[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ldapACI permissions

To: Kyungae_Lim@iris.com
Subject: Re: ldapACI permissions
From: George_Robert_Blakley_III@tivoli.com
Date: Wed, 22 Mar 2000 11:10:25 -0600
Cc: ietf-ldapext@netscape.com, djbyrne@us.ibm.com
Content-disposition: inline
Resent-date: Wed, 22 Mar 2000 09:20:20 -0800 (PST)
Resent-from: ietf-ldapext@netscape.com
Resent-message-id: <k3RAVB.A.bsC.KDQ24@glacier>
Resent-sender: ietf-ldapext-request@netscape.com


All,

> < djb > I agree with your analysis that having both delete and add
> permission on the object essentially means that one could delete the
> object, and re-add it, filling in attributes, and access control as it
> liked.    If the concern is that users would circumvent the access
control
> checks by doing this sort of thing, I might suggest that an auditing
> facility is needed for that directory.

> Is the suggestion here that  when creating an entry, a user can only set
> the values on those attributes to which he also has 'write' permission?
> Does this also mean the user needs 'write/delete' permission on all
> attributes which have values when he is deleting the entry?

I think both 'add' on entry and 'write' on attributes SHOULD be checked
when creating an entry.  Otherwise there is no way to prevent a user with
'add' permission only from filling in ldapACI or other security-sensitive
attribute values.
Auditing can help detecting the problem( after the fact), but shouldn't be
a substitue for access checking.


<bb> Note that implementations can use the "Policy Owner" attribute to insure
that ldapACI attributes
<bb> can't be changed by anyone other than security administrators - including
at object creation time.
<bb>
<bb> Given that there is this level of control (assuming an appropriate
implementation), it should be
<bb> possible to insure that the system configures a new entry's default Access
Control policy to
<bb> ensure what you want without having to force all implementations to do this
in a particular way.
<bb>
<bb> What we're really talking about here is the default policy which applies to
a newly created
<bb> object.
<bb>
<bb> Our choices here seem to be:
<bb>
<bb> (1) Allow the creator of the object to set values for specified attributes
(including ldapACI) based
<bb>       on permissions governed by an ACL inherited from an ancestor entry.
<bb> (2) Allow the creator of the object to set values for all attributes EXCEPT
ldapACI attributes
<bb>       -- only the policy owner can change the ldapACI attributes
<bb> (3) Allow the creator of the object to set values for ALL attributes - in
this case control over the
<bb>       ldapACI for the newly created object is governed by the ACL on the
containing directory.
<bb>
<bb> Can we get some discussion toward a consensus here?

--bob

Bob Blakley
Chief Scientist
Tivoli SecureWay Business Unit

Prev by Date: Re: ldapACI permissions
Next by Date: Re: Fwd: Comments on the ACL Model draft
Index(es):
- Chronological
- Thread