-
-
-
-
-
-
INTERNET-DRAFT S. Legg
-draft-legg-ldap-acm-admin-01.txt Adacel Technologies
-Intended Category: Standards Track September 18, 2002
+draft-legg-ldap-acm-admin-03.txt Adacel Technologies
+Intended Category: Standards Track June 16, 2004
- Access Control Administration in LDAP
+ Lightweight Directory Access Protocol (LDAP):
+ Access Control Administration
- Copyright (C) The Internet Society (2002). All Rights Reserved.
+ Copyright (C) The Internet Society (2004). All Rights Reserved.
Status of this Memo
http://www.ietf.org/shadow.html.
Distribution of this document is unlimited. Comments should be sent
- to the LDUP working group mailing list <ietf-ldup@imc.org> or to the
- author.
+ to the author.
- This Internet-Draft expires on 18 March 2003.
+ This Internet-Draft expires on 16 December 2004.
-1. Abstract
+Abstract
This document adapts the X.500 directory administrative model, as it
pertains to access control administration, for use by the Lightweight
Directory Access Protocol. The administrative model partitions the
Directory Information Tree for various aspects of directory data
- administration, e.g. subschema, access control and collective
+ administration, e.g., subschema, access control and collective
attributes. This document provides the particular definitions that
support access control administration, but does not define a
particular access control scheme.
-Legg Expires 18 March 2003 [Page 1]
+Legg Expires 16 December 2004 [Page 1]
\f
-INTERNET-DRAFT Access Control Administration September 18, 2002
-
+INTERNET-DRAFT Access Control Administration June 16, 2004
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in RFC 2119 [RFC2119].
+Table of Contents
-2. Table of Contents
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
+ 2. Conventions. . . . . . . . . . . . . . . . . . . . . . . . . . 2
+ 3. Access Control Administrative Areas. . . . . . . . . . . . . . 3
+ 4. Access Control Scheme Indication . . . . . . . . . . . . . . . 3
+ 5. Access Control Information . . . . . . . . . . . . . . . . . . 4
+ 6. Access Control Subentries. . . . . . . . . . . . . . . . . . . 4
+ 7. Applicable Access Control Information. . . . . . . . . . . . . 5
+ 8. Security Considerations. . . . . . . . . . . . . . . . . . . . 5
+ 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 6
+ 10. IANA Considerations. . . . . . . . . . . . . . . . . . . . . . 6
+ 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 6
+ 11.1. Normative References. . . . . . . . . . . . . . . . . . 6
+ 11.2. Informative References. . . . . . . . . . . . . . . . . 7
+ Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 7
+ Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 7
- 1. Abstract .................................................... 1
- 2. Table of Contents ........................................... 2
- 3. Introduction ................................................ 2
- 4. Access Control Administrative Areas ......................... 3
- 5. Access Control Scheme Indication ............................ 3
- 6. Access Control Information .................................. 4
- 7. Access Control Subentries ................................... 4
- 8. Applicable Access Control Information ....................... 5
- 9. Security Considerations ..................................... 5
- 10. Acknowledgements ........................................... 6
- 11. Normative References ....................................... 6
- 12. Informative References ..................................... 6
- 13. Copyright Notice ........................................... 7
- 14. Author's Address ........................................... 7
-
-
-3. Introduction
+1. Introduction
This document adapts the X.500 directory administrative model [X501],
as it pertains to access control administration, for use by the
- Lightweight Directory Access Protocol (LDAP) [RFC2251].
+ Lightweight Directory Access Protocol (LDAP) [RFC3377].
The administrative model [ADMIN] partitions the Directory Information
- Tree (DIT) for various aspects of directory data administration, e.g.
- subschema, access control and collective attributes. The parts of
- the administrative model that apply to every aspect of directory data
- administration are described in [ADMIN]. This document describes the
- administrative framework for access control.
+ Tree (DIT) for various aspects of directory data administration,
+ e.g., subschema, access control and collective attributes. The parts
+ of the administrative model that apply to every aspect of directory
+ data administration are described in [ADMIN]. This document
+ describes the administrative framework for access control.
An access control scheme describes the means by which access to
directory information, and potentially to access rights themselves,
employing access control schemes but does not define a particular
access control scheme. Two access control schemes known as Basic
Access Control and Simplified Access Control are defined by [BAC].
- Other access control schemes MAY be defined by other documents.
+ Other access control schemes may be defined by other documents.
- Schema definitions are provided using LDAP description formats
- [RFC2252]. Note that the LDAP descriptions have been rendered with
- additional white-space and line breaks for the sake of readability.
+ This document is derived from, and duplicates substantial portions
+ of, Sections 4 and 8 of X.501 [X501].
+2. Conventions
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in BCP 14, RFC 2119
+ [RFC2119].
