
LDAP Access Control



Hi gang. The results from the great LDAP Access
Control Survey are in. Here they are, along with
our view of the consensus (or lack thereof!) and
how we should proceed. Comments welcome, but let's
try hard to start moving forward on this.

> QUESTION 1: Do you believe LDAPEXT should be trying to define
> requirements, framework, and/or a model for access control in
> LDAP directories?

We've had near-unanimous agreement that we should be working
on this problem. Our proposal for consensus is that the group
continue to work on this problem.

> QUESTION 2: Do you basically support the access control
> requirements draft (draft-ietf-ldapext-acl-reqts-00.txt)?

There have been some dissenters here, but opinions are running
3 to 1 that we should keep this document. Our proposal for
consensus is that the group keep working on this document with
the intention of progressing it.

> QUESTION 3: Do you basically support the access control model
> draft (draft-ietf-ldapext-acl-model-00.txt)?

By about the same margin, people don't seem to like this
document. Our proposal for consensus is that the group will
not progress this document in its current form.

> QUESTION 4: Do you think we should adopt the X.500(1993)
> basic access control model as the starting point for the LDAP
> access control model?

There are plenty of opinions on both sides of this issue, and
it is clear the group has not reached consensus. So, our proposal
for moving forward is that we continue the very useful discussions
started by Bob Blakeley and Steve Kille in the following way:

Those in favor of this approach should produce an internet-draft that:

 - states the X.500 access control scheme to be used as a basis, and
 - defines what additions or deletions, if any, would be needed to it.

Assuming the group considers that this draft meets the requirements, 
it would be progressed as a recommended access control model for LDAP.

> QUESTION 5: Do you think we should specify only a framework
> for identifying access control models, and not define a
> single standards-track model for LDAP at this time?

The sentiment here seems to be both that a framework is a good
thing and that it's not enough. So, our proposal for consensus
is that the group should develop a framework in parallel with
working on a particular model. The model the group designs can
be made mandatory to implement in an applicability statement
issued by this working group or another (e.g., LDUP).

-- Tim Howes and Mark Wahl