4 Network Working Group S. Haripriya
5 Internet-Draft Jaimon. Jose, Ed.
6 Updates: 02 (if approved) Jim. Sermersheim
7 Intended status: Standards Track Novell, Inc.
8 Expires: July 9, 2007 January 5, 2007
11 LDAP: Dynamic Groups for LDAPv3
12 draft-haripriya-dynamicgroup-02
16 By submitting this Internet-Draft, each author represents that any
17 applicable patent or other IPR claims of which he or she is aware
18 have been or will be disclosed, and any of which he or she becomes
19 aware will be disclosed, in accordance with Section 6 of BCP 79.
21 Internet-Drafts are working documents of the Internet Engineering
22 Task Force (IETF), its areas, and its working groups. Note that
23 other groups may also distribute working documents as Internet-
26 Internet-Drafts are draft documents valid for a maximum of six months
27 and may be updated, replaced, or obsoleted by other documents at any
28 time. It is inappropriate to use Internet-Drafts as reference
29 material or to cite them other than as "work in progress."
31 The list of current Internet-Drafts can be accessed at
32 http://www.ietf.org/ietf/1id-abstracts.txt.
34 The list of Internet-Draft Shadow Directories can be accessed at
35 http://www.ietf.org/shadow.html.
37 This Internet-Draft will expire on July 9, 2007.
41 Copyright (C) The Internet Society (2007).
55 Haripriya, et al. Expires July 9, 2007 [Page 1]
57 Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
62 This document describes the requirements, semantics, schema elements,
63 and operations needed for a dynamic group feature in LDAP. A dynamic
64 group is defined here as a group object with a membership list of
65 distinguished names that is dynamically generated using LDAP search
66 criteria. The dynamic membership list may then be interrogated by
67 LDAP search and compare operations, and may also be used to find the
68 groups that an object is a member of. This feature eliminates a huge
69 amount of the administrative effort required today for maintaining
70 group memberships and role-based operations in large enterprises.
75 1. Conventions used in this document . . . . . . . . . . . . . . 4
76 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5
77 3. Requirements of a dynamic group feature . . . . . . . . . . . 6
78 4. Schema and Semantic Definitions for Dynamic Groups . . . . . . 7
79 4.1. Object Classes . . . . . . . . . . . . . . . . . . . . . . 7
80 4.1.1. dynamicGroup . . . . . . . . . . . . . . . . . . . . . 7
81 4.1.2. dynamicGroupOfUniqueNames . . . . . . . . . . . . . . 7
82 4.1.3. dynamicGroupAux . . . . . . . . . . . . . . . . . . . 7
83 4.1.4. dynamicGroupOfUniqueNamesAux . . . . . . . . . . . . . 7
84 4.2. Attributes . . . . . . . . . . . . . . . . . . . . . . . . 8
85 4.2.1. memberQueryURL . . . . . . . . . . . . . . . . . . . . 8
86 4.2.2. excludedMember . . . . . . . . . . . . . . . . . . . . 11
87 4.3. member . . . . . . . . . . . . . . . . . . . . . . . . . . 11
88 4.4. uniqueMember . . . . . . . . . . . . . . . . . . . . . . . 11
89 4.5. dgIdentity . . . . . . . . . . . . . . . . . . . . . . . . 11
90 4.5.1. dgIdentity - Security implications . . . . . . . . . . 12
91 5. Advertisement of support for dynamic groups . . . . . . . . . 13
92 6. Dynamic Group Operations . . . . . . . . . . . . . . . . . . . 14
93 6.1. Existing Operations . . . . . . . . . . . . . . . . . . . 14
94 6.1.1. Access to resources in the directory . . . . . . . . . 14
95 6.1.2. Reading a dynamic group object . . . . . . . . . . . . 14
96 6.1.3. 'Is Member Of' functionality . . . . . . . . . . . . . 15
97 6.2. New Extensions . . . . . . . . . . . . . . . . . . . . . . 16
98 6.2.1. Managing the static members of a dynamic group . . . . 16
99 7. Performance Considerations . . . . . . . . . . . . . . . . . . 17
100 7.1. Caching of Dynamic Members . . . . . . . . . . . . . . . . 17
101 8. Security Considerations . . . . . . . . . . . . . . . . . . . 18
102 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19
103 10. Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . 20
104 11. Normative References . . . . . . . . . . . . . . . . . . . . . 21
105 Appendix A. Example Values for memberQueryURL . . . . . . . . . . 22
106 Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . . 23
107 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 24
111 Haripriya, et al. Expires July 9, 2007 [Page 2]
113 Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
116 Intellectual Property and Copyright Statements . . . . . . . . . . 25
167 Haripriya, et al. Expires July 9, 2007 [Page 3]
169 Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
172 1. Conventions used in this document
174 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
175 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
176 document are to be interpreted as described in [1].
