Access Control Requirements for LDAP
RFC 2820

Document Type RFC - Informational (May 2000; Errata)
Authors Debbie Byrne, Ellen Stokes, Prasanta Behera, Bob Blakley
Last updated 2013-03-02
Stream IETF
IESG IESG state RFC 2820 (Informational)
Network Working Group                                      E. Stokes
Request for Comments: 2820                                  D. Byrne
Category: Informational                                          IBM
                                                          B. Blakley
                                                           P. Behera
                                                            May 2000

                  Access Control Requirements for LDAP

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2000).  All Rights Reserved.


Abstract

   This document describes the fundamental requirements of an access
   control list (ACL) model for the Lightweight Directory Access
   Protocol (LDAP) directory service.  It is intended to be a gathering
   place for access control requirements needed to provide authorized
   access to and interoperability between directories.

   The keywords "MUST", "SHOULD", and "MAY" used in this document are to
   be interpreted as described in [bradner97].

1.  Introduction

   The ability to securely access (replicate and distribute) directory
   information throughout the network is necessary for successful
   deployment.  LDAP's acceptance as an access protocol for directory
   information is driving the need to provide an access control model
   definition for LDAP directory content among servers within an
   enterprise and the Internet.  Currently LDAP does not define an
   access control model, but one is needed to ensure consistent secure
   access across heterogeneous LDAP implementations.  The requirements
   for access control are critical to the successful deployment and
   acceptance of LDAP in the market place.

   The RFC 2119 terminology is used in this document.

Stokes, et al.               Informational                      [Page 1]
RFC 2820          Access Control Requirements for LDAP          May 2000

2.  Objectives

   The major objective is to provide a simple, but secure, highly
   efficient access control model for LDAP while also providing the
   appropriate flexibility to meet the needs of both the Internet and
   enterprise environments and policies.

   This leads to several general requirements that are
   discussed below.

3.  Requirements

   This section is divided into several areas of requirements: general,
   semantics/policy, usability, and nested groups (an unresolved issue).
   The requirements are not in any priority order.  Examples and
   explanatory text are provided where deemed necessary.  Usability is
   perhaps the one set of requirements that is generally overlooked, but
   must be addressed to provide a secure system. Usability is a security
   issue, not just a nice design goal and requirement. If it is
   impossible to set and manage a policy for a secure situation that a
   human can understand, then what was set up will probably be non-
   secure. We all need to think of usability as a functional security

3.1  General

   G1.  Model SHOULD be general enough to support extensibility to add
   desirable features in the future.

   G2.  When in doubt, safer is better, especially when establishing

   G3.  ACL administration SHOULD be part of the LDAP protocol.  Access
   control information MUST be an LDAP attribute.

   G4.  Object reuse protection SHOULD be provided and MUST NOT inhibit
   implementation of object reuse. The directory SHOULD support policy
   controlling the re-creation of deleted DNs, particularly in cases
   where they are re-created for the purpose of assigning them to a
   subject other than the owner of the deleted DN.

3.2  Semantics / Policy

   S1.  Omitted as redundant; see U8.

   S2.  More specific policies must override less specific ones (e.g.
   individual user entry in ACL SHOULD take precedence over group entry)
   for the evaluation of an ACL.

   S3.  Multiple policies of equal specificity SHOULD be combined in
   some easily-understood way (e.g. union or intersection).  This is
   best understood by example.  Suppose user A belongs to 3 groups and
   those 3 groups are listed on the ACL. Also suppose that the
   permissions for each of those groups are not identical. Each group is
   of equal specificity (e.g. each group is listed on the ACL) and the
   policy for granting user A access (given the example) SHOULD be
   combined in some easily understood way, such as by intersection or
   union.  For example, an intersection policy here may yield a more
   limited access for user A than a union policy.
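
   The following Python example is added here and is not part of RFC
   2820. It evaluates an ACL under S2 (the most specific matching
   entries win) and S3 (entries of equal specificity merged by union or
   intersection). The ACL tuple layout, the subject and permission
   names, and the empty result for an unmatched subject are assumptions.

```python
from functools import reduce

# Constructed sample ACL for one directory entry:
# (subject_kind, subject_name, permissions). The names and permissions
# are illustrative assumptions; RFC 2820 does not define them.
SAMPLE_ACL = [
    ("group", "cn=staff",    {"read", "search"}),
    ("group", "cn=helpdesk", {"read", "search", "write"}),
    ("group", "cn=auditors", {"read", "compare"}),
    ("user",  "uid=b",       {"read", "search"}),
]

# Higher number = more specific subject (S2: user entry beats group entry).
SPECIFICITY = {"group": 1, "user": 2}


def effective_permissions(acl, user, groups, combine="intersection"):
    """Return the permission set granted to `user`, a member of `groups`.

    S2: only the most specific matching entries are considered.
    S3: entries of equal specificity are merged by union or intersection.
    Assumption: a subject matching no entry gets the empty set.
    """
    if combine not in ("union", "intersection"):
        raise ValueError("combine must be 'union' or 'intersection'")
    matches = [
        (SPECIFICITY[kind], frozenset(perms))
        for kind, name, perms in acl
        if (kind == "user" and name == user)
        or (kind == "group" and name in groups)
    ]
    if not matches:
        return frozenset()
    # S2: discard every entry that is less specific than the best match.
    top = max(level for level, _ in matches)
    candidates = [perms for level, perms in matches if level == top]
    # S3: merge the remaining equal-specificity entries.
    op = frozenset.union if combine == "union" else frozenset.intersection
    return reduce(op, candidates)


if __name__ == "__main__":
    groups = {"cn=staff", "cn=helpdesk", "cn=auditors"}
    for who in ("uid=a", "uid=b"):
        for policy in ("union", "intersection"):
            perms = effective_permissions(SAMPLE_ACL, who, groups, policy)
            print(who, policy, sorted(perms))
```

   User A (three group entries) receives four permissions under union
   and one under intersection, while user B's own entry overrides all
   three group entries under either policy.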