
Re: ACL all entry attribute keyword



Sanjay,

Previously we agreed to annotate the BNF to state which perms applied
to entries and which to attributes.  For clarity, I've reworked the BNF
(just section 4.1.1 so far) to remove the annotation and state clearly in BNF.

Here it is (and I hope I got it right given I'm not a BNF expert)...

******start BNF***********

 entryACI = rights "#" attr "#" subject

 subtreeACI = rights "#" attr "#" subject

 rights = (("grant:" / "deny:") permissions) /
          ("grant:" permissions ";deny:" permissions)

 permissions = entryPerm ("," entryPerm)* "#[entry]" /
               attrPerm ("," attrPerm)* "#[all]" /
               attrPerm ("," attrPerm)* "#" (attribute ("," attribute)*)

 entryPerm = "a" / ; add
             "d" / ; delete
             "e" / ; export
             "i" / ; import
             "n" / ; renameDN
             "b" / ; browseDN
             "t"   ; returnDN

 attrPerm = "r" / ; read
            "s" / ; search
            "w" / ; write (mod-add)
            "o" / ; obliterate (mod-del)
            "c" / ; compare
            "m"   ; make

 attribute = ; OID syntax (1.3.6.1.4.1.1466.115.121.1.38)
             ;     from [ATTR]

 subject = ["authnLevel:" authnLevel ":"]
             (("authzID-" authzID) /
             ("role:" dn) /
             ("group:" dn) /
             ("subtree:" dn) /
             ("ipAddress:" ipAddress) /
             "public:" /
             "this:")

 authnLevel = "any" /
              "simple" /
              sasl /
              "none" /
              "anonymous"

 sasl = "sasl:"
        ("any" /
        mechanism)

 mechanism = ; sasl mechanism from 4.2 of [LDAPv3]

 authzID = ; authzID from [AuthMeth] repeated below
           ;    for convenience

 authzId = dnAuthzId / uAuthzId

 ; distinguished-name-based authz id.
 dnAuthzId  = "dn:" dn

 dn = utf8string ; with syntax defined in [UTF]

 ; unspecified userid, UTF-8 encoded.
 uAuthzId   = "u:" userid
 userid     = utf8string ; syntax unspecified

 ; IP address
 ipAddress   = IPv6address | printableString
               ; printableString to use a wildcard
               ;    domain name such as *.airius.com
               ;    to specify a specific DNS domain

 ; following is excerpted from [IPV6]
 IPv6address = hexpart [ ":" IPv4address ]
 IPv4address = 1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT
 IPv6prefix  = hexpart "/" 1*2DIGIT

 hexpart = hexseq | hexseq "::" [ hexseq ] | "::" [ hexseq ]
 hexseq  = hex4 *( ":" hex4)
 hex4    = 1*4HEXDIG

 printableString ; printableString syntax from [ATTR]

*******endBNF***********

Ellen



At 12:50 PM 3/9/2001 -0800, Sanjay Panwar wrote:

Question on draft-ietf-ldapext-acl-model-07.txt
-----------------------------------------------------

WRT attr options
               attr = "[all]" / "[entry]" / (attribute *("," attribute))

Is it necessary to have two different keywords to target Entry and All
attributes, since we already have a separate set of permissions for entry
and attributes?

Is it not sufficient to have only one keyword, let's call it "[all
entry]", to target both the entry and its attributes? The permission determines
whether it can be applied to an entry or attribute, as illustrated below.

  subtreeACI: grant:o # [all entry] # role:cn=SysAdmin,o=Company
                  ; Applies to all attributes as o is an attribute-specific permission
  subtreeACI: grant:d # [all entry] # role:cn=SysAdmin,o=Company
                  ; Applies to the entry as d is an entry-specific permission

With the existing scheme it is possible to define the following ACIs, which
do not have any meaning.

  subtreeACI:grant:o#[entry]#role:cn=SysAdmin,o=Company
  subtreeACI:grant:d#[all]#role:cn=SysAdmin,o=Company

- Panwar
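As an added example (not part of either message in this thread, nor of the draft itself), here is a small validator for the `rights # attr # subject` syntax in Ellen's reworked BNF that also rejects the two "meaningless" ACIs from Sanjay's question. The permission letters and target keywords come from the BNF above; the attribute-name and subject regexes are my own simplified approximations of the referenced OID and authzID syntaxes.

```python
import re
# Permission letters from the reworked BNF in the message above.
ENTRY_PERMS = set("adeinbt")  # add, delete, export, import, renameDN, browseDN, returnDN
ATTR_PERMS = set("rswocm")    # read, search, write, obliterate, compare, make
# attribute = OID syntax; approximated here as a descriptor (cn) or a dotted numeric OID.
ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)+)$")
# subject forms as written in the BNF, with the optional authnLevel prefix (approximation).
SUBJECT_RE = re.compile(r"^(authnLevel:(sasl:)?[^:#]+:)?"
                        r"(authzID-(dn|u):.+|(role|group|subtree|ipAddress):.+|public:|this:)$")

def parse_aci(aci: str) -> dict:
    """Parse 'rights # attr # subject'; reject perms that cannot apply to the target."""
    parts = [p.strip() for p in aci.split("#")]
    if len(parts) != 3:
        raise ValueError("expected rights#attr#subject")
    rights, target, subject = parts
    clauses = {}  # "grant"/"deny" -> set of permission letters
    for clause in rights.split(";"):
        action, _, perms = clause.partition(":")
        if action not in ("grant", "deny") or action in clauses:
            raise ValueError(f"bad rights clause: {clause!r}")
        if action == "grant" and "deny" in clauses:
            raise ValueError("grant must precede deny")  # order fixed by the BNF
        letters = perms.split(",")
        if not all(len(p) == 1 and p in ENTRY_PERMS | ATTR_PERMS for p in letters):
            raise ValueError(f"unknown permission in {perms!r}")
        clauses[action] = set(letters)
    # Entry perms only make sense on [entry]; attribute perms on [all] or an attribute list.
    if target == "[entry]":
        attrs, allowed = None, ENTRY_PERMS
    elif target == "[all]":
        attrs, allowed = None, ATTR_PERMS
    else:
        attrs, allowed = [a.strip() for a in target.split(",")], ATTR_PERMS
        if not all(ATTR_RE.match(a) for a in attrs):
            raise ValueError(f"bad attribute list: {target!r}")
    bad = set().union(*clauses.values()) - allowed
    if bad:
        raise ValueError(f"perms {sorted(bad)} do not apply to {target!r}")
    if not SUBJECT_RE.match(subject):
        raise ValueError(f"bad subject: {subject!r}")
    return {"rights": clauses, "target": target, "attributes": attrs, "subject": subject}

def is_valid(aci: str) -> bool:
    """True when the ACI parses and its permissions fit its target."""
    try:
        parse_aci(aci)
        return True
    except ValueError:
        return False
```

Run against the two ACIs at the end of Sanjay's message, `is_valid` returns False for both, which is the check a server should apply before storing an ACI rather than silently accepting a rule that can never match.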