draft-legg-ldap-admin-01.txt                        Adacel Technologies
Intended Category: Standards Track                     February 25, 2003

               Directory Administrative Model in LDAP

     Copyright (C) The Internet Society (2003). All Rights Reserved.

This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress".

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

Distribution of this document is unlimited. Comments should be sent
to the LDUP working group mailing list <ietf-ldup@imc.org> or to the

This Internet-Draft expires on 25 August 2003.
1. Abstract

This document adapts the X.500 directory administrative model for use
by the Lightweight Directory Access Protocol. The administrative
model partitions the Directory Information Tree for various aspects
of directory data administration, e.g. subschema, access control and
collective attributes. The generic framework that applies to every
aspect of administration is described in this document. The
definitions that apply for a specific aspect of administration, e.g.
access control administration, are described in other documents.

Legg                   Expires 25 August 2003                 [Page 1]

INTERNET-DRAFT    Directory Administrative Model     February 25, 2003
2. Table of Contents

1. Abstract ...................................................... 1
2. Table of Contents ............................................. 2
3. Introduction .................................................. 2
4. Conventions ................................................... 2
5. Administrative Areas .......................................... 3
6. Autonomous Administrative Areas ............................... 3
7. Specific Administrative Areas ................................. 3
8. Inner Administrative Areas .................................... 4
9. Administrative Entries ........................................ 5
10. Security Considerations ...................................... 5
11. Acknowledgements ............................................. 5
12. Normative References ......................................... 5
13. Informative References ....................................... 6
14. Copyright Notice ............................................. 6
15. Author's Address ............................................. 7
3. Introduction

This document adapts the X.500 directory administrative model [X501]
for use by the Lightweight Directory Access Protocol (LDAP)
[RFC3377]. The administrative model partitions the Directory
Information Tree (DIT) for various aspects of directory data
administration, e.g. subschema, access control and collective
attributes. This document provides the definitions for the generic
parts of the administrative model that apply to every aspect of
directory data administration.

Sections 5 to 9, in conjunction with [SUBENTRY], describe the means
by which administrative authority is apportioned and exercised in the

Aspects of administration that conform to the administrative model
described in this document are detailed elsewhere, e.g. access
control administration is described in [ACA] and collective attribute
administration is described in [COLLECT].

This document is derived from, and duplicates substantial portions
of, Sections 4 and 8 of [X501].

4. Conventions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
5. Administrative Areas

An administrative area is a subtree of the DIT considered from the
perspective of administration. The root entry of the subtree is an
administrative point. An administrative point is represented by an
entry holding an administrativeRole attribute [SUBENTRY]. The values
of this attribute identify the kind of administrative point.

6. Autonomous Administrative Areas

The DIT may be partitioned into one or more non-overlapping subtrees
termed autonomous administrative areas. It is expected that the
entries in an autonomous administrative area are all administered by
the same administrative authority.

An administrative authority may be responsible for several autonomous
administrative areas in separated parts of the DIT but it SHOULD NOT
arbitrarily partition the collection of entries under its control
into autonomous administrative areas (thus creating adjacent
autonomous areas administered by the same authority).

The root entry of an autonomous administrative area's subtree is
called an autonomous administrative point. An autonomous
administrative area extends from its autonomous administrative point
downwards until another autonomous administrative point is
encountered, at which point another autonomous administrative area

7. Specific Administrative Areas

Entries in an administrative area may be considered in terms of a
specific administrative function. When viewed in this context, an
administrative area is termed a specific administrative area.

Examples of specific administrative areas are subschema specific
administrative areas, access control specific areas and collective
attribute specific areas.

An autonomous administrative area may be considered as implicitly
defining a single specific administrative area for each specific
aspect of administration. In this case, there is a precise
correspondence between each such specific administrative area and the
autonomous administrative area.
Alternatively, for each specific aspect of administration, the
autonomous administrative area may be partitioned into
non-overlapping specific administrative areas.
If so partitioned for a particular aspect of administration, each
entry of the autonomous administrative area is contained in one and
only one specific administrative area for that aspect, i.e. specific
administrative areas do not overlap.

The root entry of a specific administrative area's subtree is called
a specific administrative point. A specific administrative area
extends from its specific administrative point downwards until
another specific administrative point of the same administrative
aspect is encountered, at which point another specific administrative
area begins. Specific administrative areas are always bounded by the
autonomous administrative area they partition.

Where an autonomous administrative area is not partitioned for a
specific aspect of administration, the specific administrative area
for that aspect coincides with the autonomous administrative area.
In this case, the autonomous administrative point is also the
specific administrative point for this aspect of administration. A
particular administrative point may be the root of an autonomous
administrative area and may be the root of one or more specific
administrative areas for different aspects of administration.

It is not necessary for an administrative point to represent each
specific aspect of administrative authority. For example, there
might be an administrative point, subordinate to the root of the
autonomous administrative area, which is used for access control
8. Inner Administrative Areas

For some aspects of administration, e.g. access control or collective
attributes, inner administrative areas may be defined within the
specific administrative areas, to allow a limited form of delegation,
or for administrative or operational convenience.

An inner administrative area may be nested within another inner
administrative area. The rules for nested inner areas are defined as
part of the definition of the specific administrative aspect for
which they are allowed.

The root entry of an inner administrative area's subtree is called an
inner administrative point. An inner administrative area (within a
specific administrative area) extends from its inner administrative
point downwards until a specific administrative point of the same
administrative aspect is encountered. An inner administrative area
is bounded by the specific administrative area within which it is
9. Administrative Entries

An entry located at an administrative point is an administrative
entry. Administrative entries MAY have subentries [SUBENTRY] as
immediate subordinates. The administrative entry and its associated
subentries are used to control the entries encompassed by the
associated administrative area. Where inner administrative areas are
used, the scopes of these areas may overlap. Therefore, for each
specific aspect of administrative authority, a definition is required
of the method of combination of administrative information when it is
possible for entries to be included in more than one subtree or
subtree refinement associated with an inner area defined for that
10. Security Considerations

This document defines a generic framework for employing policy of
various kinds, e.g. access controls, to entries in the DIT. Such
policy can only be correctly enforced at a directory server holding a
replica of a portion of the DIT if the administrative entries for
administrative areas that overlap the portion of the DIT being
replicated, and the subentries of those administrative entries
relevant to any aspect of policy that is required to be enforced at
the replica, are included in the replicated information.

Administrative entries and subentries SHOULD be protected from
unauthorized examination or changes by appropriate access controls.
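The boundary rules of Sections 6 to 8 (an area extends downward until the next point of the same kind; specific areas stop at the autonomous boundary; an unpartitioned autonomous point doubles as the specific point; inner areas stop at the specific point of their aspect) and the replication condition of Section 10 can be checked mechanically. The following Python is an added example written for this page and is not code from the draft or from any directory product. It assumes the administrativeRole value names defined in X.501 and the subentries specification the draft cites (autonomousArea, accessControlSpecificArea, accessControlInnerArea and so on), which the draft itself does not list, and it treats DNs as plain comma-separated RDN lists with no escaped commas. The sample DIT is constructed for the example.

```python
"""Resolve the administrative points governing an entry, then check a replica.

Added illustration of Sections 6-8 and 10 of the draft; not the draft's code.
Role names follow X.501 / the LDAP subentries spec the draft cites (an
assumption about the server's vocabulary).  DNs are treated as simple
comma-separated RDN lists with no escaped commas (simplification).
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set

AUTONOMOUS = "autonomousArea"

# aspect -> (specific-area role, inner-area role or None if the aspect has none)
ASPECT_ROLES = {
    "accessControl": ("accessControlSpecificArea", "accessControlInnerArea"),
    "subschema": ("subschemaAdminSpecificArea", None),
    "collectiveAttribute": ("collectiveAttributeSpecificArea",
                            "collectiveAttributeInnerArea"),
}

# Constructed sample DIT: DN -> administrativeRole values held by that entry.
SAMPLE_DIT: Dict[str, Set[str]] = {
    "dc=example,dc=com": {AUTONOMOUS},
    "ou=people,dc=example,dc=com": {"accessControlSpecificArea"},
    "ou=staff,ou=people,dc=example,dc=com": {"accessControlInnerArea"},
    "ou=contractors,ou=staff,ou=people,dc=example,dc=com": {"accessControlInnerArea"},
    "cn=alice,ou=contractors,ou=staff,ou=people,dc=example,dc=com": set(),
    "ou=devices,dc=example,dc=com": set(),
    "cn=printer1,ou=devices,dc=example,dc=com": set(),
    "ou=partner,dc=example,dc=com": {AUTONOMOUS},  # a second autonomous area
    "cn=bob,ou=partner,dc=example,dc=com": set(),
}


@dataclass
class Governance:
    autonomous: Optional[str]  # autonomous point; None if outside every area
    specific: Optional[str]    # specific point for the requested aspect
    inner: List[str] = field(default_factory=list)  # inner points, nearest first


def ancestors(dn: str) -> List[str]:
    """The entry itself, then each superior entry up to the root."""
    rdns = dn.split(",")
    return [",".join(rdns[i:]) for i in range(len(rdns))]


def is_subordinate(dn: str, root: str) -> bool:
    return root in ancestors(dn)[1:]


def governing_points(dit: Dict[str, Set[str]], entry_dn: str, aspect: str) -> Governance:
    """Walk upward from the entry applying the boundary rules of Sections 6-8."""
    specific_role, inner_role = ASPECT_ROLES[aspect]
    gov = Governance(autonomous=None, specific=None)
    for dn in ancestors(entry_dn):
        roles = dit.get(dn, set())
        # Inner areas end at the specific point of the same aspect, so an
        # inner point above it belongs to some other specific area.
        if gov.specific is None:
            if inner_role is not None and inner_role in roles:
                gov.inner.append(dn)
            if specific_role in roles:
                gov.specific = dn
        if AUTONOMOUS in roles:
            gov.autonomous = dn
            # Not partitioned for this aspect: the autonomous point is also
            # the specific point (Section 7).
            if gov.specific is None:
                gov.specific = dn
            break  # specific and inner areas never cross an autonomous boundary
    return gov


def required_admin_points(dit: Dict[str, Set[str]], replicated_root: str, aspect: str) -> Set[str]:
    """Administrative points whose areas overlap the subtree being replicated.

    Section 10: the replica can only enforce policy for `aspect` if these
    entries (and the relevant subentries directly beneath them) are replicated.
    """
    gov = governing_points(dit, replicated_root, aspect)
    needed = {dn for dn in (gov.autonomous, gov.specific, *gov.inner) if dn is not None}
    specific_role, inner_role = ASPECT_ROLES[aspect]
    relevant = {AUTONOMOUS, specific_role} | ({inner_role} if inner_role else set())
    for dn, roles in dit.items():
        if is_subordinate(dn, replicated_root) and roles & relevant:
            needed.add(dn)
    return needed


def missing_from_replica(dit, replicated_root, replica_dns: Iterable[str], aspect) -> Set[str]:
    """Administrative points the replica lacks; empty means policy is enforceable."""
    return required_admin_points(dit, replicated_root, aspect) - set(replica_dns)


if __name__ == "__main__":
    alice = "cn=alice,ou=contractors,ou=staff,ou=people,dc=example,dc=com"
    print(governing_points(SAMPLE_DIT, alice, "accessControl"))
    root = "ou=staff,ou=people,dc=example,dc=com"
    replica = [d for d in SAMPLE_DIT if d == root or is_subordinate(d, root)]
    print(sorted(missing_from_replica(SAMPLE_DIT, root, replica, "accessControl")))
```

Replicating only the ou=staff subtree leaves the replica without the autonomous point dc=example,dc=com and the access control specific point ou=people, so any access control policy held in their subentries cannot be enforced there; the check surfaces exactly those two entries. A production version would additionally enumerate the subentries beneath each required administrative entry and filter them by the aspect in question.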
11. Acknowledgements

This document is derived from, and duplicates substantial portions
of, Sections 4 and 8 of [X501].
12. Normative References

[RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
           Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC3377]  Hodges, J. and R. Morgan, "Lightweight Directory Access
           Protocol (v3): Technical Specification", RFC 3377,
[SUBENTRY] Zeilenga, K. and S. Legg, "Subentries in LDAP",
           draft-zeilenga-ldap-subentry-xx.txt, a work in progress,

13. Informative References

[ACA]      Legg, S., "Access Control Administration in LDAP",
           draft-legg-ldap-acm-admin-xx.txt, a work in progress,

[COLLECT]  Zeilenga, K., "Collective Attributes in LDAP",
           draft-zeilenga-ldap-collective-xx.txt, a work in progress,

[X501]     ITU-T Recommendation X.501 (02/2001), Information
           technology - Open Systems Interconnection - The Directory:
14. Copyright Notice

Copyright (C) The Internet Society (2003). All Rights Reserved.

This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
15. Author's Address

Steven Legg
Adacel Technologies Ltd.
Brighton, Victoria 3186

Phone: +61 3 8530 7710
EMail: steven.legg@adacel.com.au
Appendix A - Changes From Previous Drafts

A.1 Changes in Draft 00

This document reproduces Section 4 from
draft-legg-ldap-acm-admin-00.txt as a standalone document. All
changes made are purely editorial. No technical changes have been

A.2 Changes in Draft 01

RFC 3377 replaces RFC 2251 as the reference for LDAP.