Access Control Requirements for LDAP

RFC 2820          Access Control Requirements for LDAP          May 2000


2.  Objectives

   The major objective is to provide a simple, but secure, highly
   efficient access control model for LDAP while also providing the
   appropriate flexibility to meet the needs of both the Internet and
   enterprise environments and policies.

   This objective leads to several general requirements, which are
   discussed below.

3.  Requirements

   This section is divided into several areas of requirements: general,
   semantics/policy, usability, and nested groups (an unresolved issue).
   The requirements are not in any priority order.  Examples and
   explanatory text are provided where deemed necessary.  Usability is
   perhaps the one set of requirements that is generally overlooked, but
   it must be addressed to provide a secure system.  Usability is a
   security issue, not just a nice design goal and requirement.  If it is
   impossible to set and manage a policy for a secure situation that a
   human can understand, then what was set up will probably be
   non-secure.  We all need to think of usability as a functional
   security requirement.

3.1  General

   G1.  Model SHOULD be general enough to support extensibility to add
   desirable features in the future.

   G2.  When in doubt, safer is better, especially when establishing
   defaults.

   G3.  ACL administration SHOULD be part of the LDAP protocol.  Access
   control information MUST be an LDAP attribute.

   G4.  Object reuse protection SHOULD be provided and MUST NOT inhibit
   implementation of object reuse. The directory SHOULD support policy
   controlling the re-creation of deleted DNs, particularly in cases
   where they are re-created for the purpose of assigning them to a
   subject other than the owner of the deleted DN.
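   The following is an added illustration of requirement G4, not text or
   code from RFC 2820.  It models a toy directory that remembers deleted
   DNs ("tombstones") and applies a policy before a deleted DN is
   re-created.  The risk it guards against: if some ACL still names the
   deleted DN as a subject, whoever re-creates that DN would inherit the
   old subject's rights.  The store layout, the policy names
   ("same-owner-only", "any-unless-referenced", "never") and the sample
   DNs are assumptions made for the example.

```python
"""Added example for RFC 2820 G4 (not part of the RFC): a directory store
that records deleted DNs and applies a re-creation policy.
Policy names, data layout and sample DNs are assumptions."""

from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class Directory:
    # Re-creation policy (assumed names):
    #   "same-owner-only":       only the owner of the deleted entry may re-create it
    #   "any-unless-referenced": anyone may, unless an ACL still names the DN
    #   "never":                 deleted DNs are never re-created
    recreate_policy: str = "same-owner-only"
    entries: Dict[str, str] = field(default_factory=dict)     # dn -> owner
    tombstones: Dict[str, str] = field(default_factory=dict)  # dn -> last owner
    acl_subjects: Set[str] = field(default_factory=set)       # DNs named in ACLs

    def delete(self, dn: str) -> bool:
        """Remove `dn` but remember who held it (the tombstone)."""
        owner = self.entries.pop(dn, None)
        if owner is None:
            return False
        self.tombstones[dn] = owner
        return True

    def add(self, dn: str, owner: str) -> bool:
        """Create `dn` for `owner`; False if it exists or policy refuses."""
        if dn in self.entries:
            return False
        if dn in self.tombstones:
            if not self._may_recreate(dn, self.tombstones[dn], owner):
                return False
            del self.tombstones[dn]
        self.entries[dn] = owner
        return True

    def _may_recreate(self, dn: str, previous_owner: str, new_owner: str) -> bool:
        if self.recreate_policy == "never":
            return False
        if self.recreate_policy == "same-owner-only":
            return previous_owner == new_owner
        if self.recreate_policy == "any-unless-referenced":
            # Handing the DN to a new owner is only safe when no ACL would
            # still grant that DN the previous holder's rights.
            return previous_owner == new_owner or dn not in self.acl_subjects
        return False  # unknown policy name: G2, safer is better


def demo(policy: str, recreating_owner: str) -> bool:
    """Constructed scenario: an ACL names uid=bob; bob's entry is deleted;
    `recreating_owner` then tries to re-create the same DN."""
    d = Directory(recreate_policy=policy)
    d.acl_subjects.add("uid=bob,o=example")
    d.add("uid=bob,o=example", owner="uid=hr-admin,o=example")
    d.delete("uid=bob,o=example")
    return d.add("uid=bob,o=example", owner=recreating_owner)


if __name__ == "__main__":
    print(demo("same-owner-only", "uid=contractor-admin,o=example"))   # False
    print(demo("same-owner-only", "uid=hr-admin,o=example"))           # True
    print(demo("any-unless-referenced", "uid=contractor-admin,o=example"))  # False
```

   Under the "any-unless-referenced" policy the refusal only applies while
   an ACL still references the DN; once the stale ACL entries are cleaned
   up, the DN can be reused by anyone, which is the trade-off between
   convenience and the object-reuse protection G4 asks for.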

3.2  Semantics / Policy

   S1.  Omitted as redundant; see U8.

   S2.  When evaluating an ACL, more specific policies must override less
   specific ones (e.g. an individual user entry in the ACL SHOULD take
   precedence over a group entry).
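   The following is an added worked example of the S2 rule combined with
   the G2 default ("safer is better"); it is not code from RFC 2820 or any
   LDAP server.  The ACL entry shape, the three subject kinds (user,
   group, anyone) and their specificity ranking, and the sample ACL are
   all assumptions made for the example.

```python
"""Added example for RFC 2820 S2 and G2 (not part of the RFC): a minimal
ACL evaluator in which the most specific matching clause wins and the
absence of a grant, or a conflict at equal specificity, means deny.
Entry shape, subject kinds and sample data are assumptions."""

from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set

# Assumed specificity ranking: a clause naming one user beats a clause
# naming a group the user belongs to, which beats a catch-all clause.
SPECIFICITY = {"anyone": 0, "group": 1, "user": 2}


@dataclass(frozen=True)
class Ace:
    subject_kind: str            # "user", "group" or "anyone"
    subject: Optional[str]       # DN of the user or group; None for "anyone"
    allow: bool                  # True = grant, False = deny
    rights: FrozenSet[str]       # e.g. {"read", "write"}


def evaluate(acl: List[Ace], requester_dn: str,
             requester_groups: Set[str], right: str) -> bool:
    """Return True iff `right` is granted to the requester.

    Only clauses whose subject matches the requester and that mention the
    requested right are considered.  Among those, the most specific
    clause wins (S2).  If no clause applies, or the most specific clauses
    disagree, the answer is deny (G2: safer is better).
    """
    best_rank = -1
    decisions: Set[bool] = set()
    for ace in acl:
        if right not in ace.rights:
            continue
        if ace.subject_kind == "user" and ace.subject != requester_dn:
            continue
        if ace.subject_kind == "group" and ace.subject not in requester_groups:
            continue
        rank = SPECIFICITY[ace.subject_kind]
        if rank > best_rank:
            best_rank, decisions = rank, {ace.allow}
        elif rank == best_rank:
            decisions.add(ace.allow)
    # Empty set (nothing applied) or {True, False} (conflict) both deny.
    return decisions == {True}


# Constructed sample ACL: everyone may read, staff may also write, but one
# staff member is explicitly denied write.
SAMPLE_ACL = [
    Ace("anyone", None, True, frozenset({"read"})),
    Ace("group", "cn=staff,o=example", True, frozenset({"read", "write"})),
    Ace("user", "uid=bob,o=example", False, frozenset({"write"})),
]

if __name__ == "__main__":
    staff = {"cn=staff,o=example"}
    print(evaluate(SAMPLE_ACL, "uid=bob,o=example", staff, "write"))    # False
    print(evaluate(SAMPLE_ACL, "uid=alice,o=example", staff, "write"))  # True
    print(evaluate(SAMPLE_ACL, "uid=guest,o=example", set(), "write"))  # False
    print(evaluate(SAMPLE_ACL, "uid=guest,o=example", set(), "read"))   # True
```

   Note that the user-level deny for bob wins over the group-level grant
   even though the group clause appears earlier in the list: under S2 the
   ordering that matters is specificity, not position in the ACL.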



Stokes, et al.               Informational