223 Haripriya, et al. Expires July 9, 2007 [Page 4]
225 Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
230 The LDAP schema described in [4] defines two object classes:
231 'groupOfNames', and 'groupOfUniqueNames', that hold a static list of
232 distinguished names in their 'member' or 'uniqueMember' attributes
233 respectively, and are typically used to describe a group of objects
234 for various functions. These grouping functions range from simple
235 group membership applications such as email distribution lists to
236 describing common authorization for a set of users The administration
237 and updating of these membership lists must be done by specifically
238 modifying the DN values in the member or uniqueMember attributes.
239 Thus, each time a change in membership happens, a process must exist
240 which adds or removes the particular entry's DN from the member
241 attribute. For example, consider an organization, where the access
242 to its facilities is controlled by membership in a directory group.
243 Assume that all employees in a department have been added to the
244 group that provides access to the required department facility. If
245 an employee moves from one department to another, the administrator
246 must remove the employee from one group and add him to another.
247 Similarly consider an organization that wants to provide access to
248 its facility, to both interns and employees on weekdays, but only to
249 employees on weekends. It would be effort-consuming to achieve this
252 "Dynamic groups" are like normal groups, but they let one specify
253 criteria to be used for evaluating membership to a group; the
254 membership of the group is determined dynamically by the directory
255 servers involved. This lets the group administrator define the
256 membership in terms of attributes, and let the DSAs worry about who
257 are the actual members. This solution is more scalable and reduces
258 administrative costs. This can also supplement static groups in LDAP
259 to provide flexibility to the user.
279 Haripriya, et al. Expires July 9, 2007 [Page 5]
281 Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
284 3. Requirements of a dynamic group feature
286 The following requirements SHOULD be met by a proposal for the
287 dynamic groups feature:
289 1. Creation and administration of dynamic groups should be done
290 using normal LDAP operations.
292 2. Applications must be able to use dynamic groups in the same way
293 that they are able to use static groups for listing members and
294 for membership evaluation.
296 3. Interrogation of a dynamic group's membership should be done
297 using normal LDAP operations, and should be consistent. This
298 means that all authorization identities with the same permission
299 to the membership attribute of a dynamic group (such as 'read')
300 should be presented with the same membership list.
335 Haripriya, et al. Expires July 9, 2007 [Page 6]
337 Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
340 4. Schema and Semantic Definitions for Dynamic Groups
342 The dynamic group classes are defined by the following schema
346 The following object classes MUST be supported, and their semantics
347 understood by the server, for it to support the dynamic groups
352 ( <OID.TBD> NAME 'dynamicGroup' SUP groupOfNames STRUCTURAL MAY
353 (memberQueryURL $ excludedMember $ dgIdentity ))
355 This structural object class is used to create a dynamic group
356 object. It is derived from groupOfNames, which is defined in [4].
358 4.1.2. dynamicGroupOfUniqueNames
360 ( <OID.TBD> NAME 'dynamicGroupOfUniqueNames' SUP groupOfUniqueNames
361 STRUCTURAL MAY (memberQueryURL $ excludedMember $ dgIdentity ))
363 This structural object class is used to create a dynamic group object
364 whose membership list is held in a uniqueMember attribute. It is
365 derived from groupOfUniqueNames, which is defined in [4].
367 4.1.3. dynamicGroupAux
369 ( <OID.TBD> NAME 'dynamicGroupAux' SUP groupOfNames AUXILIARY MAY
370 (memberQueryURL $ excludedMember $ dgIdentity ))
372 This auxiliary object class is used to convert an existing object to
373 a dynamic group or to create an object of another object class but
374 with dynamic group capabilities. This is derived from groupOfNames
375 which is defined in [4].
