings = %x73.74.72.69.6E.67.73 ; "strings"

   Substrings = "{" [ sp Substring *( "," sp Substring ) ] sp "}"
   Substring  = ss-initial
              / ss-any
              / ss-final
              ; control omitted
   ss-initial = id-initial ":" Value
   ss-any     = id-any ":" Value
   ss-final   = id-final ":" Value
   id-initial = %x69.6E.69.74.69.61.6C ; "initial"
   id-any     = %x61.6E.79 ; "any"
   id-final   = %x66.69.6E.61.6C ; "final"

   MatchingRuleAssertion = "{" sp mra-matchingRule
                               [ "," sp mra-type ]
                               "," sp mra-matchValue
                               [ "," sp mra-dnAttributes ]
                               sp "}"

   mra-matchingRule = id-matchingRule msp MatchingRuleIds
   mra-type         = id-type msp AttributeType
   mra-matchValue   = id-matchValue msp Value
   mra-dnAttributes = id-dnAttributes msp BOOLEAN
   id-matchingRule  = %x6D.61.74.63.68.69.6E.67.52.75.6C.65
                         ; "matchingRule"
   id-matchValue    = %x6D.61.74.63.68.56.61.6C.75.65 ; "matchValue"
   id-dnAttributes  = %x64.6E.41.74.74.72.69.62.75.74.65.73
                         ; "dnAttributes"

   MatchingRuleIds = "{" sp MatchingRuleId
                         *( "," sp MatchingRuleId ) sp "}"
   MatchingRuleId  = OBJECT-IDENTIFIER

   The <OBJECT-IDENTIFIER> rule is described in [GCE].

Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2251]  Wahl, M., Howes, T.
              and S. Kille, "Lightweight Directory
              Access Protocol (v3)", RFC 2251, December 1997.

   [RFC2252]  Wahl, M., Coulbeck, A., Howes, T. and S. Kille,
              "Lightweight Directory Access Protocol (v3): Attribute
              Syntax Definitions", RFC 2252, December 1997.

   [RFC2256]  Wahl, M., "A Summary of the X.500(96) User Schema for use
              with LDAPv3", RFC 2256, December 1997.

   [RFC3377]  Hodges, J. and R. Morgan, "Lightweight Directory Access
              Protocol (v3): Technical Specification", RFC 3377,
              September 2002.

   [BCP64]    Zeilenga, K., "Internet Assigned Numbers Authority (IANA)
              Considerations for the Lightweight Directory Access
              Protocol (LDAP)", BCP 64, RFC 3383, September 2002.

   [GSER]     Legg, S., "Generic String Encoding Rules for ASN.1 Types",
              RFC 3641, October 2003.

   [COLLECT]  Zeilenga, K., "Collective Attributes in the Lightweight
              Directory Access Protocol (LDAP)", RFC 3671, December
              2003.

   [SUBENTRY] Zeilenga, K. and S. Legg, "Subentries in the Lightweight
              Directory Access Protocol (LDAP)", RFC 3672, December
              2003.

   [SCHEMA]   Zeilenga, K., "Lightweight Directory Access Protocol
              (LDAP): Additional Matching Rules", RFC 3698, February
              2004.

   [ADMIN]    Legg, S., "Lightweight Directory Access Protocol (LDAP):
              Directory Administrative Model",
              draft-legg-ldap-admin-xx.txt, a work in progress, June
              2004.

   [ACA]      Legg, S., "Lightweight Directory Access Protocol (LDAP):
              Access Control Administration",
              draft-legg-ldap-acm-admin-xx.txt, a work in progress, June
              2004.

   [FILTER]   Zeilenga, K., "LDAP Absolute True and False Filters",
              draft-zeilenga-ldap-t-f-xx.txt, a work in progress,
              February 2004.
   [ASN1]     ITU-T Recommendation X.680 (07/02) | ISO/IEC 8824-1,
              Information technology - Abstract Syntax Notation One
              (ASN.1): Specification of basic notation

Informative References

   [RFC2234]  Crocker, D. and P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", RFC 2234, November 1997.

   [GCE]      Legg, S., "Common Elements of Generic String Encoding
              Rules (GSER) Encodings", RFC 3642, October 2003.

   [X501]     ITU-T Recommendation X.501 (02/01) | ISO/IEC 9594-2:2001,
              Information technology - Open Systems Interconnection -
              The Directory: Models

   [X511]     ITU-T Recommendation X.511 (02/01) | ISO/IEC 9594-3:2001,
              Information technology - Open Systems Interconnection -
              The Directory: Abstract service definition

Author's Address

   Steven Legg
   Adacel Technologies Ltd.
   250 Bay Street
   Brighton, Victoria 3186
   AUSTRALIA

   Phone: +61 3 8530 7710
   Fax:   +61 3 8530 7888
   EMail: steven.legg@adacel.com.au

Full Copyright Statement

   Copyright (C) The Internet Society (2004). This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights. Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard. Please address the information to the IETF at
   ietf-ipr@ietf.org.

Changes in Draft 01

   The Internet draft draft-legg-ldap-acm-admin-00.txt has been split
   into two drafts, draft-legg-ldap-admin-00.txt and
   draft-legg-ldap-acm-admin-01.txt. Section 8 of
   draft-legg-ldapext-component-matching-06.txt has been extracted to
   become a separate Internet draft, draft-legg-ldap-gser-xx.txt. The
   references in this document have been updated accordingly.

   The term "native LDAP encoding" has been replaced by the term
   "LDAP-specific encoding" to align with terminology anticipated to be
   used in the revision of RFC 2252.
   Changes have been made to the Search Operation Decision Points
   (Section 3.4.3):

   In 4) a), the assumed FilterMatch permission for a present match of
   the objectClass attribute has been removed. An LDAP search with a
   True filter [FILTER] is the best analogue of the DAP read operation.
   A True filter does not filter any attribute type and therefore does
   not require FilterMatch permissions to succeed.

   In 5) b) and c), there is an additional requirement for Read
   permission for at least one attribute value before an attribute type
   can be returned in a search result. Without this change a search
   result could, in some circumstances, disclose the existence of
   particular hidden attribute values.

Changes in Draft 02

   RFC 3377 replaces RFC 2251 as the reference for LDAP.

   An IANA Considerations section has been added.

Changes in Draft 03

   The document has been reformatted in line with current practice.