-
-
-
-
-
-
INTERNET-DRAFT S. Legg
-draft-legg-ldap-admin-01.txt Adacel Technologies
-Intended Category: Standards Track February 25, 2003
+draft-legg-ldap-admin-02.txt Adacel Technologies
+Intended Category: Standards Track June 16, 2004
- Directory Administrative Model in LDAP
+ Lightweight Directory Access Protocol (LDAP):
+ Directory Administrative Model
- Copyright (C) The Internet Society (2003). All Rights Reserved.
+ Copyright (C) The Internet Society (2004). All Rights Reserved.
Status of this Memo
http://www.ietf.org/shadow.html.
Distribution of this document is unlimited. Comments should be sent
- to the LDUP working group mailing list <ietf-ldup@imc.org> or to the
- author.
+ to the author.
- This Internet-Draft expires on 25 August 2003.
+ This Internet-Draft expires on 16 December 2004.
-1. Abstract
+Abstract
This document adapts the X.500 directory administrative model for use
by the Lightweight Directory Access Protocol. The administrative
model partitions the Directory Information Tree for various aspects
- of directory data administration, e.g. subschema, access control and
+ of directory data administration, e.g., subschema, access control and
collective attributes. The generic framework that applies to every
aspect of administration is described in this document. The
- definitions that apply for a specific aspect of administration, e.g.
+ definitions that apply for a specific aspect of administration, e.g.,
access control administration, are described in other documents.
-Legg Expires 25 August 2003 [Page 1]
+Legg Expires 16 December 2004 [Page 1]
\f
-INTERNET-DRAFT Directory Administrative Model February 25, 2003
-
+INTERNET-DRAFT Directory Administrative Model June 16, 2004
-2. Table of Contents
- 1. Abstract ...................................................... 1
- 2. Table of Contents ............................................. 2
- 3. Introduction .................................................. 2
- 4. Conventions ................................................... 2
- 5. Administrative Areas .......................................... 3
- 6. Autonomous Administrative Areas ............................... 3
- 7. Specific Administrative Areas ................................. 3
- 8. Inner Administrative Areas .................................... 4
- 9. Administrative Entries ........................................ 5
- 10. Security Considerations ...................................... 5
- 11. Acknowledgements ............................................. 5
- 12. Normative References ......................................... 5
- 13. Informative References ....................................... 6
- 14. Copyright Notice ............................................. 6
- 15. Author's Address ............................................. 7
+Table of Contents
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
+ 2. Conventions. . . . . . . . . . . . . . . . . . . . . . . . . . 2
+ 3. Administrative Areas . . . . . . . . . . . . . . . . . . . . . 2
+ 4. Autonomous Administrative Areas. . . . . . . . . . . . . . . . 3
+ 5. Specific Administrative Areas. . . . . . . . . . . . . . . . . 3
+ 6. Inner Administrative Areas . . . . . . . . . . . . . . . . . . 4
+ 7. Administrative Entries . . . . . . . . . . . . . . . . . . . . 4
+ 8. Security Considerations. . . . . . . . . . . . . . . . . . . . 5
+ 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 5
+ 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 5
+ 10.1. Normative References. . . . . . . . . . . . . . . . . . 5
+ 10.2. Informative References. . . . . . . . . . . . . . . . . 5
+ 11. Author's Address . . . . . . . . . . . . . . . . . . . . . . . 6
+ Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 6
-3. Introduction
+1. Introduction
This document adapts the X.500 directory administrative model [X501]
- for use by the Lightweight Directory Access Protocol (LDAP)
- [RFC3377]. The administrative model partitions the Directory
- Information Tree (DIT) for various aspects of directory data
- administration, e.g. subschema, access control and collective
- attributes. This document provides the definitions for the generic
- parts of the administrative model that apply to every aspect of
- directory data administration.
-
- Sections 5 to 9, in conjunction with [SUBENTRY], describe the means
+ for use by the Lightweight Directory Access Protocol (LDAP) [LDAP].
+ The administrative model partitions the Directory Information Tree
+ (DIT) for various aspects of directory data administration, e.g.,
+ subschema, access control and collective attributes. This document
+ provides the definitions for the generic parts of the administrative
+ model that apply to every aspect of directory data administration.
