directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject [CONF] Apache Directory Server v1.5 > 2.5. Authorization
Date Fri, 18 Jun 2010 16:50:00 GMT
    <base href="">
            <link rel="stylesheet" href="/confluence/s/1810/9/1/_/styles/combined.css?spaceKey=DIRxSRVx11&amp;forWysiwyg=true"
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="">2.5.
    <h4>Page <b>edited</b> by             <a href="">Emmanuel
                         <h4>Changes (1)</h4>
<div id="page-diffs">
            <table class="diff" cellpadding="0" cellspacing="0">
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" > <br>{warning:title=Before you
go any further...} <br></td></tr>
            <tr><td class="diff-changed-lines" >Please don&#39;t go any further
until you have read up on the use of <span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">[Subentries].</span>
<span class="diff-added-words"style="background-color: #dfd;">Subentries.</span>
Knowledge of subentries, subtreeSpecifications, administrative areas, and administrative roles
are required to properly digest the following matterial. <br></td></tr>
            <tr><td class="diff-unchanged" >{warning} <br> <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
</div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
        <style type='text/css'>/*<![CDATA[*/
table.ScrollbarTable  {border: none;padding: 3px;width: 100%;padding: 3px;margin: 0px;background-color:
table.ScrollbarTable td.ScrollbarPrevIcon {text-align: center;width: 16px;border: none;}
table.ScrollbarTable td.ScrollbarPrevName {text-align: left;border: none;}
table.ScrollbarTable td.ScrollbarParent {text-align: center;border: none;}
table.ScrollbarTable td.ScrollbarNextName {text-align: right;border: none;}
table.ScrollbarTable td.ScrollbarNextIcon {text-align: center;width: 16px;border: none;}

/*]]>*/</style><div class="Scrollbar"><table class='ScrollbarTable'><tr><td
class='ScrollbarPrevIcon'><a href="/confluence/display/DIRxSRVx11/2.4.+Writing+a+custom+authenticator"><img
border='0' align='middle' src='/confluence/images/icons/back_16.gif' width='16' height='16'></a></td><td
width='33%' class='ScrollbarPrevName'><a href="/confluence/display/DIRxSRVx11/2.4.+Writing+a+custom+authenticator">2.4.
Writing a custom authenticator</a>&nbsp;</td><td width='33%' class='ScrollbarParent'><sup><a
href="/confluence/pages/viewpage.action?pageId=102458"><img border='0' align='middle'
src='/confluence/images/icons/up_16.gif' width='8' height='8'></a></sup><a
href="/confluence/pages/viewpage.action?pageId=102458">2. Authentication & Authorization</a></td><td
width='33%' class='ScrollbarNextName'>&nbsp;</td></tr></table></div>
<div class='panelMacro'><table class='noteMacro'><colgroup><col width='24'><col></colgroup><tr><td
valign='top'><img src="/confluence/images/icons/emoticons/warning.gif" width="16" height="16"
align="absmiddle" alt="" border="0"></td><td><b>Work in progress</b><br
/>This site is in the process of being reviewed and updated.</td></tr></table></div>

<p>ApacheDS uses an adaptation of the X.500 basic access control scheme in combination
with X.500 subentries to control access to entries and attributes within the DIT. This document
will show you how to enable the basic access control mechanism and how to define access control
information to manage access to protected resources.</p>

<h2><a name="2.5.Authorization-EnablingBasicAccessControls"></a>Enabling
Basic Access Controls</h2>

<p>By default the access control subsystem is turned off. Once enabled everything is
tightly locked down. Only the special admin user, '<b>uid=admin,ou=system</b>',
is not affected by permissions. Access to all operations are denied by default until enabled
using an ACIItem. For this reason enabling basic access controls is a configuration option.

<p>To turn on the basic access control mechanism you need to set the <b>accessControlEnabled</b>
property in the configuration to true. This can be set programatically on the StartupConfiguration
or via the server.xml.</p>

<h2><a name="2.5.Authorization-TypesofACI%28AccessControlInformation%29"></a>Types
of ACI (Access Control Information)</h2>

<p>Three different types of ACI exist. All types use the same specification syntax for
an ACIITem. These types differ in their placement and manner of use within the directory.</p>

<h3><a name="2.5.Authorization-EntryACI"></a>Entry ACI </h3>

<p>Entry ACI are access controls added to entries to protect that entry specifically.
Meaning the protoected entry is the entry where the ACI resides. When performing an operation
on an entry, ApacheDS checks for the presence of the multivalued operational attribute, <b>entryACI</b>.
The values of the entryACI attribute contain ACIItems.</p>

<div class='panelMacro'><table class='noteMacro'><colgroup><col width='24'><col></colgroup><tr><td
valign='top'><img src="/confluence/images/icons/emoticons/warning.gif" width="16" height="16"
align="absmiddle" alt="" border="0"></td><td>There is one exception to the
rule of consulting entryACI attributes within ApacheDS: add operations do not consult the
entryACI within the entry being added. This is a security precaution. If allowed users can
arbitrarily add entries where they wanted by putting entryACI into the new entry being added.
This could comprimise the DSA.</td></tr></table></div>