377 4.1.4. dynamicGroupOfUniqueNamesAux
379 ( <OID.TBD> NAME 'dynamicGroupOfUniqueNamesAux' SUP groupOfUniqueNames
380 AUXILIARY MAY (memberQueryURL $ excludedMember $ dgIdentity ))
382 This auxiliary object class is used to convert an existing object to
383 a dynamic group of unique names or to create an object of another
384 object class but with dynamic group capabilities. This is derived
385 from groupOfUniqueNames which is defined in [4].
391 Haripriya, et al. Expires July 9, 2007 [Page 7]
393 Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
398 The following attribute names MUST be supported by the server.
400 4.2.1. memberQueryURL
402 This attribute describes the membership of the list using an LDAPURL
405 (<OID.TBD> NAME 'memberQueryURL' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
407 The value of memberQueryURL is encoded as an LDAPURL [3]
447 Haripriya, et al. Expires July 9, 2007 [Page 8]
449 Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
452 The BNF from [3] is listed here for reference.
453 ldapurl = scheme COLON SLASH SLASH [host [COLON port]] [SLASH dn
454 [QUESTION [attributes] [QUESTION [scope] [QUESTION [filter] [QUESTION
456 ; <host> and <port> are defined
457 ; in Sections 3.2.2 and 3.2.3
459 ; <filter> is from Section 3 of
460 ; [RFC4515], subject to the
462 ; "Percent-Encoding" section
465 dn = distinguishedName ; From Section 3 of [RFC4514],
466 ; subject to the provisions of
467 ; the "Percent-Encoding"
469 attributes = attrdesc *(COMMA attrdesc)
470 attrdesc = selector *(COMMA selector)
471 selector = attributeSelector ; From Section 4.5.1 of
472 ; [RFC4511], subject to the
474 ; "Percent-Encoding" section
476 scope = "base" / "one" / "sub"
477 extensions = extension *(COMMA extension)
478 extension = [EXCLAMATION] extype [EQUALS exvalue]
479 extype = oid ; From section 1.4 of [RFC4512].
480 exvalue = LDAPString ; From section 4.1.2 of
481 ; [RFC4511], subject to the
483 ; "Percent-Encoding" section
485 EXCLAMATION = %x21 ; exclamation mark ("!")
486 SLASH = %x2F ; forward slash ("/")
487 COLON = %x3A ; colon (":")
488 QUESTION = %x3F ; question mark ("?")
491 For the purpose of evaluating dynamic members, the directory server
492 uses only the dn, scope, filter and extensions fields. All remaining
493 fields are ignored if specified. If other fields are specified, the
494 server SHALL ignore them and MAY omit them when presenting the value
495 to a client. The dn is used to specify the base dn from which to
496 start the search for dynamic members. The scope specifies the scope
497 with respect to the dn in which to search for dynamic members. The
498 filter specifies the criteria with which to select objects for
503 Haripriya, et al. Expires July 9, 2007 [Page 9]
505 Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
508 4.2.1.1. The x-chain extension
510 A new extension is defined for use of the memberQueryURL in dynamic
511 groups, named 'x-chain'. x-chain does not take a value. When x-chain
512 is present, the server must follow any search continuation references
513 to other servers while searching for dynamic members. When x-chain
514 is absent, the dynamic members computed will be only those that are
515 present on the server from which the search is made. A directory
516 server supporting the memberQueryURL MAY support the x-chain
517 extension, thus the x-chain extension could be critical or non-
518 critical as specified by the '!' prefix to the extension type.
520 4.2.1.2. Semantics of multiple values for memberQueryURL
522 The memberQueryURL MAY have multiple values, and in that case, the
523 members of the dynamic group will be the union of the members
524 computed using each individual URL value. This is useful in
525 specifying a group membership that is made up from subtrees rooted at
526 different base DNs, and possibly using different filters.
528 4.2.1.3. Condition of membership
530 An object O is a member of a dynamic group G if and only if
532 (( O is a value of the 'member' or 'uniqueMember' attribute of G)
536 (( O is selected by the membership criteria specified in the
537 'memberQueryURL' attribute values of G)
541 ( O is not listed in the 'excludedMember' attribute of G) ))
543 If a member M of a dynamic group G happens to be a dynamic or a
544 static group, the static or dynamic members of M SHALL NOT be
545 considered as members of G. M is a member of G though.