-Legg Expires 18 March 2003 [Page 2]
+Legg Expires 16 December 2004 [Page 2]
\f
-INTERNET-DRAFT Access Control Administration September 18, 2002
-
+INTERNET-DRAFT Access Control Administration June 16, 2004
- This document is derived from, and duplicates substantial portions
- of, Sections 4 and 8 of [X501].
+ Schema definitions are provided using LDAP description formats
+ [RFC2252]. Note that the LDAP descriptions have been rendered with
+ additional white-space and line breaks for the sake of readability.
-4. Access Control Administrative Areas
+3. Access Control Administrative Areas
The specific administrative area [ADMIN] for access control is termed
an Access Control Specific Area (ACSA). The root of the ACSA is
An ACSP or ACIP has zero, one or more subentries that contain Access
Control Information (ACI).
+4. Access Control Scheme Indication
-5. Access Control Scheme Indication
-
- The access control scheme (e.g. Basic Access Control [BAC]) in force
+ The access control scheme (e.g., Basic Access Control [BAC]) in force
in an ACSA is indicated by the accessControlScheme operational
attribute contained in the administrative entry for the relevant
ACSP.
SINGLE-VALUE USAGE directoryOperation )
An access control scheme conforming to the access control framework
+ described in this document MUST define a distinct OBJECT IDENTIFIER
-Legg Expires 18 March 2003 [Page 3]
+Legg Expires 16 December 2004 [Page 3]
\f
-INTERNET-DRAFT Access Control Administration September 18, 2002
+INTERNET-DRAFT Access Control Administration June 16, 2004
- described in this document MUST define a distinct OBJECT IDENTIFIER
value to identify it through the accessControlScheme attribute.
+ Object Identifier Descriptors for access control scheme identifiers
+ may be registered with IANA [BCP64].
Only administrative entries for ACSPs are permitted to contain an
accessControlScheme attribute. If the accessControlScheme attribute
control scheme identified by the value of the accessControlScheme
attribute of the ACSP.
-
-6. Access Control Information
+5. Access Control Information
There are three categories of Access Control Information (ACI):
entry, subentry and prescriptive.
subentries of subordinate administrative points, where those
subentries are within the subtree or subtree refinement.
-
-7. Access Control Subentries
+6. Access Control Subentries
Each subentry which contains prescriptive ACI MUST have
accessControlSubentry as a value of its objectClass attribute. Such
-Legg Expires 18 March 2003 [Page 4]
+
+Legg Expires 16 December 2004 [Page 4]
\f
-INTERNET-DRAFT Access Control Administration September 18, 2002
+INTERNET-DRAFT Access Control Administration June 16, 2004
( 2.5.17.1 NAME 'accessControlSubentry' AUXILIARY )
Since a subtreeSpecification may define a subtree refinement, DACDs
within a given ACSA may arbitrarily overlap.
-
-8. Applicable Access Control Information
+7. Applicable Access Control Information
Although particular items of ACI may specify attributes or values as
the protected items, ACI is logically associated with entries.
(3) Subentry ACI from the administrative point associated with the
subentry.
+8. Security Considerations
-9. Security Considerations
-
+ This document defines a framework for employing an access control
+ scheme, i.e., the means by which access to directory information and
-Legg Expires 18 March 2003 [Page 5]
+Legg Expires 16 December 2004 [Page 5]
\f
-INTERNET-DRAFT Access Control Administration September 18, 2002
+INTERNET-DRAFT Access Control Administration June 16, 2004
- This document defines a framework for employing an access control
- scheme, i.e. the means by which access to directory information and
potentially to access rights themselves may be controlled, but does
not itself define any particular access control scheme. The degree
of protection provided, and any security risks, are determined by the
Security considerations that apply to directory administration in
general [ADMIN] also apply to access control administration.
-
-10. Acknowledgements
+9. Acknowledgements
This document is derived from, and duplicates substantial portions
- of, Sections 4 and 8 of [X501].
+ of, Sections 4 and 8 of X.501 [X501].
+10. IANA Considerations
-11. Normative References
+ The Internet Assigned Numbers Authority (IANA) is requested to update
+ the LDAP descriptors registry [BCP64] as indicated by the following
+ templates:
+
+ Subject: Request for LDAP Descriptor Registration
+ Descriptor (short name): accessControlScheme
+ Object Identifier: 2.5.24.1
+ Person & email address to contact for further information:
+ Steven Legg <steven.legg@adacel.com.au>
+ Usage: attribute type
+ Specification: RFC XXXX
+ Author/Change Controller: IESG
+
+ Subject: Request for LDAP Descriptor Registration
+ Descriptor (short name): accessControlSubentry
+ Object Identifier: 2.5.17.1
+ Person & email address to contact for further information:
+ Steven Legg <steven.legg@adacel.com.au>
+ Usage: object class
+ Specification: RFC XXXX
+ Author/Change Controller: IESG
+
+11. References
+
+11.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
- [RFC2251] Wahl, M., Howes, T. and S. Kille, "Lightweight Directory
- Access Protocol (v3)", RFC 2251, December 1997.
