RE: Adding to the LDAP ACM to a WG charter
As someone who needs to deploy a global directory that contains white, blue
and yellow pages data, as well as key management data, I am not in an
operational environment that permits one group or person to manage all the
My accountability and separation of duty requirements on the administrators
of this system lead us to more than simplistic access control models.
Replication of that data to any portion of the system, as well as a
standardized process for performing the access control decision function is
very high on the requirements list.
We are hampered in our ability to select different products for our
directory services by the lack of a standardized approach. The initial
rollout/deployment will be product-specific because the interoperability
cannot be tested or specified in procurement documents, since it does not
exist in a standardized way.
To be fair, we are also hampered by a standardized means of deriving the
ownership rules of the data and I would like to see some additional work
done on development of that kind of framework. I believe the OpenGroup has
expressed interest in helping establish the framework. However, without a
standardized means of replicating the AC information, we cannot progress
beyond a homogeneous directory server environment.
National Security Agency
V5 Technical Director - Security
From: Paul Leach [mailto:paulle@xxxxxxxxxxxxxxxxxxxxx]
Sent: Monday, November 19, 2001 4:18 PM
To: Ryan Moats; Steven Legg
Subject: RE: Adding to the LDAP ACM to a WG charter
> -----Original Message-----
> From: Ryan Moats [mailto:rmoats@xxxxxxxxxxxxxxxxx]
> Sent: Monday, November 19, 2001 11:25 AM
> To: Steven Legg
> Pardon? I thought the idea of LDUP was a standard that would
> lead to interoperability. I don't see how this is possible
> if deployment is ignored.
I believe that a quite useful replicated directory could be deployed
with limited security functionality until an ACM standard is completed.
How, you ask? As someone else noted, the access policy could be kept in
synch out of band. In practice, that would mean access policy would have
to be simple, and change infrequently. A very useful, and quite
deployable, policy that meets that requirement is one that allows
everyone read, and one person or group update, to the contents of the
whole server (or whole naming contexts within the server, if you want to
get slightly more complex).
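The simple, rarely changing policy sketched in the message above can be written down as a static server configuration rather than as replicated ACI attributes. The following is an added illustration, not part of the thread and not tied to any product the participants discuss; it uses OpenLDAP's cn=config access-directive syntax with placeholder DNs (dc=example,dc=org, the cn=dir-admins and cn=yp-editors groups, and the ou=yellowpages subtree are all assumed). Clause {2} is the "everyone reads, one group updates the whole server" policy; clause {1} shows the "slightly more complex" variant that delegates update of one naming context to a different group; clause {0} is the usual refinement that keeps userPassword out of the world-readable set, which a practitioner would normally add even under this minimal model.

```ldif
# Constructed example (not from the thread): OpenLDAP cn=config access
# directives for the "everyone reads, one group updates" policy.
# All DNs are placeholders. Clauses are evaluated in order; the first
# "to" clause that matches the target wins, so the narrower rules come
# before the catch-all "to *".
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by group.exact="cn=dir-admins,ou=groups,dc=example,dc=org" write
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to dn.subtree="ou=yellowpages,dc=example,dc=org"
  by group.exact="cn=yp-editors,ou=groups,dc=example,dc=org" write
  by * read
olcAccess: {2}to *
  by group.exact="cn=dir-admins,ou=groups,dc=example,dc=org" write
  by * read
```

Because the policy lives in each server's configuration and references only group DNs, keeping replicas consistent is a matter of shipping the same configuration fragment to every server out of band (the approach the message describes) and replicating the group entries with the rest of the data; no access-control attributes need to travel in the replication stream.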