
Access Controls - a suggested change to X.500



Folks,

at the recent X.500 meeting in Beijing a defect report on access controls for ModifyRDN was discussed, which suggested a minor change to the current scheme. I enclose the rationale and proposed changes below. The X.500 group have agreed in principle to the change, but seeing as it will affect existing implementations, the X.500 group are welcoming comments from suppliers before finally submitting the defect for balloting. I am forwarding this news to the LDAP group, since access controls are very important to this list, and there was some desire on this list for LDAP and X.500 access controls to be compatible.

Rationale

The independence of Access Control permissions has in general been adopted. However, one exception exists. The standard explicitly states that ModifyRDN permission grants Modify permission on attributes (plural) in the RDN. Specifically it prevents a DSA administrator from setting up a natural scenario where a user has permission to modify one attribute in a multi-attribute RDN and not another. Many directories (e.g. Entrust) use CN and uniqueidentifier (or similar) to identify organisational users. If we wished to allow the CN to be changed by end users or their agents, but wish to maintain control over the unique identifier, we cannot do this as the standard currently stands.
11. Solution Proposed by the Source: (optional)
The proposed behaviour is for ModifyRDN and Modify permissions to be independent, in line with the rest of the permissions. So to change any component of an RDN, both ModifyRDN permission and Modify permission are needed for any attribute in the RDN to be altered.
With the current permissions, one can construct an ACI so that a user may change a value if it is in an RDN, but not change a non-RDN value, and this ability would be lost with the proposed change. However, it is difficult to construct a real scenario where anyone would want this capability, and so the gain is far more than the loss.

***************************************************

David Chadwick
IT Institute, University of Salford, Salford M5 4WT
Tel +44 161 295 5351  Fax +44 161 745 8169
Mobile +44 370 957 287
Email D.W.Chadwick@iti.salford.ac.uk
Home Page  http://www.salford.ac.uk/its024/chadwick.htm
Understanding X.500  http://www.salford.ac.uk/its024/X500.htm
X.500/LDAP Seminars http://www.salford.ac.uk/its024/seminars.htm

***************************************************
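As an added illustration (not part of David Chadwick's message or of any X.500 implementation), the following Python model evaluates a value-change request under both readings of ModifyRDN: the current text, where ModifyRDN alone grants Modify on RDN attributes, and the proposed one, where ModifyRDN and Modify are independent. The ACI shape, the attribute names and the two scenarios (the CN plus uniqueIdentifier case, and the RDN-only capability the proposal gives up) are assumptions chosen to mirror the rationale above.

```python
# Added example, not part of the original message: a toy evaluator for the
# two readings of ModifyRDN discussed above. The ACI shape, the attribute
# names and the entries below are assumptions used only for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Aci:
    modify_rdn: bool            # holds ModifyRDN permission on the entry
    modify_attrs: frozenset     # attribute types on which Modify is granted


def permitted(aci: Aci, attr: str, in_rdn: bool, proposed: bool) -> bool:
    """Decide whether one value of `attr` may be altered.

    in_rdn   - the value is a component of the entry's RDN
    proposed - evaluate under the proposed (independent) scheme rather
               than the current text, where ModifyRDN alone is enough
    """
    if not in_rdn:
        # Non-RDN values are governed by Modify alone under both schemes.
        return attr in aci.modify_attrs
    if not aci.modify_rdn:
        return False
    return attr in aci.modify_attrs if proposed else True


def entrust_style_case(proposed: bool) -> dict:
    """RDN = cn + uniqueIdentifier; the end user is granted ModifyRDN and
    Modify on cn only, uniqueIdentifier being meant to stay under admin control."""
    user = Aci(modify_rdn=True, modify_attrs=frozenset({"cn"}))
    return {
        "cn": permitted(user, "cn", in_rdn=True, proposed=proposed),
        "uniqueIdentifier": permitted(user, "uniqueIdentifier", in_rdn=True, proposed=proposed),
    }


def rdn_only_case(proposed: bool) -> dict:
    """The capability the proposal gives up: ModifyRDN without Modify on cn,
    so the RDN value of cn is changeable but a second, non-RDN cn value is not."""
    user = Aci(modify_rdn=True, modify_attrs=frozenset())
    return {
        "rdn_value": permitted(user, "cn", in_rdn=True, proposed=proposed),
        "other_value": permitted(user, "cn", in_rdn=False, proposed=proposed),
    }


if __name__ == "__main__":
    for scheme, flag in (("current", False), ("proposed", True)):
        print(scheme, entrust_style_case(flag), rdn_only_case(flag))
```

Under the current reading the end user can alter uniqueIdentifier simply because it sits in the RDN; under the proposed reading that change is refused, while the RDN-only trick (changing the distinguished cn value without Modify on cn) stops working.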