
required permissions for search

All,

I would like to present a final idea for what should be the required
permissions for the search operation (section 5.2).  I hope this wraps
up some recent threads on access control for search.

The problem is to decide which directory things need to be protected by
access control when a search operation is being carried out.  I see 6
potentially important things:

1. scope.
Have you the right to use the specified scope to see that entry?
You need browse permission to be able to get at entries below the base
of your search.

2. entry-level read
Have you the right to 'read' the entry?  We can see this as a
permission that protects the whole entry in one go--the dn of the entry
and the attributes of the entry.

3. filter test
 3a. Have you the right to use the attributes in the entry in a search
filter?
 3b. Have you the right to use the attributes in the entry's dn in a
search filter (applies only for extensible match if dnAttributes is
true)?

4. attribute-level read
Have you the right to see the type and value of a given attribute in
that entry?

5. return dn
Have you the right to see the dn of the entry?  If you do not have the
right an alias of some kind may be returned.

6. disclose on error
Have you the right to discover even the presence of the entry?

We can arrive at different models by choosing to require or not each of
these items on every candidate entry to be returned during a search
operation.  The last mail I sent in the "browse permission in the ACM"
thread proposed requiring 1, 3a, 3b, 4, 5, 6.

In fact I think 1, 2, 3a, 4, 5, 6 is better.  The reason is that I
think an entry-level read permission (2) is a good idea anyway to be
able to turn off access to aliased base entries at the entry level.
Also, 2 is easy to understand in that it does not depend on the scope or
whether an alias is defined.  Also, I don't like 3b because it implies
looking at the attributes in an entry's dn and I think in an ACM it is
better for efficiency reasons to protect the dn at the entry level (i.e.
entry-level read and return dn).

So the next version of the acm draft will have 1, 2, 3a, 4, 5, 6 if
no-one objects.

Rob.
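As an added illustration of the "1, 2, 3a, 4, 5, 6" proposal above (this is example code written for this page, not part of Rob's mail or of the ACM draft): a small Python model that runs the six checks over every candidate entry of a search against a constructed directory. The permission names (`browse`, `read`, `returndn`, `disclose` at entry level; `filter`, `read` at attribute level), the `<alias>` placeholder returned when the return-dn right is missing, the treatment of a missing intermediate entry as a browse failure, and the error-code mapping for check 6 are all assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed model of the proposal. Permission names are assumptions for this
# example, not the draft's own vocabulary:
#   entry-level:     "browse" (1), "read" (2), "returndn" (5), "disclose" (6)
#   attribute-level: "filter" (3a), "read" (4)

@dataclass
class Entry:
    dn: str
    attrs: dict        # attribute type -> list of values
    entry_perms: set   # entry-level permissions held by the requester
    attr_perms: dict   # attribute type -> set of attribute-level permissions

def parent(dn):
    return dn.split(",", 1)[1] if "," in dn else ""

def in_scope(dn, base, scope):
    if scope == "base":
        return dn == base
    if scope == "one":
        return parent(dn) == base
    if scope == "sub":
        return dn == base or dn.endswith("," + base)
    raise ValueError("unknown scope: " + scope)

def chain_below_base(dn, base):
    """Entries strictly below the base, from the candidate up to (excluding) the base."""
    chain = []
    while dn != base:
        chain.append(dn)
        dn = parent(dn)
    return chain

def search(directory, base, scope, filt, requested):
    """Evaluate an equality-filter search; filt is (attribute, value)."""
    base_entry = directory.get(base)
    if base_entry is None or "read" not in base_entry.entry_perms:
        # 6. disclose on error: only a requester allowed to learn that the base
        # exists gets an access-rights error; everyone else sees noSuchObject
        if base_entry is not None and "disclose" in base_entry.entry_perms:
            return "insufficientAccessRights", []
        return "noSuchObject", []
    filt_attr, filt_value = filt
    results = []
    for dn, entry in directory.items():
        if not in_scope(dn, base, scope):
            continue
        # 1. scope: browse permission on every entry between base and candidate
        #    (a missing intermediate entry is treated as a browse failure)
        if any(d not in directory or "browse" not in directory[d].entry_perms
               for d in chain_below_base(dn, base)):
            continue
        # 2. entry-level read protects the whole entry in one go
        if "read" not in entry.entry_perms:
            continue
        # 3a. filter test: without filter permission on the attribute the
        #     filter cannot be evaluated, so the entry is not returned
        if "filter" not in entry.attr_perms.get(filt_attr, set()):
            continue
        if filt_value not in entry.attrs.get(filt_attr, []):
            continue
        # 4. attribute-level read decides which attributes are returned
        attrs = {a: vals for a, vals in entry.attrs.items()
                 if a in requested and "read" in entry.attr_perms.get(a, set())}
        # 5. return dn, or an alias placeholder when that right is missing
        shown_dn = dn if "returndn" in entry.entry_perms else "<alias>"
        results.append((shown_dn, attrs))
    return "success", results

# Constructed sample directory as seen by one requester.
ALL = {"browse", "read", "returndn", "disclose"}
OU_PERMS = {"objectClass": {"filter", "read"}}
PERSON_PERMS = {"objectClass": {"filter"}, "mail": {"read", "filter"}, "userPassword": set()}

DIRECTORY = {e.dn: e for e in [
    Entry("dc=example", {"objectClass": ["domain"]}, ALL, OU_PERMS),
    Entry("ou=people,dc=example", {"objectClass": ["organizationalUnit"]}, ALL, OU_PERMS),
    Entry("cn=alice,ou=people,dc=example",
          {"objectClass": ["person"], "mail": ["alice@example.com"], "userPassword": ["secret"]},
          ALL, PERSON_PERMS),
    # bob: no filter right on objectClass, so check 3a excludes him
    Entry("cn=bob,ou=people,dc=example", {"objectClass": ["person"], "mail": ["bob@example.com"]},
          ALL, {"objectClass": set(), "mail": {"read"}}),
    # carol: no return-dn right, so her dn is replaced by the alias placeholder
    Entry("cn=carol,ou=people,dc=example", {"objectClass": ["person"], "mail": ["carol@example.com"]},
          ALL - {"returndn"}, PERSON_PERMS),
    # ou=staff: no browse right, so nothing below it is reachable (check 1)
    Entry("ou=staff,dc=example", {"objectClass": ["organizationalUnit"]}, ALL - {"browse"}, OU_PERMS),
    Entry("cn=dave,ou=staff,dc=example", {"objectClass": ["person"], "mail": ["dave@example.com"]},
          ALL, PERSON_PERMS),
    # ou=secret: not readable, but its existence may be disclosed on error (check 6)
    Entry("ou=secret,dc=example", {"objectClass": ["organizationalUnit"]}, {"disclose"}, OU_PERMS),
]}

if __name__ == "__main__":
    print(search(DIRECTORY, "dc=example", "sub", ("objectClass", "person"), ["mail", "userPassword"]))
    print(search(DIRECTORY, "ou=secret,dc=example", "base", ("objectClass", "organizationalUnit"), []))
    print(search(DIRECTORY, "ou=missing,dc=example", "base", ("objectClass", "organizationalUnit"), []))
```

The subtree search returns alice (with `mail` only, since `userPassword` has no attribute-level read) and carol under the alias placeholder; bob and dave are silently dropped by checks 3a and 1, so the requester cannot tell from the result set which of the two reasons applied. Checks 2 and 5 operate on the entry as a whole, which is the efficiency argument made in the mail for protecting the dn at entry level rather than evaluating 3b against the dn's attributes.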