RE: LDAPv3 Replication Access Control Design Team Report

[John McMeeking <jmcmeek@xxxxxxxxxx>]

I agree with Tim.

I see this as similar to how X.501 separates the general security model
from a specific access control model.  The X.501 security model defines a
mechanism for identifying the access control schema and its scope of
control, while its Basic Access Control defines one (of possibly many)
access control schemes.

I think we need the security model portion.  At a minimum it provides a
basis for determining whether all the servers support a given access
control scheme.  Beyond that, if a server supported multiple access control
schemes, it provides a framework for specifying which access control scheme
is used for some area of the DIT, or how servers should behave in the
presence of differing or identical acces control schemes.

We do not need to specify a specific access control scheme.  We need to
ensure that LDUP makes consistent access control across servers possible,
possibly specifying that ACI is replicated (if the specific scheme
represents ACI as operational attributes and/or LDAP objects).  I'm sure
some folks would love it if they could manage access control across a
hetergenous directory network, but that is a much tougher nut to crack --
both from the perspective of agreeing on such a beast, and then getting
vendors to implement it.

Given the security model pieces, we can then define how LDUP should handle
ACI information.  For example:
- If the same access control scheme is used on two servers that replicate
to one another, the attributes and / or LDAP objects that define ACI are
replicated.
- If different access control schemes are used -- writeable server(s) use
same model to control updates, read only servers might allow anonymous
searches to all data -- LDUP could use this knowledge to not replicate the
same attributes and / or objects.

The above does not require that we define a specific scheme, only that we
have a means to identify -- possibly select -- the access control model
used by various servers for a given area of the DIT, and that a server that
implements an access control model know how to behave with respect to
replication of access control information.


John  McMeeking
jmcmeek@xxxxxxxxxx



                                                                                                                                       
                      Timothy                                                                                                          
                      Hahn/Durham/IBM@I        To:       ietf-ldup@xxxxxxx                                                             
                      BMUS                     cc:                                                                                     
                      Sent by: owner-          Subject:  RE: LDAPv3 Replication Access Control Design Team Report                      
                      ietf-ldup@mail.                                                                                                  
                      imc.org                                                                                                          
                                                                                                                                       
                                                                                                                                       
                      09/10/2002 08:04                                                                                                 
                      AM                                                                                                               
                                                                                                                                       
                                                                                                                                       





Kurt,

My opinions below.

Regards,
Tim Hahn

Internet: hahnt@xxxxxxxxxx
Internal: Timothy Hahn/Durham/IBM@IBMUS
phone: 919.224.1565     tie-line: 8/687.1565
fax: 919.224.2540




                      "Kurt D.

                      Zeilenga"                To:       <capple@dsi-
consulting.net>
                      <Kurt@xxxxxxxxxxx        cc:       <ietf-ldup@imc.
org>
                      g>                       Subject:  RE: LDAPv3
Replication Access Control Design Team Report
                      Sent by:

                      owner-ietf-ldup@m

                      ail.imc.org



                      09/10/2002 08:42

                      AM







Let's cut to the key question:

  Does LDAP replication REQUIRE a standard LDAP ACM?

(REQUIRE here in the RFC 2119 sense).
TJH> I believe that LDAP replication MUST ensure that the security
TJH> (i.e. authorization to access - add/modify/search/delete)
TJH> is NOT compromised by the LDAP replication mechanism defined.
TJH>
TJH> Thus, I believe that LDAP replication REQUIRES that access
TJH> control issues be "attended to" (in the RFC 2119 sense).
TJH>
TJH> But I DO NOT feel that LDAP replication needs define a specific
TJH> Access Control Model (ACM).  LDAP replication need only ensure
TJH> that SOME ACM can be applied across the servers involved in the
TJH> data replicated amongst them and that LDAP replication doesn't
TJH> "mess that up".

If the consensus is yes, then we should determine how this
requirement is going to be fulfilled.  (I note that the
proposed plan doesn't produce a standard LDAP ACM.)

If the consensus is no, then we need not determine how an
LDAP ACM will or will not be produced.  It simply can remain
out of scope.

TJH> Unfortunately, I don't believe the answer is as "binary"
TJH> as this.  LDAP replication REQUIRES that things be done
TJH> "securely" but it does NOT REQUIRE a specific ACM.

I see little point is discussing the details of the plan
until we've actually agreed upon requirements...

Kurt