draft-legg-ldap-acm-admin-01.txt Adacel Technologies
Intended Category: Standards Track September 18, 2002
Access Control Administration in LDAP
Copyright (C) The Internet Society (2002). All Rights Reserved.
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress".
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Distribution of this document is unlimited. Comments should be sent
to the LDUP working group mailing list <ietf-ldup@imc.org> or to the
This Internet-Draft expires on 18 March 2003.
This document adapts the X.500 directory administrative model, as it
pertains to access control administration, for use by the Lightweight
Directory Access Protocol. The administrative model partitions the
Directory Information Tree for various aspects of directory data
administration, e.g. subschema, access control and collective
attributes. This document provides the particular definitions that
support access control administration, but does not define a
particular access control scheme.
Legg Expires 18 March 2003 [Page 1]
INTERNET-DRAFT Access Control Administration September 18, 2002
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
1. Abstract .................................................... 1
2. Table of Contents ........................................... 2
3. Introduction ................................................ 2
4. Access Control Administrative Areas ......................... 3
5. Access Control Scheme Indication ............................ 3
6. Access Control Information .................................. 4
7. Access Control Subentries ................................... 4
8. Applicable Access Control Information ....................... 5
9. Security Considerations ..................................... 5
10. Acknowledgements ........................................... 6
11. Normative References ....................................... 6
12. Informative References ..................................... 6
13. Copyright Notice ........................................... 7
14. Author's Address ........................................... 7
This document adapts the X.500 directory administrative model [X501],
as it pertains to access control administration, for use by the
Lightweight Directory Access Protocol (LDAP) [RFC2251].
The administrative model [ADMIN] partitions the Directory Information
Tree (DIT) for various aspects of directory data administration, e.g.
subschema, access control and collective attributes. The parts of
the administrative model that apply to every aspect of directory data
administration are described in [ADMIN]. This document describes the
administrative framework for access control.
An access control scheme describes the means by which access to
directory information, and potentially to access rights themselves,
may be controlled. This document describes the framework for
employing access control schemes but does not define a particular
access control scheme. Two access control schemes known as Basic
Access Control and Simplified Access Control are defined by [BAC].
Other access control schemes MAY be defined by other documents.
Schema definitions are provided using LDAP description formats
[RFC2252]. Note that the LDAP descriptions have been rendered with
additional white-space and line breaks for the sake of readability.
This document is derived from, and duplicates substantial portions
of, Sections 4 and 8 of [X501].
4. Access Control Administrative Areas
The specific administrative area [ADMIN] for access control is termed
an Access Control Specific Area (ACSA). The root of the ACSA is
termed an Access Control Specific Point (ACSP) and is represented in
the DIT by an administrative entry [ADMIN] which includes
accessControlSpecificArea as a value of its administrativeRole
operational attribute [SUBENTRY].
An ACSA MAY be partitioned into subtrees termed inner administrative
areas [ADMIN]. Each such inner area is termed an Access Control
Inner Area (ACIA). The root of the ACIA is termed an Access Control
Inner Point (ACIP) and is represented in the DIT by an administrative
entry which includes accessControlInnerArea as a value of its
administrativeRole operational attribute.
An administrative entry can never be both an ACSP and an ACIP. The
corresponding values can therefore never be present simultaneously in
the administrativeRole attribute.
Each entry necessarily falls within one and only one ACSA. Each such
entry may also fall within one or more ACIAs nested inside the ACSA
containing the entry.
An ACSP or ACIP has zero, one or more subentries that contain Access
Control Information (ACI).
5. Access Control Scheme Indication
The access control scheme (e.g. Basic Access Control [BAC]) in force
in an ACSA is indicated by the accessControlScheme operational
attribute contained in the administrative entry for the relevant
The LDAP description [RFC2252] for the accessControlScheme
operational attribute is:
    ( 2.5.24.1 NAME 'accessControlScheme'
        EQUALITY objectIdentifierMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
        SINGLE-VALUE USAGE directoryOperation )
An access control scheme conforming to the access control framework
described in this document MUST define a distinct OBJECT IDENTIFIER
value to identify it through the accessControlScheme attribute.
Only administrative entries for ACSPs are permitted to contain an
accessControlScheme attribute. If the accessControlScheme attribute
is absent from a given ACSP, the access control scheme in force in
the corresponding ACSA, and its effect on operations, results and
errors, is implementation defined.
Any entry or subentry in an ACSA is permitted to contain ACI if and
only if such ACI is permitted by, and consistent with, the access
control scheme identified by the value of the accessControlScheme
attribute of the ACSP.
6. Access Control Information
There are three categories of Access Control Information (ACI):
entry, subentry and prescriptive.
Entry ACI applies to only the entry or subentry in which it appears,
and the contents thereof. Subject to the access control scheme, any
entry or subentry MAY hold entry ACI.
Subentry ACI applies to only the subentries of the administrative
entry in which it appears. Subject to the access control scheme, any
administrative entry, for any aspect of administration, MAY hold
Prescriptive ACI applies to all the entries within a subtree or
subtree refinement of an administrative area (either an ACSA or an
ACIA), as defined by the subtreeSpecification attribute of the
subentry in which it appears. Prescriptive ACI is only permitted in
subentries of an ACSP or ACIP. Prescriptive ACI in the subentries of
a particular administrative point never applies to the same or any
other subentry of that administrative point, but does apply to the
subentries of subordinate administrative points, where those
subentries are within the subtree or subtree refinement.
7. Access Control Subentries
Each subentry which contains prescriptive ACI MUST have
accessControlSubentry as a value of its objectClass attribute. Such
a subentry is called an access control subentry.
The LDAP description [RFC2252] for the accessControlSubentry
auxiliary object class is:
    ( 2.5.17.1 NAME 'accessControlSubentry' AUXILIARY )
A subentry of this object class MUST contain at least one
prescriptive ACI attribute of a type consistent with the value of the
accessControlScheme attribute of the corresponding ACSP.
The subtree or subtree refinement for an access control subentry is
termed a Directory Access Control Domain (DACD). A DACD can contain
zero entries, and can encompass entries that have not yet been added
to the DIT, but does not extend beyond the scope of the ACSA or ACIA
with which it is associated.
Since a subtreeSpecification may define a subtree refinement, DACDs
within a given ACSA may arbitrarily overlap.
8. Applicable Access Control Information
Although particular items of ACI may specify attributes or values as
the protected items, ACI is logically associated with entries.
The ACI that is considered in access control decisions regarding an
(1) Entry ACI from that particular entry.
(2) Prescriptive ACI from access control subentries whose DACDs
    contain the entry. Each of these access control subentries is
    necessarily either a subordinate of the ACSP for the ACSA
    containing the entry, or a subordinate of the ACIP for an ACIA
    that contains the entry.
The ACI that is considered in access control decisions regarding a
(1) Entry ACI from that particular subentry.
(2) Prescriptive ACI from access control subentries whose DACDs
    contain the subentry, excluding those belonging to the same
    administrative point as the subentry for which the decision is
(3) Subentry ACI from the administrative point associated with the
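The following is an added illustration, not part of the draft or of any X.500 implementation, of how the rules in Sections 4, 5 and 8 combine when selecting the ACI that applies to an ordinary entry. It reduces a subtreeSpecification to its base (the chop and specificationFilter refinements are omitted), treats DNs as tuples of RDN strings with the root first, and uses a constructed sample DIT whose accessControlScheme value is a placeholder OID.

```python
# Added example (not from the draft): a minimal model of the access control
# administrative areas of Sections 4-8, used to compute the ACI applicable
# to an entry. DNs are tuples of RDNs, root first. A subtreeSpecification is
# reduced to its base, relative to the administrative point; refinements
# and the subentry case of Section 8 are omitted.
ACSP, ACIP = "accessControlSpecificArea", "accessControlInnerArea"

def is_prefix(prefix, dn):
    return dn[:len(prefix)] == prefix

def check_admin_point(dn, roles, scheme):
    # Sections 4 and 5: an entry is never both ACSP and ACIP, and only an
    # ACSP may carry the accessControlScheme attribute.
    if ACSP in roles and ACIP in roles:
        raise ValueError(f"{dn}: entry is both ACSP and ACIP")
    if scheme is not None and ACSP not in roles:
        raise ValueError(f"{dn}: accessControlScheme outside an ACSP")

def acsp_of(dit, dn):
    # The ACSA containing dn is rooted at its nearest ancestor-or-self ACSP.
    for i in range(len(dn), -1, -1):
        if ACSP in dit.get(dn[:i], {}).get("roles", ()):
            return dn[:i]
    raise ValueError(f"{dn}: not inside any ACSA")

def applicable_aci(dit, subentries, dn):
    # Section 8, for an entry: its own entry ACI plus prescriptive ACI from
    # every access control subentry whose DACD contains it. A DACD never
    # extends beyond its ACSA/ACIA, so the subentry's administrative point
    # must be an ancestor of dn lying at or below dn's own ACSP.
    for p, e in dit.items():
        check_admin_point(p, e.get("roles", ()), e.get("scheme"))
    area = acsp_of(dit, dn)
    aci = list(dit[dn].get("aci", ()))
    for admin_point, base, prescriptive in subentries:
        if (is_prefix(admin_point, dn) and is_prefix(area, admin_point)
                and is_prefix(admin_point + base, dn)):
            aci.extend(prescriptive)
    return aci

# Constructed sample DIT: an ACSP at dc=example (placeholder scheme OID) with
# an ACIP at ou=eng; subentries are (admin point, base, prescriptive ACI).
DIT = {
    ("dc=example",): {"roles": {ACSP}, "scheme": "1.3.6.1.4.1.99999.1"},
    ("dc=example", "ou=eng"): {"roles": {ACIP}},
    ("dc=example", "ou=eng", "cn=alice"): {"aci": ["self:read"]},
    ("dc=example", "ou=sales", "cn=bob"): {},
}
SUBENTRIES = [
    (("dc=example",), (), ["all:browse"]),
    (("dc=example",), ("ou=sales",), ["sales:modify"]),
    (("dc=example", "ou=eng"), (), ["eng:modify"]),
]
```

Calling applicable_aci on cn=alice collects her entry ACI plus the prescriptive ACI of the ACSP-wide and ou=eng subentries, while cn=bob picks up the ACSP-wide and ou=sales subentries only; a DIT in which an entry carries both administrativeRole values is rejected before any decision is made.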
9. Security Considerations
This document defines a framework for employing an access control
scheme, i.e. the means by which access to directory information and
potentially to access rights themselves may be controlled, but does
not itself define any particular access control scheme. The degree
of protection provided, and any security risks, are determined by the
provisions of the access control schemes (defined elsewhere) making
use of this framework.
Security considerations that apply to directory administration in
general [ADMIN] also apply to access control administration.
This document is derived from, and duplicates substantial portions
of, Sections 4 and 8 of [X501].
11. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
          Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2251] Wahl, M., Howes, T. and S. Kille, "Lightweight Directory
          Access Protocol (v3)", RFC 2251, December 1997.
[RFC2252] Wahl, M., Coulbeck, A., Howes, T. and S. Kille,
          "Lightweight Directory Access Protocol (v3): Attribute
          Syntax Definitions", RFC 2252, December 1997.
[ADMIN]   Legg, S., "Directory Administrative Model in LDAP",
          draft-legg-ldap-admin-xx.txt, a work in progress,
[SUBENTRY] Zeilenga, K. and S. Legg, "Subentries in LDAP",
          draft-zeilenga-ldap-subentry-xx.txt, a work in progress,
12. Informative References
[BAC]     Legg, S., "Basic and Simplified Access Control in LDAP",
          draft-legg-ldap-acm-bac-xx.txt, a work in progress,
[COLLECT] Zeilenga, K., "Collective Attributes in LDAP",
          draft-zeilenga-ldap-collective-xx.txt, a work in progress,
[X501]    ITU-T Recommendation X.501 (02/2001), Information
          technology - Open Systems Interconnection - The Directory:
Copyright (C) The Internet Society (2002). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Adacel Technologies Ltd.
405-409 Ferntree Gully Road
Mount Waverley, Victoria 3149
Phone: +61 3 9451 2107
EMail: steven.legg@adacel.com.au
15. Appendix A - Changes From Previous Drafts
15.1 Changes in Draft 01
Section 4 has been extracted to become a separate Internet draft,
draft-legg-ldap-admin-00.txt. The subsections of Section 5 have
become the new Sections 4 to 8. Editorial changes have been made to
accommodate this split. No technical changes have been introduced.