547 The last condition is imposed because
549 o Recursively evaluating members of members may degrade the
550 performance of the server drastically.
552 o Looping may occur particularly in situations where the search
553 chains across multiple-servers.
559 Haripriya, et al. Expires July 9, 2007 [Page 10]
561 Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
564 o Dynamic membership assertions (compare operation) cannot be
565 optimized if recursive memberships are allowed. Without
566 recursion, comparisons can be made light-weight.
568 4.2.2. excludedMember
570 ( <OID.TBD> NAME 'excludedMember' SUP distinguishedName )
572 This attribute is used to exclude entries from being a dynamic member
573 of a dynamic group. Thus an entry is a dynamic member of a dynamic
574 group if and only if it is selected by the member criteria specified
575 by the 'memberQueryURL' attribute or explicitly added to the member
576 or uniqueMember attribute, and it is not listed in the
577 'excludedMember' attribute.
581 ( 2.5.4.31 NAME 'member' SUP distinguishedName )
583 Defined in [4], this attribute is overloaded when used in the context
584 of a dynamic group. It is used to explicitly specify static members
585 of a dynamic group. If the same entry is listed in both the 'member'
586 and 'excludedMember' attributes, the 'member' overrides the
587 'excludedMember', and the entry is considered to be a member of the
588 group. This attribute is also used to interrogate both the static
589 and dynamic member values of a dynamic group object. Subclasses of
590 this attribute are NOT considered in this manner.
594 ( 2.5.4.32 NAME 'uniqueMember' SUP distinguishedName )
596 Defined in [4], this attribute is overloaded when used in the context
597 of a dynamic group. It is used to specify the static members of a
598 dynamic group. If the same entry is listed in both the
599 'uniqueMember' and 'excludedMember' attributes, the 'uniqueMember'
600 overrides the 'excludedMember', and the entry is considered to be a
601 member of the group. This attribute is also used to interrogate both
602 the static and dynamic member values of a dynamic group object.
603 Subclasses of this attribute are NOT considered in this manner.
607 ( <OID.TBD> NAME 'identity' SUP distinguishedName SINGLE-VALUE )
609 In order to provide consistent results when processing the search
610 criteria, the server must use a single authorization identity. If
611 the authorization of the bound identity is used, the membership list
615 Haripriya, et al. Expires July 9, 2007 [Page 11]
617 Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
620 will vary, from identity to identity due to differing access
621 controls. This may either be done by the server authenticating as
622 the dgIdentity prior to performing a search or compare operation, or
623 may be done by simply assuming the authorization of the dgIdentity
624 when performing those operations. As server implementations vary, so
625 may the mechanisms to achieve consistent results through the use of
626 the dgIdentity. In the case that the server authenticates as the
627 dgIdentity, it may be required by the server that this identity have
628 proper authentication credentials, and it may be required that this
629 identity reside in the DIB of the local server.
631 In the absence of an identity value, or in case the identity value
632 cannot be used, the server will process the memberQueryURL as the
633 anonymous identity. This attribute MAY be supported, and represents
634 the identity the server will use for processing the memberQueryURL.
636 4.5.1. dgIdentity - Security implications
638 Because this attribute indirectly but effectively grants anyone with
639 read or compare access to the member or uniqueMember attribute
640 sufficient permission to gain a DN result set from the
641 memberQueryURL, server implementations SHOULD NOT allow this
642 attribute to be populated with the DN of any object that is not
643 administered by the identity making the change to this attribute.
644 For purposes of this document, to "administer an object" indicates
645 that the administrative identity has the ability to fully update the
646 access control mechanism in place the object in question. As of this
647 writing, there is no way to describe further what it means to be
648 fully able to administer the access control mechanism for an object,
649 so this definition is left as implementation-specific.
651 This requirement will allow an entity that has privileges to
652 administer a particular subtree (meaning that entity can add, delete,
653 and update objects in that subtree), to place in the dgIdentity DNs
654 of only those objects it administers.
