
Re: subjects in LDAP ACMs



Kurt,

Conceptually it's certainly helpful to separate the authzid type
subjects from factors like authnLevel, ipaddress/dns name etc.  However,
in so far as a factor is typically an extra refinement on authzID's (eg.
grant the access if it's cn=rob,o=sun.com AND he's authenticated using
SASL-DIGEST-MD5) I think factors are still very "subjecty" things.  Is
the trend of your thought to move factors into a say "factor" keyword
and then require that the subject AND factor keywords are satisfied?

What do you mean by "authorized" below?

BTW, do you think it would be interesting to allow boolean combinations
of subjects in the same aci ?

Rob.

"Kurt D. Zeilenga" wrote:
> 
> I note that the LDAP ACI syntax only allows a single
> subject per value though it is likely quite desirable
> to treat certain kinds of subjects as orthogonal factors
> in the ACM.  For example, it might be useful to say
> "authzId X via Y method gets Z permission".
> 
> However, adding additional, independent factors to
> the ACM adds to the complexity of specification so
> we must tread lightly.
> 
> My first suggestion would be remove subjects based
> upon orthogonal factors from the ACM, then to discuss
> support for orthogonal factors such as authnLevel.
> 
> I suggest Subjects be based solely upon presence, absence,
> or value of the authorization identity.  Hence, I suggest
> (provided in suggested precedence order):
> 
>   subject = this          ; self
>   subject /= ("authzID-" authzID)
>   subject /= ("role:" dn)
>   subject /= ("group:" dn)
>   subject /= ("subtree:" dn)
>   subject /= authorized   ; authenticated and authorized
>   subject /= anonymous    ; unauthenticated
>   subject /= public       ; any user
> 
> Kurt
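Kurt's proposed subject grammar, quoted above, as an added example that is not part of the thread: a parser for the eight subject forms and a matcher that applies his suggested precedence order. It assumes the authzID form is written `authzID:` like the other prefixed forms, that the authorization identity is a DN, and that role and group memberships are already resolved into the constructed `Request` context.

```python
import re
from dataclasses import dataclass, field
# Kurt's proposed subject forms in his suggested precedence order (index 0 is
# the most specific); the four keyword forms take no argument.
PRECEDENCE = ["this", "authzID", "role", "group", "subtree",
              "authorized", "anonymous", "public"]

def parse_subject(text):
    """Return (kind, argument); argument is None for the keyword forms."""
    text = text.strip()
    if text in ("this", "authorized", "anonymous", "public"):
        return text, None
    m = re.fullmatch(r"(authzID|role|group|subtree):\s*(.+)", text)
    if not m:
        raise ValueError(f"not a valid subject: {text!r}")
    return m.group(1), m.group(2)

def norm_dn(dn):  # case/whitespace-only DN normalisation, enough for the demo
    return ",".join(p.strip().lower() for p in dn.split(","))

@dataclass
class Request:
    """Constructed request context for this example (not from the thread)."""
    authz_id: "str | None"   # DN of the authorization identity, None if anonymous
    target_dn: str           # entry the operation touches
    roles: set = field(default_factory=set)
    groups: set = field(default_factory=set)

def subject_matches(subject, req):
    kind, arg = parse_subject(subject)
    anonymous = req.authz_id is None
    if kind == "public":
        return True
    if kind in ("anonymous", "authorized"):  # authorized = authenticated identity
        return anonymous == (kind == "anonymous")
    if anonymous:            # every remaining form needs an identity
        return False
    me = norm_dn(req.authz_id)
    if kind in ("this", "authzID"):  # self, or one named identity
        return me == norm_dn(req.target_dn if kind == "this" else arg)
    if kind in ("role", "group"):
        members = req.roles if kind == "role" else req.groups
        return norm_dn(arg) in {norm_dn(d) for d in members}
    base = norm_dn(arg)      # subtree: identity at or below the base DN
    return me == base or me.endswith("," + base)

def most_specific_match(subjects, req):
    """Matching subject ranked highest in the precedence list, else None."""
    hits = [s for s in subjects if subject_matches(s, req)]
    return min(hits, key=lambda s: PRECEDENCE.index(parse_subject(s)[0]), default=None)
```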