<h3><a name="2.5.Authorization-PrescriptiveACI"></a>Prescriptive ACI</h3>

<p>Prescriptive ACI are access controls that are applied to a collection of entries,
not just to a single entry. Collections of entries are defined by the subtreeSpecifications
of subentries. Hence prescriptive ACI are added to subentries as attributes and are applied
by ApacheDS to the entries selected by the subentry's subtreeSpecification. ApacheDS uses
the <b>prescriptiveACI</b> multivalued operational attribute within subentries
to contain ACIItems that apply to the entry collection.</p>

<p>Prescriptive ACI can save much effort when trying to control access to a collection
of resources. Prescriptive ACI can even be specified to apply access controls to entries that
do not yet exist within the DIT. They are a very powerful mechanism and for this reason they
are the prefered mechanism for managing access to protected resources. ApacheDS is optimized
specifically for managing access to collections of entries rather than point entries themselves.</p>

<p>Users should try to avoid entry ACIs whenever possible, and use prescriptive ACIs
instead. Entry ACIs are more for managing exceptional cases and should not be used excessively.</p>

<div class='panelMacro'><table class='infoMacro'><colgroup><col width='24'><col></colgroup><tr><td
valign='top'><img src="/confluence/images/icons/emoticons/information.gif" width="16"
height="16" align="absmiddle" alt="" border="0"></td><td><b>How it works!</b><br
/>For every type of LDAP operation ApacheDS checks to see if any access control subentries
include the protected entry in their collection. The set of subentries which include the protected
entry are discovered very rapidly by the subentry subsystem. The subentry subsystem caches
subtreeSpecifications for all subentries within the server so inclusion checks are fast. 

<p>For each access control subentry in the set, ApacheDS checks within a prescriptive
ACI cache for ACI tuples. ApacheDS also caches prescriptive ACI information in a special form
called ACI tuples. This is done so ACIItem parsing and conversion to an optimal representations
for evaluation is not required at access time. This way access based on prescriptive ACIs
is determined very rapidly.</p></td></tr></table></div>

<h3><a name="2.5.Authorization-SubentryACI"></a>Subentry ACI</h3>

<p>Access to subentries also needs to be controlled. Subentries are special in ApacheDS.
Although they subordinate to an administrative entry (entry of an Administrative Point), they
are technically considered to be in the same context as their administrative entry. ApacheDS
considers the perscriptive ACI applied to the administrative entry, to also apply to its subentries.

<p>This however is not the most intuitive mechanism to use for explicitly controlling
access to subentries. A more explicit mechanism is used to specify ACIs specifically for protecting
subentries. ApacheDS uses the multivalued operational attribute, <b>subentryACI</b>,
within administrative entries to control access to immediately subordinate subentries.</p>

<p>Protection policies for ACIs themselves can be managed within the entry of an administrative

<h2><a name="2.5.Authorization-SomeSimpleExamples"></a>Some Simple Examples</h2>

<p>The ACIItem syntax is very expressive and that makes it extremely powerful for specifying
complex access control policies. However the syntax is not very easy to grasp for beginners.
For this reason we start with simple examples that focus on different protection mechanisms
offered by the ACIItem syntax. We do this instead of specifying the grammar which is not the
best way to learn a language.</p>

<div class='panelMacro'><table class='warningMacro'><colgroup><col width='24'><col></colgroup><tr><td
valign='top'><img src="/confluence/images/icons/emoticons/forbidden.gif" width="16"
height="16" align="absmiddle" alt="" border="0"></td><td><b>Before you
go any further...</b><br />Please don't go any further until you have read up
on the use of Subentries. Knowledge of subentries, subtreeSpecifications, administrative areas,
and administrative roles are required to properly digest the following matterial.</td></tr></table></div>

<p>Before going on to these trails you might want to set up an Administrative Area for
managing access control via prescriptiveACI.  Both subentryACI and prescriptiveACI require
the presence of an Administrative Point entry.  For more information and code examples see
<a href="/confluence/display/DIRxSRVx11/ACAreas" title="ACAreas">ACAreas</a>.

<h3><a name="2.5.Authorization-ACITrails"></a>ACI Trails</h3>

<p>Here are some trails that resemble simple HOWTO guides.  They're ordered with the
most pragmatic usage first.  We will add to these trails over time.</p>

<div class='table-wrap'>
<table class='confluenceTable'><tbody>
<th class='confluenceTh'>Trail</th>
<th class='confluenceTh'>Description</th>
<td class='confluenceTd'><a href="/confluence/display/DIRxSRVx11/EnableSearchForAllUsers"
<td class='confluenceTd'>Enabling access to browse and read all entries and their attributes
by authenticated users.</td>
<td class='confluenceTd'>DenySubentryAccess (TBW) </td>
<td class='confluenceTd'> Protecting access to subentries themselves.</td>
<td class='confluenceTd'><a href="/confluence/display/DIRxSRVx11/AllowSelfPasswordModify"
<td class='confluenceTd'>Granting users the rights needed to change their own passwords.</td>
<td class='confluenceTd'>GrantAddDelModToGroup (TBW)</td>
<td class='confluenceTd'>Granting add, delete, and modify permissions to a group of
<td class='confluenceTd'>GrantModToEntry (TBW)</td>
<td class='confluenceTd'>Applying ACI to a single entry.</td>

        <div id="commentsSection" class="wiki-content pageSection">
        <div style="float: right;">
            <a href=""
class="grey">Change Notification Preferences</a>
        <a href="">View
        <a href="">View

View raw message