-
[RFC2252] Wahl, M., Coulbeck, A., Howes, T. and S. Kille,
"Lightweight Directory Access Protocol (v3): Attribute
Syntax Definitions", RFC 2252, December 1997.
- [ADMIN] Legg, S., "Directory Administrative Model in LDAP",
- draft-legg-ldap-admin-xx.txt, a work in progress,
- September 2002.
- [SUBENTRY] Zeilenga, K. and S. Legg, "Subentries in LDAP",
- draft-zeilenga-ldap-subentry-xx.txt, a work in progress,
- August 2002.
+Legg Expires 16 December 2004 [Page 6]
+\f
+INTERNET-DRAFT Access Control Administration June 16, 2004
-12. Informative References
- [BAC] Legg, S., "Basic and Simplified Access Control in LDAP",
- draft-legg-ldap-acm-bac-xx.txt, a work in progress,
+ [RFC3377] Hodges, J. and R. Morgan, "Lightweight Directory Access
+ Protocol (v3): Technical Specification", RFC 3377,
September 2002.
- [COLLECT] Zeilenga, K., "Collective Attributes in LDAP",
- draft-zeilenga-ldap-collective-xx.txt, a work in progress,
- August 2002.
+ [BCP64] Zeilenga, K., "Internet Assigned Numbers Authority (IANA
+ Considerations for the Lightweight Directory Access
+ Protocol (LDAP)", BCP 64, RFC 3383, September 2002.
+ [SUBENTRY] Zeilenga, K. and S. Legg, "Subentries in the Lightweight
+ Directory Access Protocol (LDAP)", RFC 3672, December
+ 2003.
+ [ADMIN] Legg, S., "Lightweight Directory Access Protocol (LDAP):
+ Directory Administrative Model",
+ draft-legg-ldap-admin-xx.txt, a work in progress, June
+ 2004.
-Legg Expires 18 March 2003 [Page 6]
-\f
-INTERNET-DRAFT Access Control Administration September 18, 2002
+11.2. Informative References
+ [COLLECT] Zeilenga, K., "Collective Attributes in the Lightweight
+ Directory Access Protocol (LDAP)", RFC 3671, December
+ 2003.
- [X501] ITU-T Recommendation X.501 (02/2001), Information
- technology - Open Systems Interconnection - The Directory:
- Models
+ [BAC] Legg, S., "Lightweight Directory Access Protocol (LDAP):
+ Basic and Simplified Access Control",
+ draft-legg-ldap-acm-bac-xx.txt, a work in progress, June
+ 2004.
+ [X501] ITU-T Recommendation X.501 (02/01) | ISO/IEC 9594-2:2001,
+ Information technology - Open Systems Interconnection -
+ The Directory: Models
-13. Copyright Notice
+Author's Address
- Copyright (C) The Internet Society (2002). All Rights Reserved.
+ Steven Legg
+ Adacel Technologies Ltd.
+ 250 Bay Street
+ Brighton, Victoria 3186
+ AUSTRALIA
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
+ Phone: +61 3 8530 7710
+ Fax: +61 3 8530 7888
+ EMail: steven.legg@adacel.com.au
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
+Full Copyright Statement
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+ Copyright (C) The Internet Society (2004). This document is subject
+ to the rights, licenses and restrictions contained in BCP 78, and
-14. Author's Address
- Steven Legg
- Adacel Technologies Ltd.
- 405-409 Ferntree Gully Road
- Mount Waverley, Victoria 3149
- AUSTRALIA
+Legg Expires 16 December 2004 [Page 7]
+\f
+INTERNET-DRAFT Access Control Administration June 16, 2004
- Phone: +61 3 9451 2107
- Fax: +61 3 9541 2121
- EMail: steven.legg@adacel.com.au
+ except as set forth therein, the authors retain all their rights.
-15. Appendix A - Changes From Previous Drafts
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+Intellectual Property
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
-Legg Expires 18 March 2003 [Page 7]
-\f
-INTERNET-DRAFT Access Control Administration September 18, 2002
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
-15.1 Changes in Draft 01
+Changes in Draft 01
Section 4 has been extracted to become a separate Internet draft,
draft-legg-ldap-admin-00.txt. The subsections of Section 5 have
- become the new Sections 4 to 8. Editorial changes have been made to
+ become the new Sections 3 to 7. Editorial changes have been made to
accommodate this split. No technical changes have been introduced.
+Changes in Draft 02
+
+ RFC 3377 replaces RFC 2251 as the reference for LDAP.
+
+ An IANA Considerations section has been added.
+
+Changes in Draft 03
+
+
+
+Legg Expires 16 December 2004 [Page 8]
+\f
+INTERNET-DRAFT Access Control Administration June 16, 2004
+
+ The document has been reformatted in line with current practice.
-Legg Expires 18 March 2003 [Page 8]
+
+
+
+
+
+
+
+Legg Expires 16 December 2004 [Page 9]
\f
+