
Re: Fwd: KerberosId/UserID/access-id



How much does this differ from the way the BNF has been reworked? I guess we need to change kerberosID to u, but is the current format workable?

Jim

>>> Ellen Stokes <stokes@austin.ibm.com> 4/12/00 10:07:21 PM >>>
Here's Kurt's proposal on aligning KerberosID in access control model spec
with the authmeth spec.

So have at it for discussion on the mailing list - this will be an agenda item
for the April 18 conference call.

By the way, I'm sending this to the new mailing list AND cc: to the temp mailing list.
So please subscribe to the mailing list (per one of Kurt's previous notes to you this week) if you haven't already done so.

thanks.
Ellen


>X-Sender: guru@infidel.boolean.net 
>X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
>Date: Wed, 29 Mar 2000 21:29:18 +0900
>To: stokes@austin.ibm.com 
>From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
>Subject: KerberosId/UserID/access-id (two)
>Cc: Leif Johansson <leifj@it.su.se>, <JIMSE@novell.com>
>
>Fixed Typos...
>
>Requirement as discussed:
>The LDAP ACI model must be capable of supporting all authorization
>identity forms prescribed by the protocol (and detailed by
>the "Authentication Methods for LDAP" (authmeth) draft).  This
>draft has been approved for publication as a Proposed Standard.
>
>New Issue:
>AuthMeth draft allows for addition of authorization forms and
>these need to be supported by ACIs.  It should not be necessary
>to update both the AuthMeth spec and the ACI spec to add authorization
>forms to LDAP.  Such additions should only require extension as
>described by authmeth.
>
>Solution:
>
>Rework the LDAPaci BNF such that the access-id is an AuthMethod
>AuthzId.
>
>For example:
>
>ldapACI: 1.2.3.4#subtree#grant;r;attribute:attr1;
>                          #access-id#dn:cn=jsmith,ou=ABC,o=XYZ,c=US
>ldapACI: 1.2.3.4#subtree#grant;r;attribute:attr1;
>                          #access-id#u:jsmith@REALM
>
>Then, if and when AuthMeth is extended to support some new
>form "guid:", the following would be allowed withOUT requiring
>a separate update of the ldapACI specification.
>
>ldapACI: 1.2.3.4#subtree#grant;r;attribute:attr1;
>                          #access-id#guid:0xbad1D
>
>
>I would also suggest "access-id" be changed to "authzID".
>
>If you would like to discuss this issue, I should be available
>tomorrow afternoon (prior to LDUP session).
>
>         Kurt
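The following is an added illustration of Kurt's proposal, not code from this thread, from OpenLDAP, or from any IETF draft. It parses the three ldapACI values quoted above and treats the subject after `#access-id#` as an authmeth authzId, with the two forms authmeth defines (`dn:` and `u:`) registered up front and any other form (`guid:` in Kurt's example) accepted only once someone registers it, so the ACI parser itself never changes. Assumptions: the field layout `oid#scope#rights#access-id#authzId` is inferred from the three sample values; the continuation-line folding mirrors how the values appear in the mail; the `dn:` and `u:` validators are deliberately minimal stand-ins; and the label `authzID` is accepted alongside `access-id` because Kurt suggests that rename.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample: the three ldapACI values from Kurt's message, folded
# across two lines the same way they appear in the mail.
SAMPLE_ACIS = """\
ldapACI: 1.2.3.4#subtree#grant;r;attribute:attr1;
                          #access-id#dn:cn=jsmith,ou=ABC,o=XYZ,c=US
ldapACI: 1.2.3.4#subtree#grant;r;attribute:attr1;
                          #access-id#u:jsmith@REALM
ldapACI: 1.2.3.4#subtree#grant;r;attribute:attr1;
                          #access-id#guid:0xbad1D
"""


@dataclass(frozen=True)
class AuthzId:
    form: str   # the prefix before ':' (e.g. "dn", "u"), lower-cased
    value: str  # everything after the prefix, as validated by the form


@dataclass(frozen=True)
class LdapAci:
    oid: str
    scope: str
    rights: List[str]
    subject: AuthzId


# Registry of authzId forms.  Adding a new form (the "guid:" case in the
# mail) is a registration, not an edit to parse_ldap_aci below.
AuthzValidator = Callable[[str], str]
_AUTHZ_FORMS: Dict[str, AuthzValidator] = {}


def register_authz_form(prefix: str, validator: AuthzValidator) -> None:
    """Make an authzId form known; ABNF literals are case-insensitive."""
    _AUTHZ_FORMS[prefix.lower()] = validator


def parse_authz_id(text: str) -> AuthzId:
    """Parse 'form:value' against the registry; unknown forms fail closed."""
    prefix, sep, value = text.partition(":")
    if not sep:
        raise ValueError(f"authzId without a form prefix: {text!r}")
    validator = _AUTHZ_FORMS.get(prefix.lower())
    if validator is None:
        # An unrecognised form must not silently match anyone.
        raise ValueError(f"unsupported authzId form {prefix!r}")
    return AuthzId(prefix.lower(), validator(value))


def _validate_dn(value: str) -> str:
    # Minimal stand-in: require at least one 'attr=value' RDN.
    if not value or "=" not in value.split(",")[0]:
        raise ValueError(f"malformed DN in authzId: {value!r}")
    return value


def _validate_userid(value: str) -> str:
    # Minimal stand-in: the userid (here "user@REALM") must be non-empty.
    if not value:
        raise ValueError("empty userid in authzId")
    return value


register_authz_form("dn", _validate_dn)
register_authz_form("u", _validate_userid)


def unfold(text: str) -> List[str]:
    """Join continuation lines (those starting with whitespace) to the
    preceding line, giving one logical ldapACI value per entry."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw[:1].isspace() and lines:
            lines[-1] += raw.lstrip()
        else:
            lines.append(raw)
    return lines


def parse_ldap_aci(value: str) -> LdapAci:
    """Split one ldapACI value into its fields and parse the subject as an
    authzId.  The field layout is assumed from the sample values."""
    if value.startswith("ldapACI:"):
        value = value[len("ldapACI:"):].strip()
    # Split on at most four '#' so a subject that itself contains '#'
    # (possible in a DN) is not chopped up.
    fields = value.split("#", 4)
    if len(fields) != 5:
        raise ValueError(f"expected 5 '#'-separated fields, got {len(fields)}")
    oid, scope, rights, label, subject = fields
    if label not in ("access-id", "authzID"):  # "authzID" is the proposed rename
        raise ValueError(f"unexpected subject label {label!r}")
    rights_list = [r for r in rights.split(";") if r]
    return LdapAci(oid, scope, rights_list, parse_authz_id(subject))


if __name__ == "__main__":
    for line in unfold(SAMPLE_ACIS):
        try:
            print(parse_ldap_aci(line))
        except ValueError as exc:
            print("rejected:", exc)
    # Registering the new form is all that is needed for the third value.
    register_authz_form("guid", lambda v: v)
    print(parse_ldap_aci(unfold(SAMPLE_ACIS)[2]))
```

Run as-is, the `guid:` value is rejected until the form is registered, which is the point of the proposal: the ACI grammar delegates the subject syntax to authmeth, and an implementation that meets an unknown form should refuse the ACI rather than guess.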