671 Haripriya, et al. Expires July 9, 2007 [Page 12]
673 Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
676 5. Advertisement of support for dynamic groups
678 If the dynamic groups schema is not present on an LDAP server, it
679 MUST be assumed that the dynamic groups feature is not supported.
727 Haripriya, et al. Expires July 9, 2007 [Page 13]
729 Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
732 6. Dynamic Group Operations
734 6.1. Existing Operations
736 The following operations SHOULD expose the dynamic groups
737 functionality. These operations do not require any change in the
738 LDAP protocol to be exchanged between the client and server.
740 6.1.1. Access to resources in the directory
742 If access control items are set on a target resource object in the
743 directory, with the subject being a dynamic group object, then all
744 the members of the group object, including the dynamic members, will
745 get the same permissions on the target entry. This would be the most
746 useful application of dynamic groups as seen by an administrator
747 because it lets the server control access to resources based on
748 dynamic membership to a trustee (subject of ACI) of the resource.
749 The way to specify a dynamic ACL is currently implementation
750 specific, as there is no common ACL definition for LDAP, and hence
751 will be dealt with in a separate document or later (TO BE DONE).
753 6.1.2. Reading a dynamic group object
755 When the member attributes of a dynamic group object is listed by the
756 client using an LDAP search operation, the member values returned
757 SHOULD contain both the static and dynamic members of the group
758 object. This functionality will not require a change to the
759 protocol, and the clients need not be aware of dynamic groups to
760 exploit this functionality. This feature is useful for clients that
761 determine access privileges to a resource by themselves, by reading
762 the members of a group object. It will also be useful to
763 administrators who want to see the result of the query URL that they
764 set on the dynamic group entry. Note that this overloads the
765 semantics of the 'member' and 'uniqueMember' attributes. This could
766 lead to some surprises for the client .
768 for example: Clients that read the member attribute of a dynamic
769 group object and then attempt to remove values (which were dynamic)
770 could get an error specifying such a value was not there.
774 Let cn=dg1,o=myorg be a dynamic group object with the following
775 attributes stored in the directory.
783 Haripriya, et al. Expires July 9, 2007 [Page 14]
785 Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
788 member: cn=admin,o=myorg
790 excludedMember: cn=guest,ou=finance,o=myorg
792 excludedMember: cn=robin,ou=finance,o=myorg
795 ldap:///ou=finance,o=myorg??sub?(objectclass=organizationalPerson)
797 If there are 5 organizationalPerson objects under ou=finance,o=myorg
798 with common names bob, alice, john, robin, and guest, then the output
799 of a base-scope LDAP search at cn=dg1,o=myorg, with the attribute
800 list containing 'member' will be as follows:
804 member: cn=admin,o=myorg
806 member: cn=bob,ou=finance,o=myorg
808 member: cn=alice,ou=finance,o=myorg
810 member: cn=john,ou=finance,o=myorg
812 6.1.3. 'Is Member Of' functionality
814 The LDAP compare operation allows one to discover whether a given DN
815 is in the membership list of a dynamic group. Again, the server
816 SHOULD produce consistent results among different authorization
817 identities when processing this request, as long as those identities
818 have the same access to the member or uniqueMember attribute. Using
819 the data from the example in Section 6.1.2, a compare on
820 cn=dg1,o=myorg, for the AVA member=cn=bob,ou=finance,o=myorg would
821 result in a response of compareTrue (assuming the bound identity was
822 authorized to compare the member attribute of cn=dg1,o=myorg).
824 Likewise, a search operation that contains an equalityMatch or
825 presence filter, naming the member or uniqueMember attribute as the
826 attribute (such as (member= cn=bob,ou=finance,o=myorg), or
827 (member=*)), will cause the server to evaluate this filter against
828 the rules given in Section 4.2.1.3 in the event that the search is
829 performed on a dynamic group object. As of this writing, no other
830 matching rules exist for the distinguished name syntax, thus no
831 requirements beyond equalityMatch are given here.
839 Haripriya, et al. Expires July 9, 2007 [Page 15]
841 Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
846 The following new extensions are added for dynamic group support.
848 6.2.1. Managing the static members of a dynamic group
850 Because a dynamic group overloads the semantics of the member and
851 uniqueMember attributes, a mechanism is needed to retrieve the static
852 values found in these attributes for management purposes. To serve
853 this need, a new attribute option is defined here called 'x-static'.
854 Attribute options are discussed in Section 2.5 of [2]. This option
855 SHALL only be specified with the 'member' or 'uniqueMember'
856 attribute. When the LDAP server does not understand the semantics of
857 this option on a given attribute, the option SHOULD be ignored. This
858 attribute option is only used to affect the transmitted values, and
859 does not impose sub-typing semantics on the attribute.
