draft-legg-ldap-admin-00.txt                           Adacel Technologies
Intended Category: Standards Track                      September 18, 2002

                  Directory Administrative Model in LDAP

Copyright (C) The Internet Society (2002). All Rights Reserved.

This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress".

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

Distribution of this document is unlimited. Comments should be sent
to the LDUP working group mailing list <ietf-ldup@imc.org> or to the

This Internet-Draft expires on 18 March 2003.
1. Abstract

This document adapts the X.500 directory administrative model for use
by the Lightweight Directory Access Protocol. The administrative
model partitions the Directory Information Tree for various aspects
of directory data administration, e.g. subschema, access control and
collective attributes. The generic framework that applies to every
aspect of administration is described in this document. The
definitions that apply for a specific aspect of administration, e.g.
access control administration, are described in other documents.
Legg                     Expires 18 March 2003                  [Page 1]

INTERNET-DRAFT       Directory Administrative Model   September 18, 2002
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
2. Table of Contents

1. Abstract .................................................... 1
2. Table of Contents ........................................... 2
3. Introduction ................................................ 2
4. Administrative Areas ........................................ 2
5. Autonomous Administrative Areas ............................. 3
6. Specific Administrative Areas ............................... 3
7. Inner Administrative Areas .................................. 4
8. Administrative Entries ...................................... 5
9. Security Considerations ..................................... 5
10. Acknowledgements ........................................... 5
11. Normative References ....................................... 5
12. Informative References ..................................... 6
13. Copyright Notice ........................................... 6
14. Author's Address ........................................... 6
3. Introduction

This document adapts the X.500 directory administrative model [X501]
for use by the Lightweight Directory Access Protocol (LDAP)
[RFC2251]. The administrative model partitions the Directory
Information Tree (DIT) for various aspects of directory data
administration, e.g. subschema, access control and collective
attributes. This document provides the definitions for the generic
parts of the administrative model that apply to every aspect of
directory data administration.

Sections 4 to 8, in conjunction with [SUBENTRY], describe the means
by which administrative authority is apportioned and exercised in the

Aspects of administration that conform to the administrative model
described in this document are detailed elsewhere, e.g. access
control administration is described in [ACA] and collective attribute
administration is described in [COLLECT].

This document is derived from, and duplicates substantial portions
of, Sections 4 and 8 of [X501].
4. Administrative Areas
An administrative area is a subtree of the DIT considered from the
perspective of administration. The root entry of the subtree is an
administrative point. An administrative point is represented by an
entry holding an administrativeRole attribute [SUBENTRY]. The values
of this attribute identify the kind of administrative point.

5. Autonomous Administrative Areas

The DIT may be partitioned into one or more non-overlapping subtrees
termed autonomous administrative areas. It is expected that the
entries in an autonomous administrative area are all administered by
the same administrative authority.

An administrative authority may be responsible for several autonomous
administrative areas in separated parts of the DIT but it SHOULD NOT
arbitrarily partition the collection of entries under its control
into autonomous administrative areas (thus creating adjacent
autonomous areas administered by the same authority).

The root entry of an autonomous administrative area's subtree is
called an autonomous administrative point. An autonomous
administrative area extends from its autonomous administrative point
downwards until another autonomous administrative point is
encountered, at which point another autonomous administrative area

6. Specific Administrative Areas

Entries in an administrative area may be considered in terms of a
specific administrative function. When viewed in this context, an
administrative area is termed a specific administrative area.

Examples of specific administrative areas are subschema specific
administrative areas, access control specific areas and collective
attribute specific areas.

An autonomous administrative area may be considered as implicitly
defining a single specific administrative area for each specific
aspect of administration. In this case, there is a precise
correspondence between each such specific administrative area and the
autonomous administrative area.

Alternatively, for each specific aspect of administration, the
autonomous administrative area may be partitioned into
non-overlapping specific administrative areas.
If so partitioned for a particular aspect of administration, each
entry of the autonomous administrative area is contained in one and
only one specific administrative area for that aspect, i.e. specific
administrative areas do not overlap.

The root entry of a specific administrative area's subtree is called
a specific administrative point. A specific administrative area
extends from its specific administrative point downwards until
another specific administrative point of the same administrative
aspect is encountered, at which point another specific administrative
area begins. Specific administrative areas are always bounded by the
autonomous administrative area they partition.

Where an autonomous administrative area is not partitioned for a
specific aspect of administration, the specific administrative area
for that aspect coincides with the autonomous administrative area.
In this case, the autonomous administrative point is also the
specific administrative point for this aspect of administration. A
particular administrative point may be the root of an autonomous
administrative area and may be the root of one or more specific
administrative areas for different aspects of administration.

It is not necessary for an administrative point to represent each
specific aspect of administrative authority. For example, there
might be an administrative point, subordinate to the root of the
autonomous administrative area, which is used for access control

7. Inner Administrative Areas

For some aspects of administration, e.g. access control or collective
attributes, inner administrative areas may be defined within the
specific administrative areas, to allow a limited form of delegation,
or for administrative or operational convenience.

An inner administrative area may be nested within another inner
administrative area. The rules for nested inner areas are defined as
part of the definition of the specific administrative aspect for
which they are allowed.

The root entry of an inner administrative area's subtree is called an
inner administrative point. An inner administrative area (within a
specific administrative area) extends from its inner administrative
point downwards until a specific administrative point of the same
administrative aspect is encountered. An inner administrative area
is bounded by the specific administrative area within which it is
8. Administrative Entries

An entry located at an administrative point is an administrative
entry. Administrative entries MAY have subentries [SUBENTRY] as
immediate subordinates. The administrative entry and its associated
subentries are used to control the entries encompassed by the
associated administrative area. Where inner administrative areas are
used, the scopes of these areas may overlap. Therefore, for each
specific aspect of administrative authority, a definition is required
of the method of combination of administrative information when it is
possible for entries to be included in more than one subtree or
subtree refinement associated with an inner area defined for that
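The area rules of Sections 5 to 8, and the replication requirement of Section 9, worked through in code. This is an added example, not text or code from the draft: the DIT is a constructed sample, DNs are written root-first as tuples, and the administrativeRole value names follow X.501 usage as an assumption (the draft only says the values identify the kind of administrative point).

```python
# Added example (not from the draft): resolve which administrative points
# govern an entry for one aspect, then derive the administrative entries a
# replica must carry (Section 9). DNs are root-first tuples; the role value
# names are assumed from X.501 usage, not defined by this draft.
ROOT = ("dc=example",)
DIT = {  # constructed sample DIT: DN -> set of administrativeRole values
    ROOT: {"autonomousArea", "subschemaAdminSpecificArea"},
    ROOT + ("ou=people",): {"accessControlSpecificArea"},
    ROOT + ("ou=people", "ou=staff"): {"accessControlInnerArea"},
    ROOT + ("ou=people", "ou=staff", "ou=it"): {"accessControlInnerArea"},
    ROOT + ("ou=people", "ou=staff", "ou=it", "cn=alice"): set(),
    ROOT + ("ou=devices",): set(),
    ROOT + ("ou=devices", "cn=printer1"): set(),
    ROOT + ("o=partner",): {"autonomousArea"},
    ROOT + ("o=partner", "cn=bob"): set(),
}

def governing_points(dn, aspect):
    """Autonomous, specific and inner points governing `dn` for one aspect
    (e.g. "accessControl"). Walk upward: inner points are collected until
    the nearest specific point of the same aspect; the walk stops at the
    autonomous point, which doubles as the specific point if unpartitioned."""
    autonomous = specific = None
    inner = []  # innermost first; nested inner areas overlap, so keep all
    for depth in range(len(dn), 0, -1):
        node = dn[:depth]
        roles = DIT.get(node, set())
        if specific is None and aspect + "SpecificArea" in roles:
            specific = node
        elif specific is None and aspect + "InnerArea" in roles:
            inner.append(node)
        if "autonomousArea" in roles:
            autonomous = node
            specific = specific or node  # aspect not partitioned here
            break
    return {"autonomous": autonomous, "specific": specific, "inner": inner}

def admin_entries_for_replica(subtree_root, aspects):
    """Administrative entries a replica of `subtree_root` must hold so that
    policy for `aspects` can be enforced there (Section 9). Some of them lie
    above the replicated subtree and are easy to omit by mistake."""
    needed = set()
    for dn in DIT:
        if dn[:len(subtree_root)] != subtree_root:
            continue  # entry is outside the replicated portion
        for aspect in aspects:
            g = governing_points(dn, aspect)
            needed.update(p for p in (g["autonomous"], g["specific"]) if p)
            needed.update(g["inner"])
    return needed
```

For cn=alice the access control aspect resolves to the specific point ou=people with two nested inner points, while for the subschema aspect the autonomous point dc=example is also the specific point; a replica of ou=staff therefore needs dc=example and ou=people even though neither lies inside the replicated subtree.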
9. Security Considerations

This document defines a generic framework for employing policy of
various kinds, e.g. access controls, to entries in the DIT. Such
policy can only be correctly enforced at a directory server holding a
replica of a portion of the DIT if the administrative entries for
administrative areas that overlap the portion of the DIT being
replicated, and the subentries of those administrative entries
relevant to any aspect of policy that is required to be enforced at
the replica, are included in the replicated information.

Administrative entries and subentries SHOULD be protected from
unauthorized examination or changes by appropriate access controls.
10. Acknowledgements

This document is derived from, and duplicates substantial portions
of, Sections 4 and 8 of [X501].
11. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
          Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2251] Wahl, M., Howes, T. and S. Kille, "Lightweight Directory
          Access Protocol (v3)", RFC 2251, December 1997.

[SUBENTRY] Zeilenga, K. and S. Legg, "Subentries in LDAP",
          draft-zeilenga-ldap-subentry-xx.txt, a work in progress,
12. Informative References

[ACA]     Legg, S., "Access Control Administration in LDAP",
          draft-legg-ldap-acm-admin-xx.txt, a work in progress,

[COLLECT] Zeilenga, K., "Collective Attributes in LDAP",
          draft-zeilenga-ldap-collective-xx.txt, a work in progress,

[X501]    ITU-T Recommendation X.501 (02/2001), Information
          technology - Open Systems Interconnection - The Directory:
13. Copyright Notice

Copyright (C) The Internet Society (2002). All Rights Reserved.

This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than

The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
14. Author's Address

Adacel Technologies Ltd.
405-409 Ferntree Gully Road
Mount Waverley, Victoria 3149

Phone: +61 3 9451 2107

EMail: steven.legg@adacel.com.au
15. Appendix A - Changes From Previous Drafts

This document reproduces Section 4 from
draft-legg-ldap-acm-admin-00.txt as a standalone document. All
changes made are purely editorial. No technical changes have been