Access Control document




Re: Title     : Access Control Requirements for LDAP
    Author(s) : B. Blakley, E. Stokes, D. Byrne, P. Behera
    Filename  : draft-ietf-ldapext-acl-reqts-00.txt
    Pages     : 10
    Date      : 17-Oct-97


While appreciating the need to have a requirements document, I think it's
also a requirement to have a common operational policy view for dealing
with ACI standardisation. Naturally and as expected, I will request that
the X.500 Authentication/ACI model is followed and its ACI definition
used - in doing that, it means that customers who use integrated X.500
DSAs (as DSAs or LDAP servers) and standard LDAP servers can at least
see authentication and access control as common profiles with common
configuration mechanisms, i.e. develop a trust model with user profiles.

Authentication levels, User or Item First with Permissions and Denials
at the subtree, entry or attribute level seem a good model and are proven
to work. We in fact profile our ACI system so that user-based profiles
of anon user, named user, user groups, own entry modification, admin
user, etc. can be configured in minutes. Such ACI can be propagated
across many DSAs to form a coherent protection method over a distributed
directory system.


Is there anyone that is absolutely opposed to the X.500
Authentication/ACI model, and why? Saying it's "too complex" must not be
considered as a reason.

ACI and its application to a distributed directory system, which can be
applied as policy profiles, is by definition a bit more than a "simple
protocol". In addition, nested ACI regimes - which are necessary in
bigger systems - will have to be proved to be effective; therefore making
it "simple" will probably mean it's full of technical and operational
holes.

We (and no doubt others) have spent years in making ACI in X.500
bulletproof and user friendly. And without such effort, public, end-user
(own entry) maintained directory systems will be impossible.

I.e. fragility in the LDAP ACI spec or its operational application will
render directories useless.

I seek that maximum effort is applied in keeping the LDAP/X.500 ACI
model consistent. Any deviation should be objectively discussed.

Comments are welcome, and all those in favour please say so.


Regards and thanks, Alan

PS. We put in LDAP access interfaces and LDAP server links to our DSA
to give LDAP clients access to distributed DSAs and LDAP servers - at
the core of this system is X.500 ACI regimes, which work well.


It is also noted that IBM also provides X.500 technology, so it would be
in most suppliers' interests to standardise in this area.