
Re: Fwd: KerberosId/UserID/access-id



At 01:43 PM 4/13/00 -0600, Jim Sermersheim wrote:
>How much does this differ from the way the BNF has been reworked? I guess we need to change kerberosID to u, but is the current format workable?

Well, your syntax would require that any addition to authmeth be
coordinated with ACM specs.  My suggestion provides separation of
namespace such that additions to authmeth are guaranteed not to
conflict with ACM specs.


>Jim
>
>>>> Ellen Stokes <stokes@austin.ibm.com> 4/12/00 10:07:21 PM >>>
>Here's Kurt's proposal on aligning KerberosID in access control model spec
>with the authmeth spec.
>
>So have at it for discussion on the mailing list - this will be an agenda item
>for the April 18 conference call.
>
>By the way, I'm sending this to the new mailing list AND cc: to the temp 
>mailing list.
>So please subscribe to the mailing list (per one of Kurt's previous notes 
>to you this
>week) if you haven't already done so.
>
>thanks.
>Ellen
>
>
>>X-Sender: guru@infidel.boolean.net 
>>X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
>>Date: Wed, 29 Mar 2000 21:29:18 +0900
>>To: stokes@austin.ibm.com 
>>From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
>>Subject: KerberosId/UserID/access-id (two)
>>Cc: Leif Johansson <leifj@it.su.se>, <JIMSE@novell.com>
>>
>>Fixed Typos...
>>
>>Requirement as discussed:
>>The LDAP ACI model must be capable of supporting all authorization
>>identity forms prescribed by the protocol (and detailed by
>>the "Authentication Methods for LDAP" (authmeth) draft).  This
>>draft has been approved for publication as a Proposed Standard.
>>
>>New Issue:
>>AuthMeth draft allows for addition of authorization forms and
>>these need to be supported by ACIs.  It should not be necessary
>>to update both the AuthMeth spec and the ACI spec to add authorization
>>forms to LDAP.  Such additions should only require extension as
>>described by authmeth.
>>
>>Solution:
>>
>>Rework the LDAPaci BNF such that the access-id is an AuthMethod
>>AuthzId.
>>
>>For example:
>>
>>ldapACI: 1.2.3.4#subtree#grant;r;attribute:attr1;
>>                          #access-id#dn:cn=jsmith,ou=ABC,o=XYZ,c=US
>>ldapACI: 1.2.3.4#subtree#grant;r;attribute:attr1;
>>                          #access-id#u:jsmith@REALM
>>
>>Then, if and when AuthMeth is extended to support some new
>>form "guid:", the following would be allowed withOUT requiring
>>a separate update of the ldapACI specification.
>>
>>ldapACI: 1.2.3.4#subtree#grant;r;attribute:attr1;
>>                          #access-id#guid:0xbad1D
>>
>>
>>I would also suggest "access-id" be changed to "authzID".
>>
>>If you would like to discuss this issue, I should be available
>>tomorrow afternoon (prior to LDUP session).
>>
>>         Kurt
>>
>>
>>
>
>
>
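The namespace separation Kurt argues for in the quoted proposal can be shown in code: an ldapACI parser that treats the subject after `#access-id#` as an opaque authmeth authzId (`form:value`) and hands evaluation to a per-form registry, so a new form such as `guid:` never touches the ACI parser. The following is an added example written for this page; it is not code from the thread, from the ACL model draft or from OpenLDAP. Its assumptions: the five `#`-separated fields are read off the sample values in the proposal, the `dn:` and `u:` forms follow the authmeth draft, and the `1.2.3.4` family OID, the `guid:` form, the matcher functions and all sample values are constructed placeholders.

```python
"""Added example (not from the thread): parse ldapACI values whose subject is an
authmeth-style authzId, and evaluate them against a bound session's authzId.

Assumptions: the '#'-separated field layout is taken from the sample values in
Kurt's proposal; the "dn:" and "u:" forms follow the authmeth draft; the "guid:"
form, the 1.2.3.4 family OID and all sample values are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample ACI values, one per line (the thread wraps them for readability).
SAMPLE_ACIS = [
    "1.2.3.4#subtree#grant;r;attribute:attr1;#access-id#dn:cn=jsmith,ou=ABC,o=XYZ,c=US",
    "1.2.3.4#subtree#grant;r;attribute:attr1;#access-id#u:jsmith@REALM",
    "1.2.3.4#subtree#grant;r;attribute:attr1;#access-id#guid:0xbad1D",
]

# Both the current keyword and Kurt's proposed rename are accepted.
SUBJECT_KEYWORDS = ("access-id", "authzID")


@dataclass(frozen=True)
class AuthzId:
    """An authmeth authorization identity: a form tag and its value."""
    form: str
    value: str


@dataclass(frozen=True)
class Aci:
    family: str
    scope: str
    rights: str
    subject: AuthzId


def parse_authzid(text: str) -> AuthzId:
    """Split 'form:value'. The form namespace belongs to authmeth, so any
    non-empty tag is accepted here; whether it can be evaluated is decided later."""
    form, sep, value = text.partition(":")
    if not sep or not form:
        raise ValueError(f"authzId lacks a 'form:' prefix: {text!r}")
    return AuthzId(form.lower(), value)


def parse_aci(raw: str) -> Aci:
    """Parse one ldapACI value: family # scope # rights # keyword # authzId.
    maxsplit=4 keeps any '#' inside the subject (e.g. a hex-encoded DN value)."""
    parts = raw.split("#", 4)
    if len(parts) != 5:
        raise ValueError(f"expected 5 '#'-separated fields, got {len(parts)}: {raw!r}")
    family, scope, rights, keyword, subject = parts
    if keyword not in SUBJECT_KEYWORDS:
        raise ValueError(f"unknown subject keyword {keyword!r}")
    return Aci(family, scope, rights, parse_authzid(subject))


# A matcher decides whether an ACI subject names the bound session's identity.
Matcher = Callable[[str, AuthzId], bool]


def _norm_dn(dn: str) -> str:
    # Simplified DN normalisation (lowercase, no whitespace around commas);
    # a real server applies the matching rule of each attribute type instead.
    return ",".join(part.strip().lower() for part in dn.split(","))


def match_dn(subject_value: str, session: AuthzId) -> bool:
    return session.form == "dn" and _norm_dn(subject_value) == _norm_dn(session.value)


def match_u(subject_value: str, session: AuthzId) -> bool:
    # userid compared exactly; the realm after '@' is compared case-insensitively.
    if session.form != "u":
        return False
    su, _, sr = subject_value.partition("@")
    cu, _, cr = session.value.partition("@")
    return su == cu and sr.lower() == cr.lower()


# Registry keyed by authzId form: supporting a new authmeth form means adding
# an entry here, never changing parse_aci.
DEFAULT_MATCHERS: Dict[str, Matcher] = {"dn": match_dn, "u": match_u}


def subject_applies(aci: Aci, session: AuthzId, matchers: Dict[str, Matcher]) -> bool:
    """Fail closed: a form this deployment cannot evaluate grants nothing."""
    matcher = matchers.get(aci.subject.form)
    if matcher is None:
        return False
    return matcher(aci.subject.value, session)


def unsupported_forms(acis: List[Aci], matchers: Dict[str, Matcher]) -> List[str]:
    """Audit helper: forms present in stored ACIs that no matcher can evaluate."""
    return sorted({a.subject.form for a in acis} - set(matchers))


if __name__ == "__main__":
    acis = [parse_aci(v) for v in SAMPLE_ACIS]
    jsmith = AuthzId("dn", "cn=jsmith,ou=ABC,o=XYZ,c=US")
    for a in acis:
        print(a.subject, subject_applies(a, jsmith, DEFAULT_MATCHERS))
    print("cannot evaluate:", unsupported_forms(acis, DEFAULT_MATCHERS))
```

The `guid:` value parses without error because the parser only knows "the subject is an authzId", which is the separation the proposal asks for; until a `guid` matcher is registered the ACI grants nothing, and `unsupported_forms` is the check an operator would run before loading ACIs that use a form the server does not yet evaluate.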