Re: ACL all entry attribute keyword
Sanjay,
Previously we agreed to annotate the BNF to state which perms applied
to entries and which to attributes. For clarity, I've reworked the BNF
(just section 4.1.1 so far) to remove the annotation and state it clearly in the BNF.
Here it is (and I hope I got it right, given I'm not a BNF expert)...
******start BNF***********
entryACI    = rights "#" attr "#" subject
subtreeACI  = rights "#" attr "#" subject

rights      = (("grant:" / "deny:") permissions) /
              ("grant:" permissions ";deny:" permissions)

permissions = entryPerm ("," entryPerm)* "#[entry]" /
              attrPerm ("," attrPerm)* "#[all]" /
              attrPerm ("," attrPerm)* "#" (attribute ("," attribute)*)

entryPerm   = "a" /    ; add
              "d" /    ; delete
              "e" /    ; export
              "i" /    ; import
              "n" /    ; renameDN
              "b" /    ; browseDN
              "t"      ; returnDN

attrPerm    = "r" /    ; read
              "s" /    ; search
              "w" /    ; write (mod-add)
              "o" /    ; obliterate (mod-del)
              "c" /    ; compare
              "m"      ; make

attribute   = ; OID syntax (1.3.6.1.4.1.1466.115.121.1.38)
              ; from [ATTR]

subject     = ["authnLevel:" authnLevel ":"]
              (("authzID-" authzID) /
               ("role:" dn) /
               ("group:" dn) /
               ("subtree:" dn) /
               ("ipAddress:" ipAddress) /
               "public:" /
               "this:")

authnLevel  = "any" /
              "simple" /
              sasl /
              "none" /
              "anonymous"

sasl        = "sasl:"
              ("any" /
               mechanism)

mechanism   = ; sasl mechanism from 4.2 of [LDAPv3]

authzID     = ; authzID from [AuthMeth] repeated below
              ; for convenience

authzId     = dnAuthzId / uAuthzId

              ; distinguished-name-based authz id.
dnAuthzId   = "dn:" dn
dn          = utf8string ; with syntax defined in [UTF]

              ; unspecified userid, UTF-8 encoded.
uAuthzId    = "u:" userid
userid      = utf8string ; syntax unspecified

              ; IP address
ipAddress   = IPv6address | printableString
              ; printableString to use a wildcard
              ; domain name such as *.airius.com
              ; to specify a specific DNS domain

              ; following is excerpted from [IPV6]
IPv6address = hexpart [ ":" IPv4address ]
IPv4address = 1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT
IPv6prefix  = hexpart "/" 1*2DIGIT
hexpart     = hexseq | hexseq "::" [ hexseq ] | "::" [ hexseq ]
hexseq      = hex4 *( ":" hex4)
hex4        = 1*4HEXDIG

printableString = ; printableString syntax from [ATTR]
*******endBNF***********
Ellen
At 12:50 PM 3/9/2001 -0800, Sanjay Panwar wrote:
Question on draft-ietf-ldapext-acl-model-07.txt
-----------------------------------------------------
WRT attr options
attr = "[all]" / "[entry]" / (attribute *("," attribute))
Is it necessary to have two different keywords to target Entry and All
attributes, since we already have a separate set of permissions for entry
and attributes?
Is it not sufficient to have only one keyword, let's call it "[all
entry]", to target both the entry and its attributes? The permission determines
whether it can be applied to an entry or attribute, as illustrated below.
subtreeACI: grant:o # [all entry] # role:cn=SysAdmin,o=Company
    ; Applies to all attributes as o is an attribute-specific permission

subtreeACI: grant:d # [all entry] # role:cn=SysAdmin,o=Company
    ; Applies to the entry as d is an entry-specific permission
With the existing scheme it is possible to define the following ACIs, which
do not have any meaning.
subtreeACI:grant:o#[entry]#role:cn=SysAdmin,o=Company
subtreeACI:grant:d#[all]#role:cn=SysAdmin,o=Company
- Panwar
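As an added example (not part of either message in this thread, nor of the draft itself), a small Python checker for ACI values in the draft's `rights # attr # subject` layout that applies the entry/attribute permission split from the reworked BNF above and flags exactly the meaningless combinations Panwar lists (an attribute permission aimed at `[entry]`, an entry permission aimed at `[all]` or an attribute list). The attribute-name pattern and the handling of the optional `authnLevel:` prefix are this example's own assumptions.

```python
import re

# Permission letters split by what they apply to, as in the reworked BNF.
ENTRY_PERMS = set("adeinbt")   # add, delete, export, import, renameDN, browseDN, returnDN
ATTR_PERMS = set("rswocm")     # read, search, write, obliterate, compare, make

SUBJECT_PREFIXES = ("authzID-", "role:", "group:", "subtree:", "ipAddress:", "public:", "this:")
# Assumed attribute form: an LDAP descriptor (cn, userPassword) or a dotted OID.
ATTRIBUTE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$|^\d+(\.\d+)+$")

def check_aci(aci):
    """Return a list of problems found in one entryACI/subtreeACI value ([] if consistent).

    Accepts 'rights # attr # subject' with optional spaces around '#' and an optional
    leading 'subtreeACI:' or 'entryACI:' label, e.g.
    'subtreeACI: grant:d # [entry] # role:cn=SysAdmin,o=Company'.
    """
    problems = []
    if aci.startswith(("subtreeACI:", "entryACI:")):
        aci = aci.split(":", 1)[1]
    parts = [p.strip() for p in aci.split("#")]
    if len(parts) != 3:
        return ["expected rights # attr # subject, got %d fields" % len(parts)]
    rights, target, subject = parts

    # rights = ("grant:" / "deny:") perms, or "grant:" perms ";deny:" perms
    perms = set()
    for clause in rights.split(";"):
        m = re.fullmatch(r"(grant|deny):([a-z](,[a-z])*)", clause)
        if not m:
            problems.append("malformed rights clause %r" % clause)
            continue
        perms |= set(m.group(2).split(","))
    unknown = perms - ENTRY_PERMS - ATTR_PERMS
    if unknown:
        problems.append("unknown permission(s) %s" % sorted(unknown))

    # attr = "[all]" / "[entry]" / attribute *("," attribute); the target decides
    # which permission set is meaningful, which is the point raised in the thread.
    if target == "[entry]":
        bad = perms & ATTR_PERMS
        if bad:
            problems.append("attribute permission(s) %s cannot target [entry]" % sorted(bad))
    elif target == "[all]" or all(ATTRIBUTE_RE.match(a) for a in target.split(",")):
        bad = perms & ENTRY_PERMS
        if bad:
            problems.append("entry permission(s) %s cannot target attributes" % sorted(bad))
    else:
        problems.append("malformed attr field %r" % target)

    # subject = ["authnLevel:" authnLevel ":"] (one of the subject types)
    subject = re.sub(r"^authnLevel:(sasl:)?[^:]+:", "", subject)
    if not subject.startswith(SUBJECT_PREFIXES):
        problems.append("unknown subject type %r" % subject)
    return problems
```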