+
+ Sections 3 to 7, in conjunction with [SUBENTRY], describe the means
by which administrative authority is aportioned and exercised in the
DIT.
Aspects of administration that conform to the administrative model
- described in this document are detailed elsewhere, e.g. access
+ described in this document are detailed elsewhere, e.g., access
control administration is described in [ACA] and collective attribute
administration is described in [COLLECT].
This document is derived from, and duplicates substantial portions
- of, Sections 4 and 8 of [X501].
+ of, Sections 4 and 8 of X.501 [X501].
-4. Conventions
+2. Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in RFC 2119 [RFC2119].
+ document are to be interpreted as described in BCP 14, RFC 2119
+ [RFC2119].
+3. Administrative Areas
-Legg Expires 25 August 2003 [Page 2]
-\f
-INTERNET-DRAFT Directory Administrative Model February 25, 2003
+Legg Expires 16 December 2004 [Page 2]
+\f
+INTERNET-DRAFT Directory Administrative Model June 16, 2004
-5. Administrative Areas
An administrative area is a subtree of the DIT considered from the
perspective of administration. The root entry of the subtree is an
entry holding an administrativeRole attribute [SUBENTRY]. The values
of this attribute identify the kind of administrative point.
-
-6. Autonomous Administrative Areas
+4. Autonomous Administrative Areas
The DIT may be partitioned into one or more non-overlapping subtrees
termed autonomous administrative areas. It is expected that the
encountered, at which point another autonomous administrative area
begins.
-
-7. Specific Administrative Areas
+5. Specific Administrative Areas
Entries in an administrative area may be considered in terms of a
specific administrative function. When viewed in this context, an
Alternatively, for each specific aspect of administration, the
autonomous administrative area may be partitioned into
+ non-overlapping specific administrative areas.
+ If so partitioned for a particular aspect of administration, each
+ entry of the autonomous administrative area is contained in one and
-Legg Expires 25 August 2003 [Page 3]
-\f
-INTERNET-DRAFT Directory Administrative Model February 25, 2003
+Legg Expires 16 December 2004 [Page 3]
+\f
+INTERNET-DRAFT Directory Administrative Model June 16, 2004
- non-overlapping specific administrative areas.
- If so partitioned for a particular aspect of administration, each
- entry of the autonomous administrative area is contained in one and
- only one specific administrative area for that aspect, i.e. specific
+ only one specific administrative area for that aspect, i.e., specific
administrative areas do not overlap.
The root entry of a specific administrative area's subtree is called
autonomous administrative area, which is used for access control
purposes only.
+6. Inner Administrative Areas
-8. Inner Administrative Areas
-
- For some aspects of administration, e.g. access control or collective
- attributes, inner administrative areas may be defined within the
- specific administrative areas, to allow a limited form of delegation,
- or for administrative or operational convenience.
+ For some aspects of administration, e.g., access control or
+ collective attributes, inner administrative areas may be defined
+ within the specific administrative areas, to allow a limited form of
+ delegation, or for administrative or operational convenience.
An inner administrative area may be nested within another inner
administrative area. The rules for nested inner areas are defined as
specific administrative area) extends from its inner administrative
point downwards until a specific administrative point of the same
administrative aspect is encountered. An inner administrative area
+ is bounded by the specific administrative area within which it is
+ defined.
+7. Administrative Entries
-Legg Expires 25 August 2003 [Page 4]
-\f
-INTERNET-DRAFT Directory Administrative Model February 25, 2003
-
- is bounded by the specific administrative area within which it is
- defined.
+Legg Expires 16 December 2004 [Page 4]
+\f
+INTERNET-DRAFT Directory Administrative Model June 16, 2004
-9. Administrative Entries
An entry located at an administrative point is an administrative
entry. Administrative entries MAY have subentries [SUBENTRY] as
subtree refinement associated with an inner area defined for that
aspect.
-
-10. Security Considerations
+8. Security Considerations
This document defines a generic framework for employing policy of
- various kinds, e.g. access controls, to entries in the DIT. Such
+ various kinds, e.g., access controls, to entries in the DIT. Such
policy can only be correctly enforced at a directory server holding a
replica of a portion of the DIT if the administrative entries for
administrative areas that overlap the portion of the DIT being
Administrative entries and subentries SHOULD be protected from
unauthorized examination or changes by appropriate access controls.