861 This option MAY be specified by a client during a search request in
862 the list of attributes to be returned, i.e. member;x-static. In this
863 case, the server SHALL only return those members of the dynamic group
864 that are statically listed as values of the member or uniqueMember
865 attribute. The evaluation process listed in Section 9 SHALL NOT be
866 used to populate the values to be returned.
868 This option MAY be specified is either an equalityMatch or presence
869 search filter. In this case, the server evaluates only the values
870 statically listed in the member or uniqueMember attribute, and does
871 not apply the evaluation process listed in Section 9.
873 This option MAY be specified in update operations such as add and
874 modify, but SHOULD be ignored, as its presence is semantically the
875 same as its non-presence.
877 Note to user: Performing a search to read a dynamic group, with a
878 filter item such as (member=*), and specifying member;x-static, may
879 result in a search result entry that has no member attribute. This
880 may seem counter-intuitive.
895 Haripriya, et al. Expires July 9, 2007 [Page 16]
897 Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
900 7. Performance Considerations
902 When the x-chain extension is present on the memberQueryURL, the
903 server MUST follow any search continuation references to other
904 servers while searching for dynamic members. This may be expensive
905 and slow in a true distributed environment. The dynamicGroup
906 implementation can consider a distributed caching feature to improve
907 the performance. An outline of such a distributed caching is given
910 7.1. Caching of Dynamic Members
912 Since the dynamic members of a group are computed every time the
913 group is accessed, the performance could be affected. An
914 implementation of dynamic groups can get around this problem by
915 caching the computed members of a dynamic group locally and using the
916 cached data subsequently. One way to do this is to create pseudo-
917 objects for each dynamic group on every server that holds an object
918 that is a dynamic member of the group. With this, the computation of
919 the dynamic members of a group reduces to the task of reading the
920 pseudo-objects from each server. These pseudo-objects need to be
921 linked from the original dynamic group to speed up the member
922 computation. Also, since these are cached objects, appropriate
923 timeouts need to be associated with the cache after which the cache
924 should be invalidated or refreshed
951 Haripriya, et al. Expires July 9, 2007 [Page 17]
953 Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
956 8. Security Considerations
958 This document discusses the use of one object as the identity
959 (Section 4.5) with which to read information for another object. If
960 the creation of the dgIdentity attribute is uncontrolled, an intruder
961 could potentially create a dynamic group with the identity of, say,
962 the administrator, to be able to read the directory as the
963 administrator, and see information which would be otherwise
964 unavailable to him. Thus, a person adding an object as identity of a
965 dynamic group should have appropriate permissions on the object being
968 This document also discusses using dynamic memberships to provide
969 access for resources in a directory. As the dynamic members are not
970 created by the administrator, there could be surprises for the
971 administrator in the form of certain objects getting access to
972 certain resources through dynamic membership, which the administrator
973 never intended. So the administrator should be wary of such
974 problems. The administrator could view the memberships and make sure
975 that anybody who is not supposed to be a member of a group is added
976 to the excludedMember list.
978 Denial of service attacks can be launched on an LDAP server, by
979 repeatedly searching for a dynamic group with a large membership list
980 and listing the member attribute. A more effective form of denial of
981 service attack could be launched by making searches of the form
982 (member="somedn") at the top of tree and closing the client
983 connection as soon as the search starts. Some administrative limits
984 be imposed to avoid such situations.
986 The dynamic groups feature could be potentially misused by a user to
987 circumvent any administrative size-limit restriction placed on the
988 server. In order to search an LDAP server and obtain the names of
989 all the objects on the server irrespective of admin size-limit
990 restriction on the server, the LDAP user could create a dynamic group
991 with a memberQueryURL which matches all objects in the tree, and list
992 just that one object.
1007 Haripriya, et al. Expires July 9, 2007 [Page 18]
1009 Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
1012 9. IANA Considerations
1014 There are no IANA considerations.
1063 Haripriya, et al. Expires July 9, 2007 [Page 19]
1065 Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
1070 This document discusses the syntax, semantics and usage of dynamic
1119 Haripriya, et al. Expires July 9, 2007 [Page 20]
1121 Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
1124 11. Normative References
1126 [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
1127 Levels", BCP 14, RFC 2119, March 1997.
1129 [2] Zeilenga, K., "Lightweight Directory Access Protocol (LDAP):
1130 Directory Information Models", RFC 4512, June 2006.
1132 [3] Smith, M. and T. Howes, "Lightweight Directory Access Protocol
1133 (LDAP): Uniform Resource Locator", RFC 4516, June 2006.
