
RE: grant / deny precedence in draft-ietf-ldapext-acl-model-04.txt




Mark,

I agree that there should be a default condition if no aci exist and that the safest way is to deny.  I am also presuming that the context is through a networked connection and that any administrative (or local to host) accesses are managed through some other means. 

My belief was that the access control decision module would be invoked any time an access was requested, regardless of whether the access came through a protocol exchange across a network or through a PIN/Password/token access through the host.

We struggle to get modular security code through our evaluation processes.  It is more efficient to use the same module and the same aci information (certificate, time of day, 'label' on the file/data) for user/network and administrator/local accesses. 

My apologies.

Sandi

-----Original Message-----
From: Mark Smith [mailto:mcs@netscape.com]
Sent: Friday, October 15, 1999 11:58 AM
To: Miklos Sue A.
Cc: Subbu K. K.; ietf-ldapext@netscape.com
Subject: Re: grant / deny precedence in draft-ietf-ldapext-acl-model-04.txt


> "Miklos, Sue A." wrote:
>
> To clarify (which I almost always have to do) -
>
> If an access control model exists with a range of accesses associated
> (individual, roles, group of names, etc.) and if ACI are present, the
> default condition should ensure that, until all criteria are
> successfully met, a deny exists. If there are any ambiguities when
> determining rights, always default to a deny.
>
> I am somewhat confused about your first case... If there are no access
> control rules, then the condition is not relevant.  If there are no
> criteria imposed to access the repository, then it should be
> accessible (and modifiable?) by all.  The absence of ACI implies that
> all information contained within meets the "front page of the New York
> Times" criteria... publically available to all.

The best behavior when an access control scheme is in effect and
supported by a server but no aci attributes exist is subject to debate.
Different implementations have chosen different paths.  For example, in
the University of Michigan LDAP 3.3 slapd code, the absence of any
access control configuration provides read access to everyone but in
Netscape Directory Server (all versions so far) the same situation
results in no access to anyone.  I prefer the latter behavior because it
is safer.
 
--
Mark Smith
iPlanet Directory Architect / Sun-Netscape Alliance
My words are my own, not my employer's.   Got LDAP?
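The two points argued over in this exchange, what a server should do when access control is in force but no aci exist, and deny taking precedence over grant once aci are present, can be made concrete with a small decision function. The following is an added example written for this page; it is not code from the draft, from the U-M slapd, or from Netscape Directory Server. The Aci/Request types, the "anyone" subject, the "open"/"closed" policy switch, and the SAMPLE_ACIS list are all assumptions constructed for illustration.

```python
"""Toy access-control decision module for the no-aci and grant/deny
precedence cases discussed in the thread.  Added example, not code from
draft-ietf-ldapext-acl-model-04 or from any LDAP server."""

from dataclasses import dataclass
from enum import Enum


class Effect(Enum):
    GRANT = "grant"
    DENY = "deny"


@dataclass(frozen=True)
class Aci:
    """One access control item (assumed shape): the subject it applies to,
    the rights it covers, and whether it grants or denies them.
    The subject 'anyone' is assumed to match every requester."""
    subject: str
    rights: frozenset
    effect: Effect


@dataclass(frozen=True)
class Request:
    """An access request: the authenticated subject, the groups/roles it
    holds, and the single right being asked for (e.g. 'read', 'write')."""
    subject: str
    groups: frozenset
    right: str


def matches(aci: Aci, req: Request) -> bool:
    """An aci applies if it names everyone, the requester, or one of its groups."""
    return (aci.subject == "anyone"
            or aci.subject == req.subject
            or aci.subject in req.groups)


def decide(acis, req: Request, empty_policy: str = "closed") -> bool:
    """Return True if the request is granted, False otherwise.

    empty_policy selects the behaviour when no aci exist at all:
      "closed": nothing is accessible (the behaviour Mark describes for
                Netscape Directory Server, and the safer choice)
      "open":   read access for everyone (the behaviour described for the
                University of Michigan LDAP 3.3 slapd)
    Once any aci exist the decision is default-deny: an explicit matching
    grant is required, and any matching deny wins over every grant, so an
    ambiguous or conflicting rule set resolves to deny.
    """
    if not acis:
        return empty_policy == "open" and req.right == "read"

    applicable = [a for a in acis if matches(a, req) and req.right in a.rights]
    if any(a.effect is Effect.DENY for a in applicable):
        return False  # deny precedence: one deny overrides all grants
    return any(a.effect is Effect.GRANT for a in applicable)


# Constructed sample aci set (assumption, not from any real directory):
# everyone may read, the admins group may read and write, and one
# contractor account is explicitly denied read even though 'anyone' grants it.
SAMPLE_ACIS = [
    Aci("anyone", frozenset({"read"}), Effect.GRANT),
    Aci("cn=admins", frozenset({"read", "write"}), Effect.GRANT),
    Aci("uid=contractor", frozenset({"read"}), Effect.DENY),
]

if __name__ == "__main__":
    alice = Request("uid=alice", frozenset(), "read")
    print("no aci, closed:", decide([], alice))
    print("no aci, open:  ", decide([], alice, empty_policy="open"))
    print("alice read:    ", decide(SAMPLE_ACIS, alice))
    contractor = Request("uid=contractor", frozenset({"cn=admins"}), "read")
    print("contractor read (admin, but explicitly denied):",
          decide(SAMPLE_ACIS, contractor))
```

Note that the contractor is denied read even while holding the admins group membership: the explicit deny wins regardless of how many grants also match, which is the "always default to a deny" rule from Sue's message. Flipping empty_policy to "open" only changes the result when the aci list is completely empty; it never weakens a decision once rules exist.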