draft-legg-ldap-acm-bac-02.txt                        Adacel Technologies
Intended Category: Standards Track                       February 25, 2003

               Basic and Simplified Access Control in LDAP

    Copyright (C) The Internet Society (2003). All Rights Reserved.

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress".

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   Distribution of this document is unlimited. Comments should be sent
   to the LDUP working group mailing list <ietf-ldup@imc.org> or to the

   This Internet-Draft expires on 25 August 2003.

1. Abstract

   An access control scheme describes the means by which access to
   directory information and potentially to access rights themselves may
   be controlled. This document adapts the X.500 directory Basic Access
   Control and Simplified Access Control schemes for use by the
   Lightweight Directory Access Protocol.

Legg                    Expires 25 August 2003                  [Page 1]

INTERNET-DRAFT      Basic & Simplified Access Control   February 25, 2003
2. Table of Contents

   1. Abstract ...................................................... 1
   2. Table of Contents ............................................. 2
   3. Introduction .................................................. 3
   4. Conventions ................................................... 3
   5. Basic Access Control .......................................... 4
   5.1 Permissions ............................................... 5
   5.1.1 Read ................................................. 5
   5.1.2 Compare .............................................. 6
   5.1.3 Browse ............................................... 6
   5.1.4 ReturnDN ............................................. 6
   5.1.5 FilterMatch .......................................... 6
   5.1.6 Modify ............................................... 6
   5.1.7 Add .................................................. 7
   5.1.8 Remove ............................................... 7
   5.1.9 DiscloseOnError ...................................... 7
   5.1.10 Rename .............................................. 7
   5.1.11 Export .............................................. 8
   5.1.12 Import .............................................. 8
   5.1.13 Invoke .............................................. 8
   5.2 Representation of Access Control Information .............. 8
   5.2.1 Identification Tag ................................... 11
   5.2.2 Precedence ........................................... 11
   5.2.3 Authentication Level ................................. 12
   5.2.4 itemFirst and userFirst Components ................... 13
   5.2.5 Determining Group Membership ......................... 16
   5.3 ACI Operational Attributes ................................ 17
   5.3.1 Prescriptive ACI ..................................... 17
   5.3.2 Entry ACI ............................................ 18
   5.3.3 Subentry ACI ......................................... 18
   5.3.4 Protecting the ACI ................................... 18
   5.4 Access Control Decision Points for LDAP Operations ........ 19
   5.4.1 Common Elements of Procedure ......................... 19
   5.4.1.1 Alias Dereferencing ............................. 19
   5.4.1.2 Return of Names in Errors ....................... 20
   5.4.1.3 Non-disclosure of the Existence of an Entry ..... 20
   5.4.2 Compare Operation Decision Points .................... 21
   5.4.3 Search Operation Decision Points ..................... 21
   5.4.4 Add Operation Decision Points ........................ 24
   5.4.5 Delete Operation Decision Points ..................... 25
   5.4.6 Modify Operation Decision Points ..................... 25
   5.4.7 Modify DN Operation Decision Points .................. 26
   5.5 Access Control Decision Function .......................... 27
   5.5.1 Inputs ............................................... 27
   5.5.2 Tuples ............................................... 27
   5.5.3 Discarding Irrelevant Tuples ......................... 28
   5.5.4 Highest Precedence and Specificity ................... 29
   6. Simplified Access Control ..................................... 29
   7. Security Considerations ....................................... 30
   8. Acknowledgements .............................................. 30
   9. IANA Considerations ........................................... 30
   10. Normative References ......................................... 31
   11. Informative References ....................................... 32
   12. Copyright Notice ............................................. 33
   13. Author's Address ............................................. 33
   Appendix A. LDAP Specific Encoding for the ACI Item Syntax ....... 33
3. Introduction

   An access control scheme describes the means by which access to
   directory information and potentially to access rights themselves may
   be controlled. Control of access to information means the prevention
   of unauthorized detection, disclosure, or modification of that
   information. The definition of an access control scheme in the
   context of a Lightweight Directory Access Protocol (LDAP) [RFC3371]
   directory includes methods to specify Access Control Information
   (ACI), and to enforce access rights defined by that ACI.

   This document adapts the X.500 Basic Access Control and Simplified
   Access Control schemes [X501] for use in LDAP. Both schemes conform
   to, and make use of, the access control administrative framework

   Section 5 describes the Basic Access Control scheme and defines how
   it applies to LDAP operations [RFC2251].

   Simplified Access Control is a functional subset of the Basic Access
   Control scheme. This subset is described in Section 6.

   As a matter of security policy, an implementation supporting Basic
   Access Control or Simplified Access Control is permitted to grant or
   deny any form of access to particular attributes (e.g. password
   attributes) irrespective of access controls which may otherwise
   apply. However, since such security policy has no standardized
   representation, it cannot be propagated in replicated information.

   This document is derived from, and duplicates substantial portions
   of, Section 8 of [X501], and selected extracts from [X511].

4. Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

   Schema definitions are provided using LDAP description formats
   [RFC2252]. Note that the LDAP descriptions have been rendered with
   additional white-space and line breaks for the sake of readability.
5. Basic Access Control

   This section describes the functionality of the Basic Access Control

   When Basic Access Control is used, the accessControlScheme
   operational attribute [ACA] SHALL have the value basic-access-control

   This LDAP profile for Basic Access Control defines, for every LDAP
   operation, one or more points at which access control decisions take
   place. An access control decision will involve a requestor,
   protected items, and permissions.

   A requestor is the user requesting the operation. Basic Access
   Control requires a user's authorization identity to be represented as
   a distinguished name (with an optional unique identifier). The
   mapping of the authentication identity to an authorization identity,
   and the mapping of the authorization identity to a distinguished name
   and optional unique identifier, are outside the scope of this

   A protected item is the element of directory information being
   accessed. The protected items are entries, attributes, attribute
   values and distinguished names. Access to each protected item can be
   separately controlled through ACI.

   A permission is a particular right necessary to complete a portion of

   The Access Control Information, which is used to make access control
   decisions, associates protected items and user classes with
   permissions. ACI is represented in the directory as values of
   operational attributes with the ACI Item syntax [RFC2252]. Each such
   value is referred to as an ACI item.

   The scope of access controls can be a single entry or a collection of
   entries that are logically related by being within the scope of an
   access control subentry of an administrative point (see [ACA]).

   The Access Control Decision Function (ACDF) (Section 5.5) is used to
   decide whether a particular requestor has a particular access right
   by virtue of applicable ACI items.

   Access to DSEs and operational attributes is controlled in the same
   way as for entries and user attributes.

   For query purposes, collective attributes [COLLECT] that are
   associated with an entry are protected precisely as if they were
   attributes actually stored in that entry.

   For the purposes of modification, collective attributes are
   associated with the subentry that holds them, not with entries within
   the scope of the subentry. Modify-related access controls are
   therefore not relevant to collective attributes, except when they
   apply to the collective attribute and its values within the subentry.

5.1 Permissions

   Access is controlled by granting or denying permissions. Access is
   allowed only when there is an explicitly provided grant present in
   the ACI used to make the access control decision. The only default
   access decision provided in the model is to deny access in the
   absence of explicit ACI that grants access. All other factors being
   equal, a denial specified in ACI always overrides a grant.

   Certain combinations of grants or denials are illogical, but it is
   the responsibility of directory clients, rather than the directory
   server, to ensure that such combinations are absent.

   The decision whether or not to permit access to an entry or its
   contents is strictly determined by the position of the entry in the
   Directory Information Tree (DIT), in terms of its distinguished name,
   and is independent of how the directory server locates that entry.

   The following sections introduce the permissions by indicating the
   intent associated with the granting of each. The actual influence of
   a particular granted permission on access control decisions is,
   however, determined by the ACDF and the access control decision
   points for each LDAP operation, described in detail in Section 5.4.
5.1.1 Read

   If granted for an entry, Read permits the entry to be accessed using
   LDAP Compare and baseObject Search operations, but does not imply
   access to all the attributes and values.

   If granted for an attribute type, Read permits the attribute type to
   be returned as entry information in a Search result. Read or Browse
   permission for the entry is a prerequisite.

   If granted for an attribute value, Read permits the attribute value
   to be returned as entry information in a Search result. Read or
   Browse permission for the entry and Read permission for the attribute
   type are prerequisites.

5.1.2 Compare

   If granted for an attribute type, Compare permits the attribute type
   to be tested by the assertion in an LDAP Compare operation. Read
   permission for the entry is a prerequisite.

   If granted for an attribute value, Compare permits the value to be
   tested by the assertion in an LDAP Compare operation. Read
   permission for the entry and Compare permission for the attribute
   type are prerequisites.

5.1.3 Browse

   If granted for an entry, Browse permits the entry to be accessed by
   the LDAP Search operation, including baseObject searches, but does
   not imply access to all the attributes and values.

5.1.4 ReturnDN

   If granted for an entry, ReturnDN allows the distinguished name of
   the entry to be disclosed in a search result.

5.1.5 FilterMatch

   If granted for an attribute type, FilterMatch permits the attribute
   type to satisfy a Filter item.

   If granted for an attribute value, FilterMatch permits the attribute
   value to satisfy a Filter item. FilterMatch permission for the
   attribute type is a prerequisite.

5.1.6 Modify

   If granted for an entry, Modify permits the information contained
   within an entry to be modified by the LDAP Modify operation, subject
   to controls on the attribute types and values.

5.1.7 Add

   If granted for an entry, Add permits creation of an entry in the DIT,
   subject to being able to add all specified attributes and attribute
   values. Add permission granted for an entry is ineffective if Add
   permission is not also granted for at least the mandatory attributes
   and their values. There is no specific "add subordinate permission".
   Permission to add an entry is controlled using prescriptive ACI.

   If granted for an attribute type, Add permits adding a new attribute,
   subject to being able to add all specified attribute values. Add or
   Modify permission for the entry is a prerequisite.

   If granted for an attribute value, Add permits adding that value to
   an existing attribute. Add or Modify permission for the entry is a

5.1.8 Remove

   If granted for an entry, Remove permits the entry to be removed from
   the DIT regardless of controls on attributes or attribute values

   If granted for an attribute, Remove permits removing an attribute,
   subject to being able to remove any explicitly specified attribute
   values. Remove permission for values not explicitly specified is not

   If granted for an attribute value, Remove permits the attribute value
   to be removed from an existing attribute.

5.1.9 DiscloseOnError

   If granted for an entry, DiscloseOnError permits the name of an entry
   to be disclosed in an error result.

   If granted for an attribute, DiscloseOnError permits the presence of
   the attribute to be disclosed by an error.

   If granted for an attribute value, DiscloseOnError permits the
   presence of the attribute value to be disclosed by an error.

5.1.10 Rename

   If granted for an entry, Rename permits an entry to be renamed with a
   new RDN. No permissions are required for the attributes and values
   altered by the operation, even if they are added or removed as a
   result of the changes to the RDN.

5.1.11 Export

   If granted for an entry, Export permits the entry and its
   subordinates, if any, to be removed from the current location and
   placed in a new location, subject to the granting of Import
   permission at the destination.

   If the last RDN is changed, Rename permission at the current location

5.1.12 Import

   If granted for an entry, Import permits an entry and its
   subordinates, if any, to be placed at the location to which the
   permission applies, subject to the granting of Export permission at

5.1.13 Invoke

   Invoke, if granted for an operational attribute, or value thereof,
   permits the directory server to carry out some function associated
   with the operational attribute on behalf of the user. The specific
   function carried out by invocation depends on the attribute. No
   other permissions are required by the user for the operational
   attribute, or on the entry/subentry that holds it, in order for it to be
5.2 Representation of Access Control Information

   Access Control Information is represented as a set of ACI items,
   where each ACI item grants or denies permissions in regard to certain
   specified users and protected items.

   An ACI item is represented as a value of an operational attribute
   with the ACI Item syntax (1.3.6.1.4.1.1466.115.121.1.1) [RFC2252].

   This document updates [RFC2252] by specifying a human-readable
   LDAP-specific encoding for ACI items. The LDAP-specific encoding of
   values of the ACI Item syntax is defined by the Generic String
   Encoding Rules described in [GSER]. Appendix A provides an
   equivalent ABNF for this syntax.

   For convenience in specifying access control policies, the ACI Item
   syntax provides the means to identify collections of related items,
   such as attributes in an entry or all attribute values of a given
   attribute, and to specify a common protection for them.

   The ACI Item syntax corresponds to the ACIItem ASN.1 type defined in
   [X501]. It is reproduced here for convenience:

   ACIItem ::= SEQUENCE {
       identificationTag       DirectoryString { ub-tag },
       precedence              Precedence,
       authenticationLevel     AuthenticationLevel,
       itemOrUserFirst         CHOICE {
           itemFirst       [0] SEQUENCE {
               protectedItems      ProtectedItems,
               itemPermissions     SET OF ItemPermission },
           userFirst       [1] SEQUENCE {
               userClasses         UserClasses,
               userPermissions     SET OF UserPermission } } }

   Precedence ::= INTEGER (0..255)

   ProtectedItems ::= SEQUENCE {
       entry                           [0]  NULL OPTIONAL,
       allUserAttributeTypes           [1]  NULL OPTIONAL,
       attributeType                   [2]  SET SIZE (1..MAX) OF
                                                AttributeType OPTIONAL,
       allAttributeValues              [3]  SET SIZE (1..MAX) OF
                                                AttributeType OPTIONAL,
       allUserAttributeTypesAndValues  [4]  NULL OPTIONAL,
       attributeValue                  [5]  SET SIZE (1..MAX) OF
                                                AttributeTypeAndValue OPTIONAL,
       selfValue                       [6]  SET SIZE (1..MAX) OF
                                                AttributeType OPTIONAL,
       rangeOfValues                   [7]  Filter OPTIONAL,
       maxValueCount                   [8]  SET SIZE (1..MAX) OF
                                                MaxValueCount OPTIONAL,
       maxImmSub                       [9]  INTEGER OPTIONAL,
       restrictedBy                    [10] SET SIZE (1..MAX) OF
                                                RestrictedValue OPTIONAL,
       contexts                        [11] SET SIZE (1..MAX) OF
                                                ContextAssertion OPTIONAL,
       classes                         [12] Refinement OPTIONAL }

   MaxValueCount ::= SEQUENCE {

   RestrictedValue ::= SEQUENCE {
       valuesIn        AttributeType }

   UserClasses ::= SEQUENCE {
       allUsers    [0] NULL OPTIONAL,
       thisEntry   [1] NULL OPTIONAL,
       name        [2] SET SIZE (1..MAX) OF NameAndOptionalUID OPTIONAL,
       userGroup   [3] SET SIZE (1..MAX) OF NameAndOptionalUID OPTIONAL,
                       -- dn component shall be the name of an
                       -- entry of GroupOfUniqueNames
       subtree     [4] SET SIZE (1..MAX) OF
                           SubtreeSpecification OPTIONAL }

   NameAndOptionalUID ::= SEQUENCE {
       dn      DistinguishedName,
       uid     UniqueIdentifier OPTIONAL }

   UniqueIdentifier ::= BIT STRING

   ItemPermission ::= SEQUENCE {
       precedence          Precedence OPTIONAL,
                           -- defaults to precedence in ACIItem
       userClasses         UserClasses,
       grantsAndDenials    GrantsAndDenials }

   UserPermission ::= SEQUENCE {
       precedence          Precedence OPTIONAL,
                           -- defaults to precedence in ACIItem
       protectedItems      ProtectedItems,
       grantsAndDenials    GrantsAndDenials }

   AuthenticationLevel ::= CHOICE {
       basicLevels     SEQUENCE {
           level           ENUMERATED { none(0), simple(1), strong(2) },
           localQualifier  INTEGER OPTIONAL,
           signed          BOOLEAN DEFAULT FALSE },

   GrantsAndDenials ::= BIT STRING {
       -- permissions that may be used in conjunction
       -- with any component of ProtectedItems
       grantDiscloseOnError    (2),
       denyDiscloseOnError     (3),
       -- permissions that may be used only in conjunction
       -- with the entry component
       -- permissions that may be used in conjunction
       -- with any component, except entry, of ProtectedItems
       grantFilterMatch        (22),
       denyFilterMatch         (23),

   AttributeTypeAndValue ::= SEQUENCE {
       type    ATTRIBUTE.&id ({SupportedAttributes}),
       value   ATTRIBUTE.&Type ({SupportedAttributes}{@type}) }

   The SubtreeSpecification and Refinement ASN.1 types are defined in
   [X501], and separately described in [SUBENTRY].

   The following sections describe the components of ACIItem.
5.2.1 Identification Tag

   identificationTag is used to identify a particular ACI item. This is
   used to discriminate among individual ACI items for the purposes of
   protection and administration.

5.2.2 Precedence

   Precedence is used to control the relative order in which ACI items
   are considered during the course of making an access control decision
   using the ACDF. ACI items having higher precedence values prevail
   over others with lower precedence values, other factors being equal.
   Precedence values are integers and are compared as such.

5.2.3 Authentication Level

   AuthenticationLevel defines the minimum requestor authentication
   level required for this ACI item. It has two forms:

   1) basicLevels: which indicates the level of authentication,
      optionally qualified by positive or negative integer

   2) other: an externally defined measure.

   When basicLevels is used, an AuthenticationLevel consisting of a
   level and optional localQualifier SHALL be assigned to the requestor
   by the directory server according to local policy. For a requestor's
   authentication level to meet or exceed the minimum requirement, the
   requestor's level must meet or exceed that specified in the ACI item,
   and in addition the requestor's localQualifier must be arithmetically
   greater than or equal to that of the ACI item. Strong authentication
   of the requestor is considered to exceed a requirement for simple or
   no authentication, and simple authentication exceeds a requirement
   for no authentication. For access control purposes, the "simple"
   authentication level requires at least a password; the case of
   identification only, with no password supplied, is considered "none".
   If a localQualifier is not specified in the ACI item, then the
   requestor need not have a corresponding value (if such a value is
   present it is ignored).

   The signed component of basicLevels is ignored for LDAP.

   When other is used, an appropriate AuthenticationLevel shall be
   assigned to the requestor by the directory server according to local
   policy. The form of this AuthenticationLevel and the method by which
   it is compared with the AuthenticationLevel in the ACI is a local

   An authentication level associated with an explicit grant indicates
   the minimum level to which a requestor shall be authenticated in
   order to be granted access.

   An authentication level associated with an explicit deny indicates
   the minimum level to which a requestor shall be authenticated in
   order not to be denied access. For example, an ACI item that denies
   access to a particular user class and requires strong authentication
   will deny access to all requestors who cannot prove, by means of a
   strongly authenticated identity, that they are not in that user

   The directory server may base authentication level on factors other
   than values received in protocol exchanges.
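   The comparison rules of this section, as an added worked example in
   Python that is not part of the draft: the basicLevels form is
   modelled, the policy that assigns a level to a requestor is a
   constructed assumption, and a requestor with no localQualifier is
   assumed not to satisfy an ACI item that specifies one (the text does
   not state that case). The last function shows the grant/deny
   asymmetry described above.

```python
from dataclasses import dataclass
from typing import Optional

# Ordering of the basicLevels.level enumeration: none(0) < simple(1) < strong(2).
LEVEL_ORDER = {"none": 0, "simple": 1, "strong": 2}


@dataclass(frozen=True)
class BasicLevels:
    """AuthenticationLevel in its basicLevels form.  The 'other' form is
    defined by local policy and is not modelled here."""
    level: str                            # "none", "simple" or "strong"
    local_qualifier: Optional[int] = None
    signed: bool = False                  # ignored for LDAP (Section 5.2.3)


def assign_requestor_level(bound_dn: Optional[str], password_supplied: bool,
                           strong_mechanism: bool,
                           local_qualifier: Optional[int] = None) -> BasicLevels:
    """Constructed local policy for assigning a level to a requestor: a
    strong mechanism yields 'strong'; a bind that supplied a password
    yields 'simple'; identification only, with no password, is 'none'."""
    if strong_mechanism:
        level = "strong"
    elif bound_dn is not None and password_supplied:
        level = "simple"
    else:
        level = "none"
    return BasicLevels(level, local_qualifier)


def meets_requirement(requestor: BasicLevels, required: BasicLevels) -> bool:
    """True when the requestor's level meets or exceeds the ACI item's
    minimum.  The 'signed' component is never consulted."""
    if LEVEL_ORDER[requestor.level] < LEVEL_ORDER[required.level]:
        return False
    if required.local_qualifier is None:
        # No qualifier in the ACI item: the requestor's qualifier is ignored.
        return True
    if requestor.local_qualifier is None:
        # Assumption: a requestor without a qualifier cannot satisfy one.
        return False
    return requestor.local_qualifier >= required.local_qualifier


def level_permits_tuple(requestor: BasicLevels, required: BasicLevels,
                        is_grant: bool, in_user_class: bool) -> bool:
    """Whether an ACI item's grant or deny reaches this requestor.
    A grant reaches only a member of the user class who is authenticated
    to at least the required level.  A deny reaches every member of the
    user class, and also every non-member who is not authenticated to
    the required level, since such a requestor cannot prove, at the
    level the ACI item demands, that they are outside the class."""
    if is_grant:
        return in_user_class and meets_requirement(requestor, required)
    return in_user_class or not meets_requirement(requestor, required)
```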
5.2.4 itemFirst and userFirst Components

   Each ACI item contains a choice of itemFirst or userFirst. The
   choice allows grouping of permissions depending on whether they are
   most conveniently grouped by user classes or by protected items. The
   itemFirst and userFirst components are equivalent in the sense that
   they capture the same access control information; however, they
   organize that information differently. The choice between them is
   based on administrative convenience. The subcomponents of itemFirst
   and userFirst are described below.

   a) ProtectedItems defines the items to which the specified access
      controls apply. It is defined as a set selected from the

      - entry means the entry contents as a whole. It does not
        necessarily include the information in these entries. This
        element SHALL be ignored if the classes component is present,
        since this latter element selects protected entries on the basis
        of their object class.

      - allUserAttributeTypes means all user attribute type information
        associated with the entry, but not values associated with those

      - allUserAttributeTypesAndValues means all user attribute
        information associated with the entry, including all values of

      The allUserAttributeTypes and allUserAttributeTypesAndValues
      components do not include operational attributes, which MUST be
      specified on a per attribute basis, using attributeType,
      allAttributeValues or attributeValue.

      - attributeType means attribute type information pertaining to
        specific attributes but not values associated with the type.

      - allAttributeValues means all attribute value information
        pertaining to specific attributes.

      - attributeValue means specific values of specific attribute

      - selfValue means the attribute values of the specified attribute
        types that match the distinguished name (and unique identifier)
        of the requestor. It can only apply in the specific case where
        the attribute specified is of DN syntax
        (1.3.6.1.4.1.1466.115.121.1.12) or Name And Optional UID syntax
        (1.3.6.1.4.1.1466.115.121.1.34) [RFC2252].

      - rangeOfValues means any attribute value which matches the
        specified filter, i.e. for which the specified filter evaluated
        on that attribute value would return TRUE. The filter is not
        evaluated on any entries in the DIB, rather it is evaluated
        using the semantics defined in 7.8 of [X511], operating on a
        fictitious entry that contains only the single attribute value
        which is the protected item. Note that the filter is an X.500
        search Filter. It has a different syntax from the LDAP search
        Filter, but the same semantics.

      The following items provide constraints that may disable the
      granting of certain permissions to protected items in the same
      value of ProtectedItems:

      - maxValueCount restricts the maximum number of attribute values
        allowed for a specified attribute type. It is examined if the
        protected item is an attribute value of the specified type and
        the permission sought is Add. Values of that attribute in the
        entry are counted, without regard to attribute options and
        access control, as though the operation which is attempting to
        add the values is successful. If the number of values in the
        attribute exceeds maxCount, the ACI item is treated as not
        granting Add permission.

      - maxImmSub restricts the maximum number of immediate subordinates
        of the superior entry to an entry being added or imported. It
        is examined if the protected item is an entry, the permission
        sought is Add or Import, and the immediate superior entry is in
        the same server as the entry being added or imported. Immediate
        subordinates of the superior entry are counted, without regard
        to access control, as though the entry addition or importing is
        successful. If the number of subordinates exceeds maxImmSub,
        the ACI item is treated as not granting Add or Import

      - restrictedBy restricts values added to the attribute type to
        being values that are already present in the same entry as
        values of the attribute identified by the valuesIn component.
        It is examined if the protected item is an attribute value of
        the specified type and the permission sought is Add. Values of
        the valuesIn attribute are checked, without regard to attribute
        options and access control, as though the operation which adds
        the values is successful. If the value to be added is not
        present in valuesIn the ACI item is treated as not granting Add

      - contexts is not used in this version of the LDAP profile for
        Basic Access Control.

      - classes means the contents of entries that have object class
        values that satisfy the predicate defined by Refinement (see

   b) UserClasses defines a set of zero or more users the permissions
      apply to. The set of users is selected from the following:

      - allUsers means every directory user (with possible requirements
        for AuthenticationLevel).

      - thisEntry means the user with the same distinguished name as the
        entry being accessed.

      - name is the set of users with the specified distinguished names
        (each with an optional unique identifier).

      - userGroup is the set of users who are members of the groups
        (i.e. groupOfNames or groupOfUniqueNames entries [RFC2256])
        identified by the specified distinguished names (each with an
        optional unique identifier). Members of a group of unique names
        are treated as individual user distinguished names, and not as
        the names of other groups of unique names. How group membership
        is determined is described in 5.2.5.

      - subtree is the set of users whose distinguished names fall
        within the scope of the unrefined subtrees (specificationFilter
        components SHOULD NOT be used - they SHALL be ignored if

   c) SubtreeSpecification is used to specify a subtree relative to the
      root DSE, and is not constrained by administrative areas. The
      specificationFilter component SHOULD NOT be used. It SHALL be

      A subtree refinement is not allowed because membership in a
      subtree whose specification includes only base and/or a
      ChopSpecification can be evaluated in isolation, whereas
      membership in a subtree definition using specificationFilter can
      only be evaluated by obtaining information from the user's entry,
      which is potentially in another directory server. Basic Access
      Control is designed to avoid remote operations in the course of
      making an access control decision.

   d) ItemPermission contains a collection of users and their
      permissions with respect to ProtectedItems within an itemFirst
      specification. The permissions are specified in grantsAndDenials
      as discussed in item f). Each of the permissions specified in
      grantsAndDenials is considered to have the precedence level
      specified in precedence for the purpose of the ACDF. If
      precedence is omitted within ItemPermission, then precedence is
      taken from the precedence specified for ACIItem.

   e) UserPermission contains a collection of protected items and the
      associated permissions with respect to userClasses within a
      userFirst specification. The associated permissions are specified
      in grantsAndDenials as discussed in item f). Each of the
      permissions specified in grantsAndDenials is considered to have
      the precedence level specified in precedence for the purpose of
      the ACDF. If precedence is omitted within UserPermission, the
      precedence is taken from the precedence specified for ACIItem.

   f) GrantsAndDenials specify the access rights that are granted or
      denied by the ACI item.

   g) UniqueIdentifier may be used by the authentication mechanism to
      distinguish between instances of distinguished name reuse. If
      this component is present, then for a requestor's name to match
      the UserClasses of an ACIItem that grants permissions, in addition
      to the requirement that the requestor's distinguished name match
      the specified distinguished name, the authentication of the
      requestor shall yield an associated unique identifier, and that
      value shall match for equality with the specified value.
884 5.2.5 Determining Group Membership
886 Determining whether a given requestor is a group member requires
887 checking two criteria. The determination may also be constrained if
888 the group definition is not known locally. The criteria for
889 membership and the treatment of non-local groups are discussed below.
891 a) A directory server is NOT REQUIRED to perform a remote operation
892 to determine whether the requestor belongs to a particular group
893 for the purposes of Basic Access Control. If membership in the
894 group cannot be evaluated, the server shall assume that the
903 requestor does not belong to the group if the ACI item grants the
904 permission sought, and does belong to the group if it denies the
907 Access control administrators should beware of basing access
908 controls on membership of non-locally available groups or groups
909 which are available only through replication (and which may,
910 therefore, be out of date).
912 b) In order to determine whether the requestor is a member of a
913 userGroup user class, the following criteria apply:
915 - The entry named by the userGroup specification is an instance of
916 the object class groupOfNames or groupOfUniqueNames.
918 - The name of the requestor is a value of the member or
919 uniqueMember attribute of that entry.
921 Values of the member or uniqueMember attribute that do not match
922 the name of the requestor are ignored, even if they represent the
923 names of groups of which the originator could be found to be a
924 member. Hence, nested groups are not supported when evaluating
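The membership test of 5.2.5, as an added Python example that is not part of the draft: criteria (b) are checked against a locally held group entry, and rule (a) is applied when the group cannot be evaluated. DN comparison is a simplified case-insensitive string match and the optional unique identifier suffix on uniqueMember values is dropped (both assumptions).

```python
"""Group membership for the userGroup user class (section 5.2.5).

Constructed model, not the draft's or any server's code. A directory is a
dict from normalised DN to an entry; an entry maps lower-case attribute
names to lists of string values.
"""
from typing import Optional

# object class -> attribute whose values name the members
GROUP_CLASSES = {"groupofnames": "member", "groupofuniquenames": "uniquemember"}


def norm_dn(dn: str) -> str:
    """Simplified DN normalisation (assumption): lower-case and strip the
    whitespace around commas. Real servers use distinguishedNameMatch."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def local_group_membership(requestor_dn: str, group_dn: str, directory) -> Optional[bool]:
    """Criteria 5.2.5(b): True/False when the group entry is held locally,
    None when membership cannot be evaluated (entry not available)."""
    entry = directory.get(norm_dn(group_dn))
    if entry is None:
        return None  # the server is NOT REQUIRED to perform a remote operation
    classes = {c.lower() for c in entry.get("objectclass", [])}
    target = norm_dn(requestor_dn)
    for object_class, member_attr in GROUP_CLASSES.items():
        if object_class not in classes:
            continue
        for value in entry.get(member_attr, []):
            # uniqueMember values may carry a "#'...'B" unique identifier
            # suffix; it is dropped here (simplification).
            if norm_dn(value.split("#", 1)[0]) == target:
                return True
    # Values naming other groups were compared as plain DNs and did not
    # match, so nested membership is never discovered. An entry that is not
    # a groupOfNames/groupOfUniqueNames also ends here.
    return False


def requestor_in_user_group(requestor_dn: str, group_dn: str, directory,
                            aci_item_grants: bool) -> bool:
    """Membership decision for the ACDF, applying rule 5.2.5(a) when the
    group cannot be evaluated: assume non-membership if the ACI item grants
    the permission sought, membership if it denies it."""
    result = local_group_membership(requestor_dn, group_dn, directory)
    if result is None:
        return not aci_item_grants
    return result


# Constructed sample directory: 'admins' lists a person and another group.
SAMPLE_DIRECTORY = {
    norm_dn("cn=admins,ou=groups,o=example"): {
        "objectclass": ["top", "groupOfNames"],
        "member": ["cn=alice,ou=people,o=example",
                   "cn=ops,ou=groups,o=example"],  # nested group: not followed
    },
    norm_dn("cn=ops,ou=groups,o=example"): {
        "objectclass": ["top", "groupOfUniqueNames"],
        "uniquemember": ["cn=bob,ou=people,o=example#'0101'B"],
    },
}
```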
928 5.3 ACI Operational Attributes
930 ACI is stored as values of operational attributes of entries and
931 subentries. The operational attributes are multi-valued, which
932 allows ACI to be represented as a set of ACI items.
935 5.3.1 Prescriptive ACI
937 The prescriptiveACI attribute is defined as an operational attribute
938 of an access control subentry. It contains prescriptive ACI
939 applicable to entries within that subentry's scope.
941 The LDAP description [RFC2252] for the prescriptiveACI operational
944 ( 2.5.24.4 NAME 'prescriptiveACI'
945 EQUALITY directoryStringFirstComponentMatch
946 SYNTAX 1.3.6.1.4.1.1466.115.121.1.1
947 USAGE directoryOperation )
949 The directoryStringFirstComponentMatch matching rule is described in
959 Prescriptive ACI within the subentries of a particular administrative
960 point never applies to the same or any other subentry of that
961 administrative point, but can be applicable to the subentries of
962 subordinate administrative points.
964 Note that prescriptiveACI attributes are not collective attributes.
965 Although the values of a prescriptiveACI attribute contribute to
966 access control decisions for each entry within the scope of the
967 subentry that holds the attribute, the prescriptiveACI attribute does
968 not appear as part of those entries.
973 The entryACI attribute is defined as an operational attribute of an
974 entry or subentry (not just access control subentries). It contains
975 entry ACI applicable to the entry or subentry in which it appears,
976 and that (sub)entry's contents.
978 The LDAP description [RFC2252] for the entryACI operational attribute
981 ( 2.5.24.5 NAME 'entryACI'
982 EQUALITY directoryStringFirstComponentMatch
983 SYNTAX 1.3.6.1.4.1.1466.115.121.1.1
984 USAGE directoryOperation )
989 The subentryACI attribute is defined as an operational attribute of
990 administrative entries [ADMIN] (for any aspect of administration).
991 It contains subentry ACI that applies to each of the subentries of
992 the administrative entry in which it appears. Only administrative
993 entries are permitted to contain a subentryACI attribute.
995 The LDAP description [RFC2252] for the subentryACI operational
998 ( 2.5.24.6 NAME 'subentryACI'
999 EQUALITY directoryStringFirstComponentMatch
1000 SYNTAX 1.3.6.1.4.1.1466.115.121.1.1
1001 USAGE directoryOperation )
1004 5.3.4 Protecting the ACI
1006 ACI operational attributes are subject to the same protection
1015 mechanisms as other attributes.
1017 The identificationTag provides an identifier for each ACI item. This
1018 tag can be used to remove a specific ACI item value, or to protect it
1019 by prescriptive ACI, entry ACI or subentry ACI. Directory rules
1020 ensure that only one ACI item per access control operational
1021 attribute possesses any specific identificationTag value.
1023 The creation of subentries for an administrative entry may be
1024 controlled by means of the subentryACI operational attribute in the
1025 administrative entry. The right to create prescriptive access
1026 controls may also be governed directly by security policy; this
1027 provision is required to create access controls in new autonomous
1028 administrative areas [ADMIN].
1031 5.4 Access Control Decision Points for LDAP Operations
1033 Each LDAP operation involves making a series of access control
1034 decisions on the various protected items that the operation accesses.
1036 For some operations (e.g. the Modify operation), each such access
1037 control decision must grant access for the operation to succeed; if
1038 access is denied to any protected item, the whole operation fails.
1039 For other operations (e.g. the Search operation), protected items to
1040 which access is denied are simply omitted from the operation result
1041 and processing continues.
1043 If the requested access is denied, further access control decisions
1044 may be needed to determine if the user has DiscloseOnError
1045 permissions to the protected item. Only if DiscloseOnError
1046 permission is granted may the server respond with an error that
1047 reveals the existence of the protected item. In all other cases, the
1048 server MUST act so as to conceal the existence of the protected item.
1050 The permissions required to access each protected item, are specified
1051 for each operation in the following sections. The algorithm by which
1052 a permission is determined to be granted or not granted is specified
1056 5.4.1 Common Elements of Procedure
1058 This section defines the elements of procedure that are common to all
1059 LDAP operations when Basic Access Control is in effect.
1062 5.4.1.1 Alias Dereferencing
1071 If, in the process of locating a target object entry (nominated in an
1072 LDAP request), alias dereferencing is required, no specific
1073 permissions are necessary for alias dereferencing to take place.
1074 However, if alias dereferencing would result in a referral being
1075 returned, the following sequence of access controls applies.
1077 1) Read permission is required to the alias entry. If permission is
1078 not granted, the operation fails in accordance to the procedure
1079 described in 5.4.1.3.
1081 2) Read permission is required to the aliasedEntryName attribute and
1082 to the single value that it contains. If permission is not
1083 granted, the operation fails and the resultCode
1084 aliasDereferencingProblem SHALL be returned. The matchedDN field
1085 of the LDAPResult SHALL contain the name of the alias entry.
1087 In addition to the access controls described above, security policy
1088 may prevent the disclosure of knowledge of other servers which would
1089 otherwise be conveyed in a referral. If such a policy is in effect
1090 the resultCode insufficientAccessRights SHALL be returned.
1093 5.4.1.2 Return of Names in Errors
1095 Certain LDAP result codes, i.e. noSuchObject, aliasProblem,
1096 invalidDNSyntax and aliasDereferencingProblem, provide the name of an
1097 entry in the matchedDN field of an LDAPResult. The DN of an entry
1098 SHALL only be provided in the matchedDN field if DiscloseOnError
1099 permission is granted to that entry, otherwise, the matchedDN field
1100 of the LDAPResult SHALL either contain the name of the next superior
1101 entry to which DiscloseOnError permission is granted, or, if
1102 DiscloseOnError permission is not granted to any superior entry, the
1103 name of the root DSE (i.e. a zero-length LDAPDN).
1106 5.4.1.3 Non-disclosure of the Existence of an Entry
1108 If, while performing an LDAP operation, the necessary entry level
1109 permission is not granted to the specified target object entry - e.g.
1110 the entry to be modified - the operation fails; if DiscloseOnError
1111 permission is granted to the target entry, the resultCode
1112 insufficientAccessRights SHALL be returned, otherwise, the resultCode
1113 noSuchObject SHALL be returned. The matchedDN field of the
1114 LDAPResult SHALL either contain the name of the next superior entry
1115 to which DiscloseOnError permission is granted, or, if
1116 DiscloseOnError permission is not granted to any superior entry, the
1117 name of the root DSE (i.e. a zero-length LDAPDN).
1127 Additionally, whenever the server detects an operational error
1128 (including a referral resultCode), it shall ensure that in returning
1129 that error it does not compromise the existence of the named target
1130 entry and any of its superiors. For example, before returning a
1131 resultCode of timeLimitExceeded or notAllowedOnNonLeaf, the server
1132 verifies that DiscloseOnError permission is granted to the target
1133 entry. If it is not, the procedure described in the paragraph above
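The resultCode and matchedDN rules of 5.4.1.2 and 5.4.1.3, as an added Python example that is not the draft's code: disclose(dn) stands in for the ACDF's DiscloseOnError decision, and superiors are derived by splitting the DN on commas (assumptions).

```python
"""Non-disclosure of entry existence (sections 5.4.1.2 and 5.4.1.3).

Constructed example, not the draft's code. `disclose(dn)` stands in for
the ACDF answering "is DiscloseOnError granted to the entry named dn?".
Superiors are found by splitting the DN on commas (assumption: no escaped
commas in the sample names).
"""
from typing import Callable, Iterator, Tuple

ROOT_DSE = ""  # the root DSE is named by a zero-length LDAPDN

# Result codes that carry the name of an entry in matchedDN (5.4.1.2).
NAMED_RESULT_CODES = {"noSuchObject", "aliasProblem", "invalidDNSyntax",
                      "aliasDereferencingProblem"}


def superiors(dn: str) -> Iterator[str]:
    """Yield the superiors of dn, nearest first, stopping before the root DSE."""
    parts = dn.split(",")
    for i in range(1, len(parts)):
        yield ",".join(parts[i:])


def concealed_matched_dn(target_dn: str, disclose: Callable[[str], bool]) -> str:
    """Name of the next superior with DiscloseOnError, else the root DSE."""
    for sup in superiors(target_dn):
        if disclose(sup):
            return sup
    return ROOT_DSE


def entry_permission_denied(target_dn: str, disclose) -> Tuple[str, str]:
    """5.4.1.3: the entry-level permission for the operation was not granted.
    Returns (resultCode, matchedDN)."""
    code = "insufficientAccessRights" if disclose(target_dn) else "noSuchObject"
    return code, concealed_matched_dn(target_dn, disclose)


def named_result(target_dn: str, code: str, disclose) -> Tuple[str, str]:
    """5.4.1.2: a result code that names an entry may only name it when
    DiscloseOnError is granted; otherwise matchedDN is moved upwards."""
    if code not in NAMED_RESULT_CODES:
        raise ValueError(f"{code} does not carry a name in matchedDN")
    if disclose(target_dn):
        return code, target_dn
    return code, concealed_matched_dn(target_dn, disclose)


def operational_error(target_dn: str, code: str, disclose) -> Tuple[str, str]:
    """Before an operational error such as timeLimitExceeded or
    notAllowedOnNonLeaf is returned, DiscloseOnError on the target is
    verified; if it is absent, the 5.4.1.3 procedure is followed instead."""
    if disclose(target_dn):
        return code, ROOT_DSE  # these codes carry no name (assumption: empty matchedDN)
    return entry_permission_denied(target_dn, disclose)


# Constructed policy: DiscloseOnError is granted only to these entries.
DISCLOSABLE = {"o=example", "ou=people,o=example"}


def sample_disclose(dn: str) -> bool:
    return dn in DISCLOSABLE
```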
1137 5.4.2 Compare Operation Decision Points
1139 The following sequence of access controls applies for an entry being
1142 1) Read permission for the entry to be compared is required. If
1143 permission is not granted, the operation fails in accordance with
1146 2) Compare permission for the attribute to be compared is required.
1147 If permission is not granted, the operation fails: if
1148 DiscloseOnError permission is granted to the attribute being
1149 compared, a resultCode of insufficientAccessRights SHALL be
1150 returned, otherwise, the resultCode noSuchAttribute SHALL be
1153 3) If there exists a value within the attribute being compared that
1154 matches the purported argument and for which Compare permission is
1155 granted, the operation returns the resultCode compareTrue,
1156 otherwise the operation returns the resultCode compareFalse.
1159 5.4.3 Search Operation Decision Points
1161 The following sequence of access controls applies for a portion of
1162 the DIT being searched.
1164 1) No specific permission is required to the entry identified by the
1165 baseObject argument in order to initiate a search. However, if
1166 the baseObject is within the scope of the SearchArgument (i.e.
1167 when the subset argument specifies baseObject or wholeSubtree) the
1168 access controls specified in 2) through 5) will apply.
1170 2) Browse or Read permission is required for the single entry within
1171 the scope of a baseObject search. An entry for which neither of
1172 these permissions is granted is ignored.
1174 This differs from the X.500 DAP Search operation where the Browse
1183 permission alone is required. An entry with Read permission but
1184 not Browse permission cannot be searched but can still be examined
1185 with an X.500 DAP Read operation. LDAP relies on baseObject
1186 search operations to provide the functionality of the DAP Read
1187 operation. Accepting Read permission for the target entry in a
1188 baseObject search gives an LDAP baseObject search the same access
1189 rights to the entry as the DAP Read operation.
1191 3) Browse permission is required for an entry within the scope of a
1192 singleLevel or wholeSubtree search to be a candidate for
1193 consideration. Entries for which this permission is not granted
1196 4) The filter argument is applied to each entry left to be considered
1197 after taking 2) and 3) into account, in accordance with the
1200 a) For a present Filter item, if there exists an attribute value
1201 such that the attribute type of the value (possibly a subtype
1202 of the attribute type in the FilterItem) satisfies the Filter
1203 item and FilterMatch permission is granted for the value and
1204 for the attribute type then the FilterItem evaluates to TRUE,
1205 otherwise, it evaluates to FALSE.
1207 If a directory server does not support True/False filters
1208 [FILTER] on LDAP searches, or if directory clients do not
1209 exploit this capability, then access control administrators
1210 SHOULD grant FilterMatch permission for the objectClass
1211 attribute over entries where Read permission is also granted so
1212 that an LDAP baseObject search with a filter testing for the
1213 presence of the objectClass attribute will have the same access
1214 rights to the target entry as the DAP Read operation. An LDAP
1215 baseObject search with a True filter does not require
1216 FilterMatch permission for any particular attribute type.
1218 b) For an equalityMatch, substrings, greaterOrEqual, lessOrEqual,
1219 approxMatch or extensibleMatch Filter item, if there exists an
1220 attribute value such that the value satisfies the Filter item
1221 and FilterMatch permission is granted for the value and for its
1222 attribute type (possibly a subtype of the attribute type in the
1223 FilterItem) then the FilterItem evaluates to TRUE, otherwise,
1224 it evaluates to FALSE.
1226 Once the access controls defined in 2) through 4) have been applied,
1227 an entry is either selected or discarded.
1229 5) For each selected entry the information returned is as follows:
1239 a) ReturnDN permission for an entry is required in order to return
1240 its distinguished name in a SearchResultEntry response. If
1241 this permission is not granted, the server SHALL either return
1242 the name of a valid alias to the entry, or omit the entry from
1245 If the base entry of the search was located using an alias,
1246 then that alias is known to be a valid alias. Otherwise, how
1247 it is ensured that the alias is valid is outside the scope of
1250 Where a server has a choice of alias names available to it for
1251 return, it is RECOMMENDED that where possible it choose the
1252 same alias name for repeated requests by the same client, in
1253 order to provide a consistent service.
1255 b) If the typesOnly field of the SearchRequest is TRUE then, for
1256 each attribute type that is to be returned, Read permission for
1257 the attribute type and Read permission for at least one value
1258 of the attribute is required. If permission is not granted,
1259 the attribute type is omitted from the attribute list in the
1260 SearchResultEntry. If as a consequence of applying these
1261 controls no attribute type information is selected, the
1262 SearchResultEntry is returned but no attribute type information
1263 is conveyed with it (i.e. the attribute list is empty).
1265 c) If the typesOnly field of the SearchRequest is FALSE then Read
1266 permission is required for each attribute type and for each
1267 attribute value that is to be returned. If permission to an
1268 attribute type is not granted, the attribute is omitted from
1269 the SearchResultEntry. If permission to an attribute value is
1270 not granted, the value is omitted from its corresponding
1271 attribute. If all values of an attribute are omitted then the
1272 attribute type is omitted from the attribute list in the
1273 SearchResultEntry. If as a consequence of applying these
1274 controls no attribute information is selected, the
1275 SearchResultEntry is returned but no attribute information is
1276 conveyed with it (i.e. the attribute list is empty).
1278 6) If as a consequence of applying the above controls to the entire
1279 scoped subtree the search result contains no entries (excluding
1280 any SearchResultReferences) and if DiscloseOnError permission is
1281 not granted to the entry identified by the baseObject argument,
1282 the operation fails and the resultCode noSuchObject SHALL be
1283 returned. The matchedDN field of the LDAPResult SHALL either
1284 contain the name of the next superior entry to which
1285 DiscloseOnError permission is granted, or the name of the root DSE
1286 (i.e. a zero-length LDAPDN). Otherwise, the operation succeeds
1295 but no subordinate information is conveyed with it.
1297 Security policy may prevent the disclosure of knowledge of other
1298 servers which would otherwise be conveyed as SearchResultReferences.
1299 If such a policy is in effect SearchResultReferences are omitted from
1302 No specific permissions are necessary to allow alias dereferencing to
1303 take place in the course of a search operation. However, for each
1304 alias entry encountered, if alias dereferencing would result in a
1305 SearchResultReference being returned, the following access controls
1306 apply: Read permission is required to the alias entry, the
1307 aliasedEntryName attribute and to the single value that it contains.
1308 If any of these permissions is not granted, the SearchResultReference
1309 SHALL be omitted from the search result.
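Steps 1) to 6) above, as an added Python model that is not the draft's or any server's code. granted(perm, item) stands in for the ACDF of 5.5; filters are limited to a True filter, a presence test or an equality test on one attribute, and aliases and SearchResultReferences are not modelled (assumptions).

```python
"""Search decision points of section 5.4.3 over an in-memory DIT.

Constructed example, not the draft's or any server's code. `granted(perm,
item)` stands in for the ACDF of 5.5; items are ("entry", dn),
("attribute", dn, type) or ("value", dn, type, value). Filters are a True
filter, a presence test or an equality test on one attribute (assumption);
aliases and SearchResultReferences are not modelled.
"""
from typing import Callable, Dict, List, Tuple

Entry = Dict[str, List[str]]


def in_scope(dn: str, base: str, scope: str) -> bool:
    """1) the base entry is in scope for baseObject and wholeSubtree only."""
    if dn == base:
        return scope != "singleLevel"
    if not dn.endswith("," + base):
        return False
    relative = dn[:-len(base) - 1]
    return scope == "wholeSubtree" or "," not in relative


def filter_matches(dn: str, entry: Entry, flt: tuple, granted) -> bool:
    """4) a filter item is TRUE only for a value with FilterMatch permission
    on both the value and its attribute type; a True filter needs neither."""
    if flt[0] == "true":
        return True
    op, attr = flt[0], flt[1]
    if not granted("FilterMatch", ("attribute", dn, attr)):
        return False
    for value in entry.get(attr, []):
        if not granted("FilterMatch", ("value", dn, attr, value)):
            continue
        if op == "present" or (op == "equalityMatch" and value == flt[2]):
            return True
    return False


def returned_attributes(dn: str, entry: Entry, types_only: bool, granted) -> Entry:
    """5b) and 5c): Read on the type and on at least one value is needed for
    the type to appear; unreadable values are dropped individually."""
    out: Entry = {}
    for attr, values in entry.items():
        if not granted("Read", ("attribute", dn, attr)):
            continue
        readable = [v for v in values if granted("Read", ("value", dn, attr, v))]
        if readable:
            out[attr] = [] if types_only else readable
    return out


def search(dit: Dict[str, Entry], base: str, scope: str, flt: tuple,
           types_only: bool, granted: Callable[[str, tuple], bool]):
    """Return (resultCode, [(dn, attributes), ...]) for steps 1) to 6).
    For noSuchObject the matchedDN is formed as in 5.4.1.2 (not shown)."""
    results: List[Tuple[str, Entry]] = []
    for dn, entry in dit.items():
        if not in_scope(dn, base, scope):
            continue
        if scope == "baseObject":   # 2) Browse or Read suffices for the base
            visible = granted("Browse", ("entry", dn)) or granted("Read", ("entry", dn))
        else:                       # 3) Browse is required in a scoped search
            visible = granted("Browse", ("entry", dn))
        if not visible or not filter_matches(dn, entry, flt, granted):
            continue
        if not granted("ReturnDN", ("entry", dn)):
            continue  # 5a) no alias names are modelled, so the entry is omitted
        results.append((dn, returned_attributes(dn, entry, types_only, granted)))
    if not results and not granted("DiscloseOnError", ("entry", base)):
        return "noSuchObject", results  # 6) conceal an empty result
    return "success", results


# Constructed DIT and policy: 'secret' is invisible to the requestor,
# userPassword is never readable or filterable, everything else is allowed.
SAMPLE_DIT: Dict[str, Entry] = {
    "ou=people,o=example": {"objectClass": ["organizationalUnit"], "ou": ["people"]},
    "cn=alice,ou=people,o=example": {"objectClass": ["person"], "cn": ["alice"],
                                     "userPassword": ["{SSHA}constructed"]},
    "cn=secret,ou=people,o=example": {"objectClass": ["person"], "cn": ["secret"]},
}


def sample_granted(perm: str, item: tuple) -> bool:
    if item[1].startswith("cn=secret,"):
        return False
    if len(item) > 2 and item[2] == "userPassword":
        return False
    return True
```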
1312 5.4.4 Add Operation Decision Points
1314 The following sequence of access controls applies for an entry being
1317 1) No specific permission is required for the immediate superior of
1318 the entry identified by the entry field of the AddRequest.
1320 2) If an entry already exists with a distinguished name equal to the
1321 entry field the operation fails; if DiscloseOnError or Add
1322 permission is granted to the existing entry, the resultCode
1323 entryAlreadyExists SHALL be returned, otherwise, the procedure
1324 described in 5.4.1.3 is followed with respect to the entry being
1327 3) Add permission is required for the new entry being added. If this
1328 permission is not granted, the operation fails; the procedure
1329 described in 5.4.1.3 is followed with respect to the entry being
1332 The Add permission is provided as prescriptive ACI when attempting
1333 to add an entry and as prescriptive ACI or subentry ACI when
1334 attempting to add a subentry. Any values of the entryACI
1335 attribute in the entry being added SHALL be ignored.
1337 4) Add permission is required for each attribute type and for each
1338 value that is to be added. If any permission is absent, the
1339 operation fails and the resultCode insufficientAccessRights SHALL
1351 5.4.5 Delete Operation Decision Points
1353 The following sequence of access controls applies for an entry being
1356 1) Remove permission is required for the entry being removed. If
1357 this permission is not granted, the operation fails in accordance
1360 2) No specific permissions are required for any of the attributes and
1361 attribute values present within the entry being removed.
1364 5.4.6 Modify Operation Decision Points
1366 The following sequence of access controls applies for an entry being
1369 1) Modify permission is required for the entry being modified. If
1370 this permission is not granted, the operation fails in accordance
1373 2) For each of the specified modification arguments applied in
1374 sequence, the following permissions are required:
1376 a) Add permission is required for each of the attribute values
1377 specified in an add modification. If the attribute does not
1378 currently exist then Add permission for the attribute type is
1379 also required. If these permissions are not granted, or any of
1380 the attribute values already exist, the operation fails; if an
1381 attribute value already exists and DiscloseOnError or Add is
1382 granted to that attribute value, the resultCode
1383 attributeOrValueExists SHALL be returned, otherwise, the
1384 resultCode insufficientAccessRights SHALL be returned.
1386 b) Remove permission is required for the attribute type specified
1387 in a delete modification with no listed attribute values. If
1388 this permission is not granted, the operation fails; if
1389 DiscloseOnError permission is granted to the attribute being
1390 removed and the attribute exists, the resultCode
1391 insufficientAccessRights SHALL be returned, otherwise, the
1392 resultCode noSuchAttribute SHALL be returned.
1394 No specific permissions are required for any of the attribute
1395 values present within the attribute being removed.
1397 c) Remove permission is required for each of the values in a
1398 delete modification with listed attribute values. If all
1407 current values of the attribute are specified to be removed
1408 (which causes the attribute itself to be removed), then Remove
1409 permission for the attribute type is also required. If these
1410 permissions are not granted, the operation fails; if
1411 DiscloseOnError permission is granted to any of the attribute
1412 values being removed, the resultCode insufficientAccessRights
1413 SHALL be returned, otherwise, the resultCode noSuchAttribute
1416 d) Remove and Add permission is required for the attribute type,
1417 and Add permission is required for each of the specified
1418 attribute values, in a replace modification. If these
1419 permissions are not granted the operation fails and the
1420 resultCode insufficientAccessRights SHALL be returned.
1422 No specific permissions are required to remove any existing
1423 attribute values of the attribute being replaced.
1426 5.4.7 Modify DN Operation Decision Points
1428 The following sequence of access controls applies for an entry having
1431 1) If the effect of the operation is to change the RDN of the entry
1432 then Rename permission (determined with respect to its original
1433 name) is required for the entry. If this permission is not
1434 granted, the operation fails; the procedure described in 5.4.1.3
1435 is followed with respect to the entry being renamed (considered
1436 with its original name).
1438 No additional permissions are required even if, as a result of
1439 modifying the RDN of the entry, a new distinguished value needs to
1440 be added, or an old one removed. No specific permissions are
1441 required for the subordinates of the renamed entry.
1443 2) If the effect of the operation is to move an entry to a new
1444 superior in the DIT then Export permission (determined with
1445 respect to its original name) and Import permission (determined
1446 with respect to its new name) are required for the entry. If
1447 either of these permissions is not granted, the operation fails;
1448 the procedure described in 5.4.1.3 is followed with respect to the
1449 entry being moved (considered with its original name).
1451 The Import permission is provided as prescriptive ACI when
1452 attempting to move an entry and as prescriptive ACI or subentry
1453 ACI when attempting to move a subentry. Any values of the
1454 entryACI attribute in the entry or subentry being moved SHALL be
1465 No specific permissions are required for the subordinates of the
1468 Note that a single Modify DN Operation may simultaneously rename and
1472 5.5 Access Control Decision Function
1474 This section describes how ACI items are processed in order to decide
1475 whether to grant or deny a particular requestor a specified
1476 permission to a given protected item.
1478 Section 5.5.1 describes the inputs to the ACDF. Sections 5.5.2
1479 through 5.5.4 describe the steps in the ACDF. The output is a
1480 decision to grant or deny access to the protected item.
1485 For each invocation of the ACDF, the inputs are:
1487 a) the requestor's Distinguished Name, unique identifier, and
1488 authentication level, or as many of these as are available;
1490 b) the protected item (an entry, an attribute, or an attribute value)
1491 being considered at the current decision point for which the ACDF
1494 c) the requested permission specified for the current decision point;
1496 d) the ACI items applicable to the entry containing (or which is) the
1499 In addition, if the ACI items include any of the protected item
1500 constraints described in 5.2.1.4, the whole entry and the number of
1501 immediate subordinates of its superior entry may also be required as
1507 For each ACI item, expand the item into a set of tuples, one tuple
1508 for each element of the itemPermissions and userPermissions sets,
1509 containing the following elements:
1519 ( userClasses, authenticationLevel, protectedItems,
1520 grantsAndDenials, precedence )
1522 Collect all tuples from all ACI items into a single set.
1524 For any tuple whose grantsAndDenials specify both grants and denials,
1525 replace the tuple with two tuples - one specifying only grants and
1526 the other specifying only denials.
1529 5.5.3 Discarding Irrelevant Tuples
1531 Perform the following steps to discard all irrelevant tuples:
1533 1) Discard all tuples that do not include the requestor in the
1534 tuple's userClasses as follows:
1536 a) For tuples that grant access, discard all tuples that do not
1537 include the requestor's identity in the tuple's userClasses
1538 element, taking into account UniqueIdentifier elements if
1539 relevant. Where a tuple's userClasses specifies a
1540 UniqueIdentifier, a matching value shall be present in the
1541 requestor's identity if the tuple is not to be discarded.
1542 Discard tuples that specify an authentication level higher than
1543 that associated with the requestor.
1545 b) For tuples that deny access, retain all tuples that include the
1546 requestor in the tuple's userClasses element, taking into
1547 account uniqueIdentifier elements if relevant. Also retain all
1548 tuples that deny access and which specify an authentication
1549 level higher than that associated with the requestor. This
1550 reflects the fact that the requestor has not adequately proved
1551 non-membership in the user class for which the denial is
1552 specified. All other tuples that deny access are discarded.
1554 2) Discard all tuples that do not include the protected item in
1557 3) Examine all tuples that include maxValueCount, maxImmSub or
1558 restrictedBy. Discard all such tuples which grant access and
1559 which do not satisfy any of these constraints.
1561 4) Discard all tuples that do not include the requested permission as
1562 one of the set bits in grantsAndDenials.
1564 The order in which tuples are discarded does not change the output of
1575 5.5.4 Highest Precedence and Specificity
1577 Perform the following steps to select those tuples of highest
1578 precedence and specificity:
1580 1) Discard all tuples having a precedence less than the highest
1581 precedence among the remaining tuples.
1583 2) If more than one tuple remains, choose the tuples with the most
1584 specific user class. If there are any tuples matching the
1585 requestor with UserClasses element name or thisEntry, discard all
1586 other tuples. Otherwise if there are any tuples matching
1587 UserGroup, discard all other tuples. Otherwise if there are any
1588 tuples matching subtree, discard all other tuples.
1590 3) If more than one tuple remains, choose the tuples with the most
1591 specific protected item. If the protected item is an attribute
1592 and there are tuples that specify the attribute type explicitly,
1593 discard all other tuples. If the protected item is an attribute
1594 value, and there are tuples that specify the attribute value
1595 explicitly, discard all other tuples. A protected item which is a
1596 rangeOfValues is to be treated as specifying an attribute value
1599 Grant access if and only if one or more tuples remain and all grant
1600 access. Otherwise deny access.
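The ACDF of 5.5.2 through 5.5.4, carried through as an added Python example that is not the draft's or any server's code. ACI items are plain dicts mirroring ACIItem; the maxValueCount/maxImmSub/restrictedBy constraints, rangeOfValues and unique identifiers are not modelled, subtree membership is a DN suffix test, and group membership is supplied by the caller (all assumptions).

```python
"""Access Control Decision Function of section 5.5 (added worked example).

Constructed model, not the draft's or any server's code. Not modelled
(assumptions): the maxValueCount/maxImmSub/restrictedBy constraints of
5.5.3(3), rangeOfValues and unique identifiers; subtree membership is a DN
suffix test and group membership comes from in_group(dn, group_dn, grants).
"""
AUTH_LEVEL = {"none": 0, "simple": 1, "strong": 2}
USER_RANK = {"name": 3, "thisEntry": 3, "userGroup": 2, "subtree": 1, "allUsers": 0}

def expand_tuples(aci_items):
    """5.5.2: (userClasses, authenticationLevel, protectedItems,
    grantsAndDenials, precedence) tuples, grants and denials split apart."""
    out = []
    for aci in aci_items:
        if "itemFirst" in aci:
            items = aci["itemFirst"]["protectedItems"]
            perms = [(p["userClasses"], items, p) for p in aci["itemFirst"]["itemPermissions"]]
        else:
            users = aci["userFirst"]["userClasses"]
            perms = [(users, p["protectedItems"], p) for p in aci["userFirst"]["userPermissions"]]
        for uc, pi, p in perms:
            gd = p["grantsAndDenials"]
            grants = {g for g in gd if g.startswith("grant")}
            out += [(uc, aci["authenticationLevel"], pi, s, p.get("precedence", aci["precedence"]))
                    for s in (grants, gd - grants) if s]
    return out

def user_rank(uc, dn, entry_dn, in_group):
    """Rank of the most specific user class in uc matching the requestor
    (name/thisEntry > userGroup > subtree > allUsers), or None."""
    ranks = []
    if dn in uc.get("name", ()) or (uc.get("thisEntry") and dn == entry_dn):
        ranks.append(USER_RANK["name"])
    if any(in_group(dn, g) for g in uc.get("userGroup", ())):
        ranks.append(USER_RANK["userGroup"])
    if any(dn == b or dn.endswith("," + b) for b in uc.get("subtree", ())):
        ranks.append(USER_RANK["subtree"])
    if uc.get("allUsers"):
        ranks.append(USER_RANK["allUsers"])
    return max(ranks) if ranks else None

def item_match(pi, item):
    """(covered, explicit) for item = ("entry",), ("attribute", t) or ("value", t, v)."""
    if item[0] == "entry":
        return bool(pi.get("entry")), True
    all_tv = bool(pi.get("allUserAttributeTypesAndValues"))
    if item[0] == "attribute":
        explicit = item[1] in pi.get("attributeType", ())
        return explicit or all_tv or bool(pi.get("allUserAttributeTypes")), explicit
    explicit = (item[1], item[2]) in pi.get("attributeValue", ())
    return explicit or all_tv or item[1] in pi.get("allAttributeValues", ()), explicit

def acdf(requestor, item, entry_dn, permission, aci_items, in_group):
    """True to grant, False to deny; requestor = {"dn", "authenticationLevel"}."""
    level = AUTH_LEVEL[requestor["authenticationLevel"]]
    kept = []
    for uc, al, pi, gd, prec in expand_tuples(aci_items):
        grants = next(iter(gd)).startswith("grant")
        rank = user_rank(uc, requestor["dn"], entry_dn, lambda d, g: in_group(d, g, grants))
        too_high = AUTH_LEVEL[al] > level
        if grants and (rank is None or too_high):
            continue  # 5.5.3(1a)
        if not grants and rank is None:
            if not too_high:
                continue  # 5.5.3(1b): the denial cannot concern this requestor
            rank = max(USER_RANK[k] for k in uc if uc[k])  # membership not disproved
        covered, explicit = item_match(pi, item)
        if not covered or ("grant" if grants else "deny") + permission not in gd:
            continue  # 5.5.3(2) and 5.5.3(4)
        kept.append((prec, rank, explicit, grants))
    if not kept:
        return False
    kept = [t for t in kept if t[0] == max(k[0] for k in kept)]  # 5.5.4(1)
    kept = [t for t in kept if t[1] == max(k[1] for k in kept)]  # 5.5.4(2)
    if any(t[2] for t in kept):
        kept = [t for t in kept if t[2]]  # 5.5.4(3)
    return all(t[3] for t in kept)

# Constructed sample policy: authenticated users read and browse; userPassword
# values are denied to all but the entry itself (Compare only); admins modify.
SAMPLE_ACI = [
    {"precedence": 10, "authenticationLevel": "simple", "userFirst": {
        "userClasses": {"allUsers": True}, "userPermissions": [
            {"protectedItems": {"entry": True, "allUserAttributeTypesAndValues": True},
             "grantsAndDenials": {"grantRead", "grantBrowse"}}]}},
    {"precedence": 20, "authenticationLevel": "none", "itemFirst": {
        "protectedItems": {"allAttributeValues": ["userPassword"]}, "itemPermissions": [
            {"userClasses": {"allUsers": True}, "grantsAndDenials": {"denyRead", "denyCompare"}},
            {"userClasses": {"thisEntry": True}, "grantsAndDenials": {"grantCompare"}}]}},
    {"precedence": 15, "authenticationLevel": "strong", "userFirst": {
        "userClasses": {"userGroup": ["cn=admins,ou=groups,o=example"]}, "userPermissions": [
            {"protectedItems": {"entry": True, "allUserAttributeTypesAndValues": True},
             "grantsAndDenials": {"grantModify", "grantAdd", "grantRemove"}}]}},
]

def sample_in_group(dn, group_dn, grants):
    """Group lookup applying rule 5.2.5(a) to groups not held locally."""
    members = {"cn=admins,ou=groups,o=example": {"cn=alice,ou=people,o=example"}}.get(group_dn)
    return dn in members if members is not None else not grants
```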
1603 6. Simplified Access Control
1605 This section describes the functionality of the Simplified Access
1606 Control scheme. It provides a subset of the functionality found in
1607 Basic Access Control.
1609 When Simplified Access Control is used, the accessControlScheme
1610 operational attribute [ACA] SHALL have the value
1611 simplified-access-control (2.5.28.2).
1613 The functionality of Simplified Access Control is the same as Basic
1614 Access Control except that:
1616 1) Access control decisions shall be made only on the basis of values
1617 of prescriptiveACI and subentryACI operational attributes. Values
1618 of the entryACI attribute, if present, SHALL NOT be used to make
1619 access control decisions.
1621 2) Access Control Inner Areas are not used. Values of
1622 prescriptiveACI attributes appearing in subentries of ACIPs SHALL
1631 NOT be used to make access control decisions.
1633 All other provisions SHALL be as defined for Basic Access Control.
1636 7. Security Considerations
1638 Access control administrators should beware of basing access controls
1639 on membership of non-locally available groups or groups which are
1640 available only through replication (and which may, therefore, be out
1643 A particular DSA might not have the ACI governing any data that it
1644 caches. Administrators should be aware that a directory server with
1645 the capability of caching may pose a significant security risk to
1646 other directory servers, in that it may reveal information to
1652 This document is derived from, and duplicates substantial portions
1653 of, Section 8 of [X501], and selected extracts from [X511].
1656 9. IANA Considerations
1658 The Internet Assigned Numbers Authority (IANA) is requested to update
1659 the LDAP descriptors registry as indicated by the following
1662 Subject: Request for LDAP Descriptor Registration
1663 Descriptor (short name): basic-access-control
1664 Object Identifier: 2.5.28.1
1665 Person & email address to contact for further information:
1666 Steven Legg <steven.legg@adacel.com.au>
1667 Usage: other (access control scheme)
1668 Specification: RFC XXXX
1669 Author/Change Controller: IESG
1671 Subject: Request for LDAP Descriptor Registration
1672 Descriptor (short name): simplified-access-control
1673 Object Identifier: 2.5.28.2
1674 Person & email address to contact for further information:
1675 Steven Legg <steven.legg@adacel.com.au>
1676 Usage: other (access control scheme)
1677 Specification: RFC XXXX
1678 Author/Change Controller: IESG
1687 Subject: Request for LDAP Descriptor Registration
1688 Descriptor (short name): prescriptiveACI
1689 Object Identifier: 2.5.24.4
1690 Person & email address to contact for further information:
1691 Steven Legg <steven.legg@adacel.com.au>
1692 Usage: attribute type
1693 Specification: RFC XXXX
1694 Author/Change Controller: IESG
1696 Subject: Request for LDAP Descriptor Registration
1697 Descriptor (short name): entryACI
1698 Object Identifier: 2.5.24.5
1699 Person & email address to contact for further information:
1700 Steven Legg <steven.legg@adacel.com.au>
1701 Usage: attribute type
1702 Specification: RFC XXXX
1703 Author/Change Controller: IESG
1705 Subject: Request for LDAP Descriptor Registration
1706 Descriptor (short name): subentryACI
1707 Object Identifier: 2.5.24.6
1708 Person & email address to contact for further information:
1709 Steven Legg <steven.legg@adacel.com.au>
1710 Usage: attribute type
1711 Specification: RFC XXXX
1712 Author/Change Controller: IESG
1715 10. Normative References
1717 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
1718 Requirement Levels", BCP 14, RFC 2119, March 1997.
1720 [RFC2251] Wahl, M., Howes, T. and S. Kille, "Lightweight Directory
1721 Access Protocol (v3)", RFC 2251, December 1997.
1723 [RFC2252] Wahl, M., Coulbeck, A., Howes, T. and S. Kille,
1724 "Lightweight Directory Access Protocol (v3): Attribute
1725 Syntax Definitions", RFC 2252, December 1997.
1727 [RFC2256] Wahl, M., "A Summary of the X.500(96) User Schema for use
1728 with LDAPv3", RFC 2256, December 1997.
1730 [RFC3377] Hodges, J. and R. Morgan, "Lightweight Directory Access
1731 Protocol (v3): Technical Specification", RFC 3377,
1734 [GSER] Legg, S., "Generic String Encoding Rules for ASN.1 Types",
1743 draft-legg-ldap-gser-xx.txt, a work in progress, October
1746 [SUBENTRY] Zeilenga, K. and S. Legg, "Subentries in LDAP",
1747 draft-zeilenga-ldap-subentry-xx.txt, a work in progress,
1750 [COLLECT] Zeilenga, K., "Collective Attributes in LDAP",
1751 draft-zeilenga-ldap-collective-xx.txt, a work in progress,
1754 [ADMIN] Legg, S., "Directory Administrative Model in LDAP",
1755 draft-legg-ldap-admin-xx.txt, a work in progress, February
1758 [ACA] Legg, S., "Access Control Administration in LDAP",
1759 draft-legg-ldap-acm-admin-xx.txt, a work in progress,
1762 [SCHEMA] Zeilenga, K., "LDAPv3: A Collection of User Schema",
1763 draft-zeilenga-ldap-user-schema-xx.txt, a work in
1766 [FILTER] Zeilenga, K., "LDAP Absolute True/False Filters",
1767 draft-zeilenga-ldap-t-f-xx.txt, a work in progress,
1770 [X680] ITU-T Recommendation X.680 (1997) | ISO/IEC 8824-1:1998
1771 Information Technology - Abstract Syntax Notation One
1772 (ASN.1): Specification of basic notation
1775 11. Informative References
1777 [RFC2234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
1778 Specifications: ABNF", RFC 2234, November 1997.
1780 [GCE] Legg, S., "Common Elements of GSER Encodings",
1781 draft-legg-ldap-gser-abnf-xx.txt, a work in progress,
1784 [X501] ITU-T Recommendation X.501 (02/2001), Information
1785 technology - Open Systems Interconnection - The Directory:
1788 [X511] ITU-T Recommendation X.511 (02/2001), Information
1789 technology - Open Systems Interconnection - The Directory:
1790 Abstract service definition
1799 12. Copyright Notice
1801 Copyright (C) The Internet Society (2003). All Rights Reserved.
1803 This document and translations of it may be copied and furnished to
1804 others, and derivative works that comment on or otherwise explain it
1805 or assist in its implementation may be prepared, copied, published
1806 and distributed, in whole or in part, without restriction of any
1807 kind, provided that the above copyright notice and this paragraph are
1808 included on all such copies and derivative works. However, this
1809 document itself may not be modified in any way, such as by removing
1810 the copyright notice or references to the Internet Society or other
1811 Internet organizations, except as needed for the purpose of
1812 developing Internet standards in which case the procedures for
1813 copyrights defined in the Internet Standards process must be
1814 followed, or as required to translate it into languages other than
1817 The limited permissions granted above are perpetual and will not be
1818 revoked by the Internet Society or its successors or assigns.
1820 This document and the information contained herein is provided on an
1821 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
1822 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
1823 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
1824 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
1825 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
1828 13. Author's Address
1831 Adacel Technologies Ltd.
1833 Brighton, Victoria 3186
1836 Phone: +61 3 8530 7710
1837 Fax: +61 3 8530 7888
1838 EMail: steven.legg@adacel.com.au
1841 Appendix A. LDAP Specific Encoding for the ACI Item Syntax
1843 This appendix is non-normative.
1845 The LDAP-specific encoding for the ACI Item syntax is specified by
1846 the Generic String Encoding Rules in [GSER]. The ABNF [RFC2234] in
1855 this appendix for this syntax is provided only as a convenience and
1856 is equivalent to the encoding specified by the application of [GSER].
1857 Since the ACI Item ASN.1 type may be extended in future editions of
1858 [X501], the provided ABNF should be regarded as a snapshot in time.
1859 The LDAP-specific encoding for any extension to the ACI Item ASN.1
1860 type can be determined from [GSER].
1862 In the event that there is a discrepancy between this ABNF and the
1863 encoding determined by [GSER], [GSER] is to be taken as definitive.
ACIItem = "{" sp aci-identificationTag ","
              sp aci-precedence ","
              sp aci-authenticationLevel ","
              sp aci-itemOrUserFirst
              sp "}"

aci-identificationTag = id-identificationTag msp DirectoryString
aci-precedence = id-precedence msp Precedence
aci-authenticationLevel = id-authenticationLevel msp
                              AuthenticationLevel
aci-itemOrUserFirst = id-itemOrUserFirst msp ItemOrUserFirst

id-identificationTag = %x69.64.65.6E.74.69.66.69.63.61.74.69.6F
                           %x6E.54.61.67 ; "identificationTag"
id-precedence = %x70.72.65.63.65.64.65.6E.63.65 ; "precedence"
id-authenticationLevel = %x61.75.74.68.65.6E.74.69.63.61.74.69.6F
                             %x6E.4C.65.76.65.6C
                             ; "authenticationLevel"
id-itemOrUserFirst = %x69.74.65.6D.4F.72.55.73.65.72.46.69.72
                         %x73.74 ; "itemOrUserFirst"

Precedence = INTEGER-0-MAX ; MUST be less than 256

AuthenticationLevel = al-basicLevels / al-other
al-basicLevels = id-basicLevels ":" BasicLevels
al-other = id-other ":" EXTERNAL
id-basicLevels = %x62.61.73.69.63.4C.65.76.65.6C.73 ; "basicLevels"
id-other = %x6F.74.68.65.72 ; "other"

BasicLevels = "{" sp bl-level
                  [ "," sp bl-localQualifier ]
                  [ "," sp bl-signed ]
                  sp "}"

bl-level = id-level msp Level
bl-localQualifier = id-localQualifier msp INTEGER
bl-signed = id-signed msp BOOLEAN
Level = id-none / id-simple / id-strong
id-level = %x6C.65.76.65.6C ; "level"
id-localQualifier = %x6C.6F.63.61.6C.51.75.61.6C.69.66.69.65.72
                        ; "localQualifier"
id-signed = %x73.69.67.6E.65.64 ; "signed"
id-none = %x6E.6F.6E.65 ; "none"
id-simple = %x73.69.6D.70.6C.65 ; "simple"
id-strong = %x73.74.72.6F.6E.67 ; "strong"

ItemOrUserFirst = ( id-itemFirst ":" ItemFirst ) /
                  ( id-userFirst ":" UserFirst )
id-itemFirst = %x69.74.65.6D.46.69.72.73.74 ; "itemFirst"
id-userFirst = %x75.73.65.72.46.69.72.73.74 ; "userFirst"

ItemFirst = "{" sp if-protectedItems ","
                sp if-itemPermissions
                sp "}"
if-protectedItems = id-protectedItems msp ProtectedItems
if-itemPermissions = id-itemPermissions msp ItemPermissions
id-protectedItems = %x70.72.6F.74.65.63.74.65.64.49.74.65.6D.73
                        ; "protectedItems"
id-itemPermissions = %x69.74.65.6D.50.65.72.6D.69.73.73.69.6F.6E
                         %x73 ; "itemPermissions"

UserFirst = "{" sp uf-userClasses ","
                sp uf-userPermissions
                sp "}"
uf-userClasses = id-userClasses msp UserClasses
uf-userPermissions = id-userPermissions msp UserPermissions
id-userClasses = %x75.73.65.72.43.6C.61.73.73.65.73 ; "userClasses"
id-userPermissions = %x75.73.65.72.50.65.72.6D.69.73.73.69.6F.6E
                         %x73 ; "userPermissions"

ItemPermissions = "{" [ sp ItemPermission
                      *( "," sp ItemPermission ) ] sp "}"
ItemPermission = "{" [ sp ip-precedence "," ]
                     sp ip-userClasses ","
                     sp ip-grantsAndDenials
                     sp "}"
ip-precedence = id-precedence msp Precedence
ip-userClasses = id-userClasses msp UserClasses
ip-grantsAndDenials = id-grantsAndDenials msp GrantsAndDenials
id-grantsAndDenials = %x67.72.61.6E.74.73.41.6E.64.44.65.6E.69.61
                          %x6C.73 ; "grantsAndDenials"
UserClasses = "{" [ sp uc-allUsers ]
                  [ sep sp uc-thisEntry ]
                  [ sep sp uc-name ]
                  [ sep sp uc-userGroup ]
                  [ sep sp uc-subtree ]
                  sp "}"
uc-allUsers = id-allUsers msp NULL
uc-thisEntry = id-thisEntry msp NULL
uc-name = id-name msp NameAndOptionalUIDs
uc-userGroup = id-userGroup msp NameAndOptionalUIDs
uc-subtree = id-subtree msp SubtreeSpecifications
id-allUsers = %x61.6C.6C.55.73.65.72.73 ; "allUsers"
id-thisEntry = %x74.68.69.73.45.6E.74.72.79 ; "thisEntry"
id-name = %x6E.61.6D.65 ; "name"
id-userGroup = %x75.73.65.72.47.72.6F.75.70 ; "userGroup"
id-subtree = %x73.75.62.74.72.65.65 ; "subtree"

NameAndOptionalUIDs = "{" sp NameAndOptionalUID
                          *( "," sp NameAndOptionalUID ) sp "}"
NameAndOptionalUID = "{" sp nu-dn
                         [ "," sp nu-uid ]
                         sp "}"
nu-dn = id-dn msp DistinguishedName
nu-uid = id-uid msp UniqueIdentifier
UniqueIdentifier = BIT-STRING
id-dn = %x64.6E ; "dn"
id-uid = %x75.69.64 ; "uid"

SubtreeSpecifications = "{" sp SubtreeSpecification
                            *( "," sp SubtreeSpecification ) sp "}"

UserPermissions = "{" [ sp UserPermission
                      *( "," sp UserPermission ) ] sp "}"
UserPermission = "{" [ sp up-precedence "," ]
                     sp up-protectedItems ","
                     sp up-grantsAndDenials
                     sp "}"
up-precedence = id-precedence msp Precedence
up-protectedItems = id-protectedItems msp ProtectedItems
up-grantsAndDenials = id-grantsAndDenials msp GrantsAndDenials
ProtectedItems = "{" [ sp pi-entry ]
                     [ sep sp pi-allUserAttributeTypes ]
                     [ sep sp pi-attributeType ]
                     [ sep sp pi-allAttributeValues ]
                     [ sep sp pi-allUserTypesAndValues ]
                     [ sep sp pi-attributeValue ]
                     [ sep sp pi-selfValue ]
                     [ sep sp pi-rangeOfValues ]
                     [ sep sp pi-maxValueCount ]
                     [ sep sp pi-maxImmSub ]
                     [ sep sp pi-restrictedBy ]
                     [ sep sp pi-classes ]
                     sp "}"

pi-entry = id-entry msp NULL
pi-allUserAttributeTypes = id-allUserAttributeTypes msp NULL
pi-attributeType = id-attributeType msp AttributeTypes
pi-allAttributeValues = id-allAttributeValues msp
                            AttributeTypes
pi-allUserTypesAndValues = id-allUserAttributeTypesAndValues msp
                               NULL
pi-attributeValue = id-attributeValue msp
                        AttributeTypeAndValues
pi-selfValue = id-selfValue msp AttributeTypes
pi-rangeOfValues = id-rangeOfValues msp Filter
pi-maxValueCount = id-maxValueCount msp MaxValueCounts
pi-maxImmSub = id-maxImmSub msp INTEGER
pi-restrictedBy = id-restrictedBy msp RestrictedValues
pi-classes = id-classes msp Refinement
id-entry = %x65.6E.74.72.79 ; "entry"
id-allUserAttributeTypes = %x61.6C.6C.55.73.65.72.41.74.74.72.69
                               %x62.75.74.65.54.79.70.65.73
                               ; "allUserAttributeTypes"
id-attributeType = %x61.74.74.72.69.62.75.74.65.54.79.70
                       %x65 ; "attributeType"
id-allAttributeValues = %x61.6C.6C.41.74.74.72.69.62.75.74.65
                            %x56.61.6C.75.65.73
                            ; "allAttributeValues"
id-attributeValue = %x61.74.74.72.69.62.75.74.65.56.61.6C
                        %x75.65 ; "attributeValue"
id-selfValue = %x73.65.6C.66.56.61.6C.75.65 ; "selfValue"
id-rangeOfValues = %x72.61.6E.67.65.4F.66.56.61.6C.75.65
                       %x73 ; "rangeOfValues"
id-maxValueCount = %x6D.61.78.56.61.6C.75.65.43.6F.75.6E
                       %x74 ; "maxValueCount"
id-maxImmSub = %x6D.61.78.49.6D.6D.53.75.62 ; "maxImmSub"
id-restrictedBy = %x72.65.73.74.72.69.63.74.65.64.42.79
                      ; "restrictedBy"
id-classes = %x63.6C.61.73.73.65.73 ; "classes"
id-allUserAttributeTypesAndValues = %x61.6C.6C.55.73.65.72.41.74
                  %x74.72.69.62.75.74.65.54.79.70.65.73
                  %x41.6E.64.56.61.6C.75.65.73
                  ; "allUserAttributeTypesAndValues"
AttributeTypes = "{" sp AttributeType
                     *( "," sp AttributeType ) sp "}"

AttributeTypeAndValues = "{" sp AttributeTypeAndValue
                             *( "," sp AttributeTypeAndValue )
                             sp "}"
AttributeTypeAndValue = "{" sp atav-type ","
                            sp atav-value sp "}"
atav-type = id-type msp AttributeType
atav-value = id-value msp Value
id-type = %x74.79.70.65 ; "type"
id-value = %x76.61.6C.75.65 ; "value"

MaxValueCounts = "{" sp MaxValueCount
                     *( "," sp MaxValueCount ) sp "}"
MaxValueCount = "{" sp mvc-type ","
                    sp mvc-maxCount sp "}"
mvc-type = id-type msp AttributeType
mvc-maxCount = id-maxCount msp INTEGER
id-maxCount = %x6D.61.78.43.6F.75.6E.74 ; "maxCount"

RestrictedValues = "{" sp RestrictedValue
                       *( "," sp RestrictedValue ) sp "}"
RestrictedValue = "{" sp rv-type ","
                      sp rv-valuesin sp "}"
rv-type = id-type msp AttributeType
rv-valuesin = id-valuesin msp AttributeType
id-valuesin = %x76.61.6C.75.65.73.69.6E ; "valuesin"
GrantsAndDenials = "{" [ sp grantOrDeny
                       *( "," sp grantOrDeny ) ] sp "}"
grantOrDeny = id-grantAdd
            / id-denyAdd
            / id-grantDiscloseOnError
            / id-denyDiscloseOnError
            / id-grantRead
            / id-denyRead
            / id-grantRemove
            / id-denyRemove
            / id-grantBrowse
            / id-denyBrowse
            / id-grantExport
            / id-denyExport
            / id-grantImport
            / id-denyImport
            / id-grantModify
            / id-denyModify
            / id-grantRename
            / id-denyRename
            / id-grantReturnDN
            / id-denyReturnDN
            / id-grantCompare
            / id-denyCompare
            / id-grantFilterMatch
            / id-denyFilterMatch
            ; grantInvoke omitted
            ; denyInvoke omitted
id-grantAdd = %x67.72.61.6E.74.41.64.64 ; "grantAdd"
id-denyAdd = %x64.65.6E.79.41.64.64 ; "denyAdd"
id-grantBrowse = %x67.72.61.6E.74.42.72.6F.77.73.65
                     ; "grantBrowse"
id-denyBrowse = %x64.65.6E.79.42.72.6F.77.73.65 ; "denyBrowse"
id-grantCompare = %x67.72.61.6E.74.43.6F.6D.70.61.72.65
                      ; "grantCompare"
id-denyCompare = %x64.65.6E.79.43.6F.6D.70.61.72.65
                     ; "denyCompare"
id-grantDiscloseOnError = %x67.72.61.6E.74.44.69.73.63.6C.6F.73.65
                              %x4F.6E.45.72.72.6F.72
                              ; "grantDiscloseOnError"
id-denyDiscloseOnError = %x64.65.6E.79.44.69.73.63.6C.6F.73.65.4F
                             %x6E.45.72.72.6F.72
                             ; "denyDiscloseOnError"
id-grantExport = %x67.72.61.6E.74.45.78.70.6F.72.74
                     ; "grantExport"
id-denyExport = %x64.65.6E.79.45.78.70.6F.72.74
                    ; "denyExport"
id-grantFilterMatch = %x67.72.61.6E.74.46.69.6C.74.65.72.4D.61.74
                          %x63.68 ; "grantFilterMatch"
id-denyFilterMatch = %x64.65.6E.79.46.69.6C.74.65.72.4D.61.74.63
                         %x68 ; "denyFilterMatch"
id-grantImport = %x67.72.61.6E.74.49.6D.70.6F.72.74
                     ; "grantImport"
id-denyImport = %x64.65.6E.79.49.6D.70.6F.72.74
                    ; "denyImport"
id-grantModify = %x67.72.61.6E.74.4D.6F.64.69.66.79
                     ; "grantModify"
id-denyModify = %x64.65.6E.79.4D.6F.64.69.66.79
                    ; "denyModify"
id-grantRead = %x67.72.61.6E.74.52.65.61.64 ; "grantRead"
id-denyRead = %x64.65.6E.79.52.65.61.64 ; "denyRead"
id-grantRemove = %x67.72.61.6E.74.52.65.6D.6F.76.65
                     ; "grantRemove"
id-denyRemove = %x64.65.6E.79.52.65.6D.6F.76.65
                    ; "denyRemove"
id-grantRename = %x67.72.61.6E.74.52.65.6E.61.6D.65
                     ; "grantRename"
id-denyRename = %x64.65.6E.79.52.65.6E.61.6D.65
                    ; "denyRename"
id-grantReturnDN = %x67.72.61.6E.74.52.65.74.75.72.6E.44.4E
                       ; "grantReturnDN"
id-denyReturnDN = %x64.65.6E.79.52.65.74.75.72.6E.44.4E
                      ; "denyReturnDN"
2208 The <sp>, <msp>, <sep>, <AttributeType>, <BIT-STRING>, <BOOLEAN>,
2209 <DirectoryString>, <DistinguishedName>, <EXTERNAL>, <INTEGER>,
2210 <INTEGER-0-MAX> and <NULL> rules are described in [GCE].
The <SubtreeSpecification> and <Refinement> rules are described in
[SUBENTRY].
2215 The <Value> rule is described in [GSER].
2217 Filter = filter-item / filter-and / filter-or / filter-not
2218 filter-item = id-item ":" FilterItem
2219 filter-and = id-and ":" SetOfFilter
2220 filter-or = id-or ":" SetOfFilter
2221 filter-not = id-not ":" Filter
2222 id-and = %x61.6E.64 ; "and"
2223 id-item = %x69.74.65.6D ; "item"
2224 id-not = %x6E.6F.74 ; "not"
2225 id-or = %x6F.72 ; "or"
2227 SetOfFilter = "{" [ sp Filter *( "," sp Filter ) ] sp "}"
FilterItem = fi-equality
           / fi-substrings
           / fi-greaterOrEqual
           / fi-lessOrEqual
           / fi-present
           / fi-approximateMatch
           / fi-extensibleMatch
           ; contextPresent omitted

fi-equality = id-equality ":" AttributeValueAssertion
2247 fi-substrings = id-substrings ":" SubstringsAssertion
2248 fi-greaterOrEqual = id-greaterOrEqual ":"
2249 AttributeValueAssertion
2250 fi-lessOrEqual = id-lessOrEqual ":" AttributeValueAssertion
2251 fi-present = id-present ":" AttributeType
2252 fi-approximateMatch = id-approximateMatch ":"
2253 AttributeValueAssertion
2254 fi-extensibleMatch = id-extensibleMatch ":" MatchingRuleAssertion
id-equality = %x65.71.75.61.6C.69.74.79 ; "equality"
id-substrings = %x73.75.62.73.74.72.69.6E.67.73
                    ; "substrings"
id-greaterOrEqual = %x67.72.65.61.74.65.72.4F.72.45.71.75.61.6C
                        ; "greaterOrEqual"
id-lessOrEqual = %x6C.65.73.73.4F.72.45.71.75.61.6C
                     ; "lessOrEqual"
id-present = %x70.72.65.73.65.6E.74 ; "present"
id-approximateMatch = %x61.70.70.72.6F.78.69.6D.61.74.65.4D.61.74
                          %x63.68 ; "approximateMatch"
id-extensibleMatch = %x65.78.74.65.6E.73.69.62.6C.65.4D.61.74.63
                         %x68 ; "extensibleMatch"
AttributeValueAssertion = "{" sp ava-type ","
                              sp ava-assertion
                              ; assertedContexts omitted
                              sp "}"
ava-type = id-type msp AttributeType
ava-assertion = id-assertion msp Value
id-assertion = %x61.73.73.65.72.74.69.6F.6E ; "assertion"

SubstringsAssertion = "{" sp sa-type ","
                          sp sa-strings
                          sp "}"
sa-type = id-type msp AttributeType
sa-strings = id-strings msp Substrings
id-strings = %x73.74.72.69.6E.67.73 ; "strings"

Substrings = "{" [ sp Substring *( "," sp Substring ) ] sp "}"
Substring = ss-initial
          / ss-any
          / ss-final
ss-initial = id-initial ":" Value
ss-any = id-any ":" Value
ss-final = id-final ":" Value
id-initial = %x69.6E.69.74.69.61.6C ; "initial"
id-any = %x61.6E.79 ; "any"
2303 id-final = %x66.69.6E.61.6C ; "final"
MatchingRuleAssertion = "{" sp mra-matchingRule
                            [ "," sp mra-type ]
                            "," sp mra-matchValue
                            [ "," sp mra-dnAttributes ]
                            sp "}"
mra-matchingRule = id-matchingRule msp MatchingRuleIds
mra-type = id-type msp AttributeType
mra-matchValue = id-matchValue msp Value
mra-dnAttributes = id-dnAttributes msp BOOLEAN
id-matchingRule = %x6D.61.74.63.68.69.6E.67.52.75.6C.65
                      ; "matchingRule"
id-matchValue = %x6D.61.74.63.68.56.61.6C.75.65 ; "matchValue"
id-dnAttributes = %x64.6E.41.74.74.72.69.62.75.74.65.73
                      ; "dnAttributes"

MatchingRuleIds = "{" sp MatchingRuleId
                      *( "," sp MatchingRuleId ) sp "}"
MatchingRuleId = OBJECT-IDENTIFIER
2324 The <OBJECT-IDENTIFIER> rule is described in [GCE].
2327 Appendix B. Changes From Previous Drafts
2329 B.1 Changes in Draft 01
2331 The Internet draft draft-legg-ldap-acm-admin-00.txt has been split
2332 into two drafts, draft-legg-ldap-admin-00.txt and
2333 draft-legg-ldap-acm-admin-01.txt. Section 8 of
2334 draft-legg-ldapext-component-matching-06.txt has been extracted to
2335 become a separate Internet draft, draft-legg-ldap-gser-xx.txt. The
2336 references in this document have been updated accordingly.
2338 The term "native LDAP encoding" has been replaced by the term
2339 "LDAP-specific encoding" to align with terminology anticipated to be
2340 used in the revision of RFC 2252.
2342 Changes have been made to the Search Operation Decision Points
2345 In 4) a), the assumed FilterMatch permission for a present match of
2346 the objectClass attribute has been removed. An LDAP search with a
2347 True filter [FILTER] is the best analogue of the DAP read operation.
2348 A True filter does not filter any attribute type and therefore does
2349 not require FilterMatch permissions to succeed.
2359 In 5) b) and c), there is an additional requirement for Read
2360 permission for at least one attribute value before an attribute type
2361 can be returned in a search result. Without this change a search
2362 result could, in some circumstances, disclose the existence of
2363 particular hidden attribute values.
2365 B.2 Changes in Draft 02
2367 RFC 3377 replaces RFC 2251 as the reference for LDAP.
2369 An IANA Considerations section has been added.