[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: LDAP Access Control

To: "'Ed Reed'" <ED_REED@novell.com>, d.w.chadwick@iti.salford.ac.uk, howes@netscape.com, ietf-ldapext@netscape.com
Subject: RE: LDAP Access Control
From: Ron Ramsay <Ron.Ramsay@OpenDirectory.com.au>
Date: Mon, 22 Jun 1998 10:19:42 +1000
Delivered-to: ldapext-archive@critical-angle.com
Resent-date: Sun, 21 Jun 1998 17:27:07 -0700 (PDT)
Resent-from: ietf-ldapext@netscape.com
Resent-message-id: <"UkpXC2.0.JG5.HJQZr"@glacier>
Resent-sender: ietf-ldapext-request@netscape.com

Prescriptive ACI would allow an organisation to allow a particular
individual (or role) to have access to the ACI implementing the Black
Hole. Database surgery would not be required.

Similarly, portions of the tree can be made invisible to
non-authenticated users but could be visible to a) all authenticated
users, or b) particular users or groups of users.

My comments of course apply to the X500 Access Control Model.

Ron.

> -----Original Message-----
> From:	Ed Reed [SMTP:ED_REED@novell.com]
> Sent:	Saturday, June 20, 1998 2:24 AM
> To:	d.w.chadwick@iti.salford.ac.uk; howes@netscape.com;
> ietf-ldapext@netscape.com
> Subject:	Re: LDAP Access Control
> 
> David - a note on disallowing traversal of namespaces....
> 
> We see this fairly often in customer requirements for enterprise
> directories.  The engineering organization has a portion of the tree
> which is used for test purposes only, but for which it is convenient
> to have it linked into the rest of the namespace for single signon and
> name resolution purposes.  However, they run the partitioning, schema
> management, and other aspects of the tree independently.
> 
> Now, a high security research project comes along for which they want
> complete anonymity, but again, want to use their user names, etc
> defined in the public parts of the tree as part of their access
> controls and so forth in that portion of the tree.
> 
> Note a few interesting things about resolve name operations in
> distributed directories, in this scenario...
> 
> If you allow unauthenticated (ie, public) traversal of the namespace,
> it's quite possible to ascertain quite a lot about the organization
> and its view of itself.  If you allow unauthenticated (ie, public)
> name resolution (for initial login, for instance) of objects in the
> hidden namespace, you AT LEAST have to allow visibility to the
> knowledge references for internal partitions within the
> namespace...which again provides quite a bit of information about it.
> This would be particularly true in a Microsoft Active Directory
> Service, where each partition is doubling service as an NT domain.
> 
> Bottom line is that some customers DO want to be able to create black
> holes in their namespace.  And if you allow it, you have to treat it
> kind of like you do the ability to run without key recovery - if you
> lose the key, you've lost the data, with no recourse.  Same thing
> applies to the namespace - if you create the black hole, and then fail
> to retain the ability to access and manage it, it's lost to you
> (unless you're willing to go in with database pointer editors to
> remove the blocking ACI - tantamount to key recovery in the example
> before).
> 
> Such "fire walls" are certainly going to be necessary if corporate
> directories, like their networks, achieve greater connectivity to the
> outside, hostile world.
> 
> Ed
> 
> -------------------
> Ed Reed, Technologist
> Group Technology Office
> Novell, Inc.
> +1 801 861 3320
> 
> >>> "David Chadwick" <d.w.chadwick@iti.salford.ac.uk> 06/19/1998
> 01:51:36 >>>
>

Prev by Date: Re: LDAP Access Control
Next by Date: Re: LDAP Access Control
Index(es):
- Chronological
- Thread