
Re: ldapACI syntax and matching rules and more



At 10:10 AM 3/16/00 -0600, George_Robert_Blakley_III@tivoli.com wrote:
>>Also, I think KerberosId should be generalized.  I suggest
>>referring to it as a UserId which allows any UTF-8 printable
>>string.  This maps better onto authmeth's authzid "u:".
>>If left as a KerberosId, it should not be a SHOULD.
>
>This is "OK", but it needs to be possible to avoid name capture
>in cases where different authentication mechanisms are supported to the
>same directory.  I don't want someone to be able to use a
>"foo-name" which is lexically the same as someone else's kerberosid
>to get access to resources illicitly.

To resolve this issue, I suggest relating the ACI "userid" to the
Authmeth AuthzId "u:".  As new forms were added to AuthzId, a new
form can be added to ACIs (and vice versa).

>>How does an ACL granting access to an attribute type's superior affect
>>access to the attribute type?  Ie: does granting access to 'name'
>>allow access to 'cn'?
>
>In the current draft the answer is no, and I'd prefer to keep it
>this way in order to keep the ACL resolution algorithm simple.  If we
>implement semantics like these, then we need to do a bunch of type
>resolution at access check time -- could be a performance problem.

I would note that ACL management already requires a bunch of type
resolution checks to handle attribute subtypes (ie: lang- tags)
and alternative name forms (OID vs. multiple names).  Given this
(and my experience implementing such) the performance hit of
checking superiors (via sup) is actually quite minimal and,
depending on the implementation, quite natural (ie: it may actually
be harder NOT to provide such support).

>>[I'd like wildcard support... ie: 10.*.*.* or 10.0.0.0/8
>>or 10.0.0.0:255.0.0.0]
>Again, I don't want to do wildcarding because it requires a complicated
>evaluation code-path at access check time.

Even where that complication makes rules easier to manage and
likely to be much "quicker"?  The example I gave would require 2^24
times more ACI values to implement without wildcarding.

Kurt
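The two evaluation questions argued over in this thread (whether a grant on a superior attribute type such as 'name' should cover 'cn', and whether an ACI should accept an address pattern like 10.*.*.*, 10.0.0.0/8 or 10.0.0.0:255.0.0.0) are small enough to work through in code. The block below is an added example written for this page; it is not code from the ldapACI draft, from either poster, or from any directory server. It assumes a hand-built fragment of the standard user schema (SCHEMA), a grant list that is simply a list of attribute descriptions, and a client address given as a dotted-quad string; the `follow_sup` switch exists only to show both semantics side by side, and `explicit_rule_count` reproduces the 2^24 figure from the message.

```python
import ipaddress

# Constructed schema fragment: canonical name -> OID, superior type (SUP) and aliases.
# The SUP links (cn SUP name, sn SUP name) follow the standard X.500 user schema.
SCHEMA = {
    "name": {"oid": "2.5.4.41", "sup": None, "aliases": ()},
    "cn":   {"oid": "2.5.4.3", "sup": "name", "aliases": ("commonName",)},
    "sn":   {"oid": "2.5.4.4", "sup": "name", "aliases": ("surname",)},
    "mail": {"oid": "0.9.2342.19200300.100.1.3", "sup": None,
             "aliases": ("rfc822Mailbox",)},
}


def canonical_name(attr_desc):
    """Map an attribute description (name, alias or OID, optionally with
    ';lang-xx' style options) onto its canonical schema name.
    This is the type resolution an ACL evaluator already has to do for
    subtypes and alternative name forms."""
    base = attr_desc.split(";", 1)[0].strip().lower()
    for name, info in SCHEMA.items():
        aliases = {a.lower() for a in info["aliases"]}
        if base == name or base == info["oid"] or base in aliases:
            return name
    raise KeyError("unknown attribute type: %r" % attr_desc)


def lineage(name):
    """Canonical name followed by its chain of superiors, nearest first."""
    chain = []
    while name is not None:
        chain.append(name)
        name = SCHEMA[name]["sup"]
    return chain


def attr_granted(grants, attr_desc, follow_sup):
    """Does a grant list cover the requested attribute?
    follow_sup=False is the draft's semantics (a grant on 'name' says
    nothing about 'cn'); follow_sup=True walks the SUP chain, which costs
    one extra dictionary lookup per level on top of canonical_name()."""
    target = canonical_name(attr_desc)
    candidates = lineage(target) if follow_sup else [target]
    granted = {canonical_name(g) for g in grants}
    return any(c in granted for c in candidates)


def parse_ip_pattern(pattern):
    """Turn any of the three address forms from the thread into one
    IPv4Network: '10.*.*.*', '10.0.0.0/8' or '10.0.0.0:255.0.0.0'.
    Wildcard octets must be trailing; '10.*.0.*' is not a single prefix
    and is rejected rather than silently widened."""
    if "*" in pattern:
        octets = pattern.split(".")
        if len(octets) != 4:
            raise ValueError("wildcard pattern needs four octets: %r" % pattern)
        fixed, seen_star = [], False
        for octet in octets:
            if octet == "*":
                seen_star = True
            elif seen_star:
                raise ValueError("non-contiguous wildcard: %r" % pattern)
            else:
                fixed.append(int(octet))
        addr = ".".join(str(o) for o in fixed + [0] * (4 - len(fixed)))
        return ipaddress.ip_network("%s/%d" % (addr, 8 * len(fixed)))
    if ":" in pattern:                     # address:netmask form
        addr, mask = pattern.split(":", 1)
        return ipaddress.ip_network("%s/%s" % (addr, mask), strict=False)
    return ipaddress.ip_network(pattern, strict=False)   # CIDR or single host


def ip_matches(pattern, client_ip):
    """Single containment test; this is the whole 'complicated code-path'."""
    return ipaddress.ip_address(client_ip) in parse_ip_pattern(pattern)


def explicit_rule_count(pattern):
    """How many single-address ACI values the pattern would expand to."""
    return parse_ip_pattern(pattern).num_addresses


if __name__ == "__main__":
    print(attr_granted(["name"], "cn", follow_sup=True))         # True
    print(attr_granted(["name"], "cn", follow_sup=False))        # False
    print(ip_matches("10.*.*.*", "10.200.3.4"))                  # True
    print(explicit_rule_count("10.*.*.*"))                       # 16777216
```

All three address syntaxes normalise to the same IPv4Network, so the access-check path is one prefix comparison regardless of which form the administrator wrote; the parsing cost is paid once when the ACI is loaded, not per check. The attribute side shows that the subtype and alias handling already required by the draft (the `;lang-` option stripping and OID lookup in `canonical_name`) dominates the work, and walking `sup` adds only a short loop on top of it.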