1135 [4] Sciberras, A., "Lightweight Directory Access Protocol (LDAP):
1136 Schema for User Applications", RFC 4519, June 2006.
1175 Haripriya, et al. Expires July 9, 2007 [Page 21]
1177 Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
1180 Appendix A. Example Values for memberQueryURL
1182 1. This memberQueryURL value specifies the membership criteria for a
1183 dynamic group entry as "all inetorgperson entries that also have
1184 their title attribute set to 'manager', and are in the DIT-wide
1185 subtree under ou=hr,o=myorg ".
1187 memberQueryURL: ldap:///
1188 ou=hr,o=myorg??sub?(&
1189 (objectclass=inetorgperson)(title=manager))? x-chain
1191 2. This value lets the user specify the membership criteria for a
1192 dynamic group entry as "all entries on the local server, that
1193 either have unix accounts or belong to the unix department, and
1194 are under the engineering container ".
1196 memberQueryURL: ldap:///ou=eng,o=myorg??sub?
1197 (|(objectclass=posixaccount)(department=unix))
1199 3. These values let the user specify the membership criteria as "all
1200 inetorgperson entries on the local server, in either the
1201 ou=eng,o=myorg or ou=support,o=myorg" subtrees.
1204 ldap:///ou=eng,o=myorg??sub?(objectclass=inetorgperson)
1207 ldap:///ou=support,o=myorg??sub?(objectclass=inetorgperson)
1231 Haripriya, et al. Expires July 9, 2007 [Page 22]
1233 Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
1236 Appendix B. Acknowledgments
1238 Funding for the RFC Editor function is currently provided by the
1287 Haripriya, et al. Expires July 9, 2007 [Page 23]
1289 Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
1296 49/1 & 49/3 Garvebhavi Palya,
1297 7th Mile, Hosur Road
1298 Bangalore, Karnataka 560068
1301 Email: sharipriya@novell.com
1304 Jaimon Jose (editor)
1306 49/1 & 49/3 Garvebhavi Palya,
1307 7th Mile, Hosur Road
1308 Bangalore, Karnataka 560068
1311 Email: jjaimon@novell.com
1316 1800 South Novell Place
1320 Email: jimse@novell.com
1343 Haripriya, et al. Expires July 9, 2007 [Page 24]
1345 Internet-Draft LDAP: Dynamic Groups for LDAPv3 January 2007
1348 Full Copyright Statement
1350 Copyright (C) The Internet Society (2007).
1352 This document is subject to the rights, licenses and restrictions
1353 contained in BCP 78, and except as set forth therein, the authors
1354 retain all their rights.
1356 This document and the information contained herein are provided on an
1357 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
1358 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
1359 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
1360 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
1361 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
1362 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
1365 Intellectual Property
1367 The IETF takes no position regarding the validity or scope of any
1368 Intellectual Property Rights or other rights that might be claimed to
1369 pertain to the implementation or use of the technology described in
1370 this document or the extent to which any license under such rights
1371 might or might not be available; nor does it represent that it has
1372 made any independent effort to identify any such rights. Information
1373 on the procedures with respect to rights in RFC documents can be
1374 found in BCP 78 and BCP 79.
1376 Copies of IPR disclosures made to the IETF Secretariat and any
1377 assurances of licenses to be made available, or the result of an
1378 attempt made to obtain a general license or permission for the use of
1379 such proprietary rights by implementers or users of this
1380 specification can be obtained from the IETF on-line IPR repository at
1381 http://www.ietf.org/ipr.
1383 The IETF invites any interested party to bring to its attention any
1384 copyrights, patents or patent applications, or other proprietary
1385 rights that may cover technology that may be required to implement
1386 this standard. Please address the information to the IETF at
1392 Funding for the RFC Editor function is provided by the IETF
1393 Administrative Support Activity (IASA).
1399 Haripriya, et al. Expires July 9, 2007 [Page 25]
projects / openldap / blob