[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Policy Security Consideration (Was: Replicating policy information)
I note that my statement:
In some cases, it may be desirable to share values
of policy information.
Applies not only to attributes/objects representing access control,
collective attributes, subschema, authentication, identity management,
etc., it also applies to the attributes/objects representing
replication policy. That is, there are cases where it is not
desirable to replicate attributes/objects representing replication
agreements. For example, where replication of that policy would
disclose, or make vulnerable, security sensitive information.
Security consideration:
As policy often contains confidential or otherwise security
sensitive information, LDAP Replication must not require
replication of policy information. LDAP Replication should
allow each server holding a (complete or fractional) copy of
an object to apply local policy. Coordination of policy
between servers is a matter left to controlling authorities
(e.g., the directory administrator(s)).
Kurt
At 07:52 AM 2002-09-10, Kurt D. Zeilenga wrote:
>John hits on a interesting point, but he limits it to just
>access control information. I also disagree with his
>conclusion he draws from the point.
>
>When replicating between heterogeneous servers, each server
>will have different operational attributes (as well as entries
>which only hold operational information). Some of these
>operational attributes are maintained by the server and provide
>information to the directory users. Some are maintained by
>directory users and are used by the directory server in its
>processing. Those of the latter can be viewed as policy
>attributes.
>
>In some cases, it may be desirable to share values of policy
>information. In other cases, no. What LDUP needs to ensure
>is that replications agreements can express the POLICY for
>which policy attributes are to be replicated and which ones are
>not to be replicated. Then the authority (or authorities)
>establishing the replication agreement will have the means
>for ensuring only information appropriate to be replicated
>is replicated.
>
>Hence, LDUP MUST support fractional and partial replication
>and LDUP replication agreements must be capable of expressing
>the fraction and/or part to be replicated.
>
>However, I believe it unwise (and insecure) for LDUP to
>support negotiate (select) what policy information should be
>exchanged between replicas. What to replicate should be
>explicit in the replication agreement.
>
>Kurt
>
>
>At 07:05 AM 2002-09-10, John McMeeking wrote:
>
>>
>>
>>
>>
>>
>>I agree with Tim.
>>
>>I see this as similar to how X.501 separates the general security model
>>from a specific access control model. The X.501 security model defines a
>>mechanism for identifying the access control schema and its scope of
>>control, while its Basic Access Control defines one (of possibly many)
>>access control schemes.
>>
>>I think we need the security model portion. At a minimum it provides a
>>basis for determining whether all the servers support a given access
>>control scheme. Beyond that, if a server supported multiple access control
>>schemes, it provides a framework for specifying which access control scheme
>>is used for some area of the DIT, or how servers should behave in the
>>presence of differing or identical acces control schemes.
>>
>>We do not need to specify a specific access control scheme. We need to
>>ensure that LDUP makes consistent access control across servers possible,
>>possibly specifying that ACI is replicated (if the specific scheme
>>represents ACI as operational attributes and/or LDAP objects). I'm sure
>>some folks would love it if they could manage access control across a
>>hetergenous directory network, but that is a much tougher nut to crack --
>>both from the perspective of agreeing on such a beast, and then getting
>>vendors to implement it.
>>
>>Given the security model pieces, we can then define how LDUP should handle
>>ACI information. For example:
>>- If the same access control scheme is used on two servers that replicate
>>to one another, the attributes and / or LDAP objects that define ACI are
>>replicated.
>>- If different access control schemes are used -- writeable server(s) use
>>same model to control updates, read only servers might allow anonymous
>>searches to all data -- LDUP could use this knowledge to not replicate the
>>same attributes and / or objects.
>>
>>The above does not require that we define a specific scheme, only that we
>>have a means to identify -- possibly select -- the access control model
>>used by various servers for a given area of the DIT, and that a server that
>>implements an access control model know how to behave with respect to
>>replication of access control information.
>>
>>
>>John McMeeking
>>jmcmeek@xxxxxxxxxx
>>
>>
>>
>>
>> Timothy
>> Hahn/Durham/IBM@I To: ietf-ldup@xxxxxxx
>> BMUS cc:
>> Sent by: owner- Subject: RE: LDAPv3 Replication Access Control Design Team Report
>> ietf-ldup@mail.
>> imc.org
>>
>>
>> 09/10/2002 08:04
>> AM
>>
>>
>>
>>
>>
>>
>>
>>Kurt,
>>
>>My opinions below.
>>
>>Regards,
>>Tim Hahn
>>
>>Internet: hahnt@xxxxxxxxxx
>>Internal: Timothy Hahn/Durham/IBM@IBMUS
>>phone: 919.224.1565 tie-line: 8/687.1565
>>fax: 919.224.2540
>>
>>
>>
>>
>> "Kurt D.
>>
>> Zeilenga" To: <capple@dsi-
>>consulting.net>
>> <Kurt@xxxxxxxxxxx cc: <ietf-ldup@imc.
>>org>
>> g> Subject: RE: LDAPv3
>>Replication Access Control Design Team Report
>> Sent by:
>>
>> owner-ietf-ldup@m
>>
>> ail.imc.org
>>
>>
>>
>> 09/10/2002 08:42
>>
>> AM
>>
>>
>>
>>
>>
>>
>>
>>Let's cut to the key question:
>>
>> Does LDAP replication REQUIRE a standard LDAP ACM?
>>
>>(REQUIRE here in the RFC 2119 sense).
>>TJH> I believe that LDAP replication MUST ensure that the security
>>TJH> (i.e. authorization to access - add/modify/search/delete)
>>TJH> is NOT compromised by the LDAP replication mechanism defined.
>>TJH>
>>TJH> Thus, I believe that LDAP replication REQUIRES that access
>>TJH> control issues be "attended to" (in the RFC 2119 sense).
>>TJH>
>>TJH> But I DO NOT feel that LDAP replication needs define a specific
>>TJH> Access Control Model (ACM). LDAP replication need only ensure
>>TJH> that SOME ACM can be applied across the servers involved in the
>>TJH> data replicated amongst them and that LDAP replication doesn't
>>TJH> "mess that up".
>>
>>If the consensus is yes, then we should determine how this
>>requirement is going to be fulfilled. (I note that the
>>proposed plan doesn't produce a standard LDAP ACM.)
>>
>>If the consensus is no, then we need not determine how an
>>LDAP ACM will or will not be produced. It simply can remain
>>out of scope.
>>
>>TJH> Unfortunately, I don't believe the answer is as "binary"
>>TJH> as this. LDAP replication REQUIRES that things be done
>>TJH> "securely" but it does NOT REQUIRE a specific ACM.
>>
>>I see little point is discussing the details of the plan
>>until we've actually agreed upon requirements...
>>
>>Kurt