Prerequisites
RFCs and Drafts
- RFC 3672

- Failed Draft: [Lightweight Directory Access Protocol (LDAP): Access Control Administration|http://www.dfn-pca.de/bibliothek/standards/ietf/none/internet-drafts/draft-legg-ldap-acm-admin-03.txt]
- Failed Draft: [Lightweight Directory Access Protocol (LDAP): Directory Administrative Model|http://www.dfn-pca.de/bibliothek/standards/ietf/none/internet-drafts/draft-legg-ldap-admin-02.txt]
- Failed Draft: Access Control Model for LDAPv3

X.501
- Section 4: Directory Administrative Model (pages 28-33)
- Section 5: Model of Directory Administrative and Operational Information (pages 34-40)
- Section 8: Security (pages 89-106)
  - skip subclauses 17.3.1 and 17.3.2 (pages 90-93)
- Annex E: Basic Access Control in ASN.1 (pages 169-171)
- Annex L: Overview of Basic Access Control Permissions (pages 192-195)
- Annex M: Example of Access Control (pages 196-212)
More Info
- Understanding X.500 (David Chadwick)
- Another Chadwick production: Secure Directories

Things to ignore while reading X.501
- Anything on attribute contexts, which are not part of LDAP
- Anything on entry families, which are also not part of LDAP
- Operations such as List, which have no LDAP counterpart
Some ideas on implementing ACIs
Subentries will be used to manage prescriptive (en masse) access controls based on subtree specifications. Entry ACIs will be used for finer control over individual entries. Together these let us manage Directory Access Control Domains (DACDs) within an access-control-specific administrative area.
Obviously not all aspects of X.501 will be incorporated into an LDAP definition of prescriptive ACIs and entry ACIs. We will borrow what is necessary and leave behind elements that are specific to the X.500 protocols rather than to the directory model.
One key problem to overcome when implementing access controls is how to efficiently track the administrative points an entry is associated with. More precisely, an entry is associated with zero or more subentries by way of their subtree specifications. An administrative point for access control may have several subentries whose subtree specifications (and refinements) can intersect, and there may be nested inner administrative points with subentries of their own.
Perhaps the best way to proceed is to sacrifice write performance in favor of reads. When an entry is added, it can be tested to see whether it falls within any of the administrative areas known to the server. If it does, the subentries of that administrative point and of its inner areas are tested to see whether their subtree specifications select the entry. For each subentry that does, an operational attribute referencing that subentry is added to the entry.
At search time the subentries are located immediately through these references and their access control information is evaluated against the candidate entry.
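The following is an added worked example of the scheme sketched above; it is not code from the original page or from any directory server. It models RFC 3672 subtree specifications (base, minimum, maximum, chopBefore, chopAfter) with a flat objectClass set standing in for the full refinement grammar, evaluates every subentry once when an entry is added, and stores the hits in an operational attribute so that read-time evaluation is a plain lookup. The DIT, the administrative points, the attribute name `accessControlSubentries`, the opaque ACI strings and the simplified DN parsing (no escaping) are all assumptions chosen for illustration.

```python
"""Toy model: subtree selection at add time, reference lookup at search time.
Added example; DIT, names and the operational attribute are assumptions."""
from dataclasses import dataclass
from typing import Iterable, Optional


def parse_dn(dn: str) -> tuple:
    """Split a DN into a root-first tuple of RDNs (simplified: no escaping)."""
    return tuple(r.strip().lower() for r in reversed(dn.split(","))) if dn else ()


@dataclass(frozen=True)
class SubtreeSpec:
    """RFC 3672 / X.501 subtree specification with a simplified refinement."""
    base: str = ""                              # relative to the administrative point
    minimum: int = 0                            # minimum depth below base
    maximum: Optional[int] = None               # maximum depth below base
    chop_before: tuple = ()                     # exclude the named entry and its subordinates
    chop_after: tuple = ()                      # exclude only the subordinates of the named entry
    object_classes: Optional[frozenset] = None  # stand-in for an 'item' refinement

    def selects(self, ap_dn: str, entry_dn: str, entry_ocs: Iterable[str]) -> bool:
        base, entry = parse_dn(ap_dn) + parse_dn(self.base), parse_dn(entry_dn)
        if entry[:len(base)] != base:
            return False
        rel, depth = entry[len(base):], len(entry) - len(base)
        if depth < self.minimum or (self.maximum is not None and depth > self.maximum):
            return False
        for ex in self.chop_before:
            x = parse_dn(ex)
            if rel[:len(x)] == x:
                return False
        for ex in self.chop_after:
            x = parse_dn(ex)
            if rel[:len(x)] == x and depth > len(x):
                return False
        if self.object_classes is not None:
            if not ({oc.lower() for oc in entry_ocs} & self.object_classes):
                return False
        return True


@dataclass
class Subentry:
    dn: str
    ap_dn: str        # administrative point the subentry hangs under
    spec: SubtreeSpec
    aci: list         # prescriptive ACI items, opaque strings here


class Directory:
    def __init__(self):
        self.entries, self.subentries, self.specific_aps = {}, {}, set()

    def add_specific_ap(self, dn: str):
        self.specific_aps.add(parse_dn(dn))

    def add_subentry(self, se: Subentry):
        self.subentries[se.dn] = se

    def _bounded(self, ap_dn: str, entry_dn: str) -> bool:
        """A subtree never crosses into a subordinate access-control-specific area:
        a specific AP strictly below this AP and on the path to the entry cuts it off."""
        ap, entry = parse_dn(ap_dn), parse_dn(entry_dn)
        return any(len(s) > len(ap) and entry[:len(s)] == s for s in self.specific_aps)

    def selecting_subentries(self, entry_dn: str, ocs: Iterable[str]) -> list:
        return [se.dn for se in self.subentries.values()
                if se.spec.selects(se.ap_dn, entry_dn, ocs)
                and not self._bounded(se.ap_dn, entry_dn)]

    def add_entry(self, dn: str, attrs: dict):
        """Write time: evaluate all subentries once, record hits in an operational
        attribute (name assumed here)."""
        attrs = dict(attrs)
        attrs["accessControlSubentries"] = self.selecting_subentries(
            dn, attrs.get("objectClass", ()))
        self.entries[dn] = attrs

    def prescriptive_acis(self, dn: str) -> list:
        """Read time: follow the stored references; no subtree evaluation needed."""
        return [item for ref in self.entries[dn]["accessControlSubentries"]
                for item in self.subentries[ref].aci]


def build_sample_directory() -> Directory:
    """Constructed DIT: a specific area at the suffix with an inner area at
    ou=people, and a second specific area at ou=partners."""
    d = Directory()
    d.add_specific_ap("dc=example,dc=com")
    d.add_specific_ap("ou=partners,dc=example,dc=com")
    d.add_subentry(Subentry("cn=everyone,dc=example,dc=com", "dc=example,dc=com",
                            SubtreeSpec(), ["grantRead-everyone"]))
    d.add_subentry(Subentry("cn=staff,ou=people,dc=example,dc=com",
                            "ou=people,dc=example,dc=com",
                            SubtreeSpec(chop_before=("ou=guests",),
                                        object_classes=frozenset({"inetorgperson"})),
                            ["grantModify-staff"]))
    d.add_subentry(Subentry("cn=partners,ou=partners,dc=example,dc=com",
                            "ou=partners,dc=example,dc=com", SubtreeSpec(),
                            ["grantRead-partners"]))
    for dn, oc in [("dc=example,dc=com", "domain"),
                   ("ou=people,dc=example,dc=com", "organizationalUnit"),
                   ("uid=alice,ou=people,dc=example,dc=com", "inetOrgPerson"),
                   ("uid=bob,ou=guests,ou=people,dc=example,dc=com", "inetOrgPerson"),
                   ("ou=partners,dc=example,dc=com", "organizationalUnit"),
                   ("uid=carol,ou=partners,dc=example,dc=com", "inetOrgPerson")]:
        d.add_entry(dn, {"objectClass": [oc]})
    return d
```

Two points the sample exercises that are easy to get wrong: the suffix-level subentry does not reach `ou=partners` because that entry starts a new access-control-specific area, and bob under `ou=guests` is excluded from the inner area's subentry by the chopBefore exclusion while still being selected by the suffix-level one. The stored references also have to be recomputed whenever a subentry's subtree specification changes or an entry is renamed or moved, which is the price of doing the evaluation at write time.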