-
-11. Acknowledgements
+9. Acknowledgements
This document is derived from, and duplicates substantial portions
- of, Sections 4 and 8 of [X501].
+ of, Sections 4 and 8 of X.501 [X501].
+10. References
-12. Normative References
+10.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
- [RFC3377] Hodges, J. and R. Morgan, "Lightweight Directory Access
+ [LDAP] Hodges, J. and R. Morgan, "Lightweight Directory Access
Protocol (v3): Technical Specification", RFC 3377,
September 2002.
+ [SUBENTRY] Zeilenga, K. and S. Legg, "Subentries in the Lightweight
+ Directory Access Protocol (LDAP)", RFC 3672, December
+ 2003.
-
-Legg Expires 25 August 2003 [Page 5]
-\f
-INTERNET-DRAFT Directory Administrative Model February 25, 2003
+10.2. Informative References
- [SUBENTRY] Zeilenga, K. and S. Legg, "Subentries in LDAP",
- draft-zeilenga-ldap-subentry-xx.txt, a work in progress,
- August 2002.
-13. Informative References
+Legg Expires 16 December 2004 [Page 5]
+\f
+INTERNET-DRAFT Directory Administrative Model June 16, 2004
- [ACA] Legg, S., "Access Control Administration in LDAP",
- draft-legg-ldap-acm-admin-xx.txt, a work in progress,
- February 2003.
- [COLLECT] Zeilenga, K., "Collective Attributes in LDAP",
- draft-zeilenga-ldap-collective-xx.txt, a work in progress,
- August 2002.
+ [COLLECT] Zeilenga, K., "Collective Attributes in the Lightweight
+ Directory Access Protocol (LDAP)", RFC 3671, December
+ 2003.
- [X501] ITU-T Recommendation X.501 (02/2001), Information
- technology - Open Systems Interconnection - The Directory:
- Models
+ [ACA] Legg, S., "Lightweight Directory Access Protocol (LDAP):
+ Access Control Administration",
+ draft-legg-ldap-acm-admin-xx.txt, a work in progress, June
+ 2004.
+ [X501] ITU-T Recommendation X.501 (02/01) | ISO/IEC 9594-2:2001,
+ Information technology - Open Systems Interconnection -
+ The Directory: Models
-14. Copyright Notice
+11. Author's Address
- Copyright (C) The Internet Society (2003). All Rights Reserved.
+ Steven Legg
+ Adacel Technologies Ltd.
+ 250 Bay Street
+ Brighton, Victoria 3186
+ AUSTRALIA
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
+ Phone: +61 3 8530 7710
+ Fax: +61 3 8530 7888
+ EMail: steven.legg@adacel.com.au
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
+Full Copyright Statement
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+ Copyright (C) The Internet Society (2004). This document is subject
+ to the rights, licenses and restrictions contained in BCP 78, and
+ except as set forth therein, the authors retain all their rights.
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+Intellectual Property
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
-Legg Expires 25 August 2003 [Page 6]
-\f
-INTERNET-DRAFT Directory Administrative Model February 25, 2003
-15. Author's Address
+Legg Expires 16 December 2004 [Page 6]
+\f
+INTERNET-DRAFT Directory Administrative Model June 16, 2004
- Steven Legg
- Adacel Technologies Ltd.
- 250 Bay Street
- Brighton, Victoria 3186
- AUSTRALIA
- Phone: +61 3 8530 7710
- Fax: +61 3 8530 7888
- EMail: steven.legg@adacel.com.au
+ found in BCP 78 and BCP 79.
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
-Appendix A - Changes From Previous Drafts
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
-A.1 Changes in Draft 00
+Changes in Draft 00
This document reproduces Section 4 from
draft-legg-ldap-acm-admin-00.txt as a standalone document. All
changes made are purely editorial. No technical changes have been
introduced.
-A.2 Changes in Draft 01
+Changes in Draft 01
RFC 3377 replaces RFC 2251 as the reference for LDAP.
+Changes in Draft 02
+ The document has been reformatted in line with current practice.
-
-
-Legg Expires 25 August 2003 [Page 7]
+Legg Expires 16 December 2004 [Page 7]
\f
+
projects / openldap / blobdiff