RE: expansion of groups/roles/subtree subjects in LDAP ACM
Rob,
I think we need to differentiate between grant and deny acis when evaluation
fails--we should always fail toward denying the access. On failure, a grant
aci should assume the aciSubject does not apply while a deny aci should
assume that it does apply.
--the walrus
> -----Original Message-----
> From: robert byrne [mailto:robert.byrne@Sun.COM]
> Sent: Monday, July 09, 2001 8:25 AM
> To: Kurt D. Zeilenga
> Cc: john.strassner@intelliden.com; Ryan Moats;
> ietf-ldapext@netscape.com
> Subject: Re: expansion of groups/roles/subtree subjects in LDAP ACM
>
>
>
> Kurt,
>
> I think what's needed here is for the draft to specify that, if the
> evaluation of any part of the subject fails, then the subject part of
> that aci does not apply. So we can change the intro to 4.3.2.4 to
> something like:
>
> "4.3.2.4 Applicability Rules for Subjects
>
> Call the subject portion of the ACI in question aciSubject. Then to
> determine if aciSubject applies to requestorSubject we apply the
> following rules. In the case where the server fails to evaluate a
> rule and so fails to fully confirm that aciSubject applies, then
> aciSubject does not apply."
>
> Rob.
>
> John Strassner wrote:
> >
> > agreed, except that noting in the log system that the
> > group/role/subtree has not been fully expanded **may** give, in some
> > cases, more information than needed and be a start in compromising
> > security.
> >
> > regards,
> > John
> >
> > -----Original Message-----
> > From: Ryan Moats [mailto:rmoats@lemurnetworks.net]
> > Sent: Thursday, July 05, 2001 2:18 PM
> > To: Kurt D. Zeilenga
> > Cc: ietf-ldapext@netscape.com
> > Subject: Re: expansion of groups/roles/subtree subjects in LDAP ACM
> >
> > On Thu, Jul 05, 2001 at 12:58:23PM -0700, Kurt D. Zeilenga wrote:
> > > How are exceptional conditions in expanding
> > > groups/roles/subtrees to be handled? In particular,
> > > what is the ACM behavior when the groups/roles/subtrees
> > > cannot be fully expanded and the requestor's DN is not
> > > found in the partial set of DNs?
> > >
> > > Kurt
> >
> > Well as an initial (not perfect) suggestion I would opt for
> > notifying via the log system that the group/role/subtree
> > has not been fully expanded and that access has been denied
> > because the DN is not in the partial set.
> >
> > Ryan
>
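The fail-closed subject evaluation discussed in this thread, written out as an added example (not code from the draft, the list, or any LDAP server): a grant ACI whose group/role/subtree cannot be fully expanded is treated as not applying, a deny ACI in the same situation is treated as applying, and the failure is logged without listing resolved members. The names `Aci`, `subject_applies`, `decide`, `expand_group` and the deny-over-grant combination order are assumptions for the demonstration.

```python
from dataclasses import dataclass
from typing import Callable, List, Set

class ExpansionError(Exception):
    """A group/role/subtree subject could not be fully expanded."""

@dataclass
class Aci:
    name: str
    effect: str         # "grant" or "deny"
    subject_group: str  # DN of the group/role/subtree named as the subject

def subject_applies(aci: Aci, requestor_dn: str,
                    expand: Callable[[str], Set[str]], audit: List[str]) -> bool:
    """Decide whether aci's subject applies to requestor_dn.
    On expansion failure evaluation fails toward denying access: a grant
    ACI's subject is assumed not to apply, a deny ACI's subject is assumed
    to apply. The failure is logged without listing any resolved members.
    """
    try:
        members = expand(aci.subject_group)
    except ExpansionError:
        assumed = aci.effect == "deny"
        audit.append(f"{aci.name}: subject {aci.subject_group} not fully expanded; "
                     f"assumed {'applicable' if assumed else 'not applicable'}")
        return assumed
    return requestor_dn in members

def decide(acis: List[Aci], requestor_dn: str,
           expand: Callable[[str], Set[str]], audit: List[str]) -> bool:
    """Combine ACIs (assumed order for this demo, not the draft's): an
    applicable deny wins, otherwise an applicable grant is needed, and
    nothing applicable means access is denied."""
    granted = False
    for aci in acis:
        if subject_applies(aci, requestor_dn, expand, audit):
            if aci.effect == "deny":
                return False
            granted = True
    return granted

# Constructed sample directory: "admins" resolves; any other group DN
# fails to expand (e.g. a nested group or referral that could not be chased).
SAMPLE_GROUPS = {"cn=admins,dc=example,dc=com": {"uid=alice,dc=example,dc=com"}}

def expand_group(group_dn: str) -> Set[str]:
    if group_dn not in SAMPLE_GROUPS:
        raise ExpansionError(group_dn)
    return SAMPLE_GROUPS[group_dn]
```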