Skip to main content
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [higgins-dev] LDAP Servers used with JNDI CP
Right...and one of the problem I found that automatic conversion from whatever the access control model that vendors had to a standard model was often impossible.  I know this because we tried to build automatic access control converters. Most were impossible.   This means that for existing deployments there can be no automatic upgrade.

BTW...I joined the OpenGroup DIF a little after that (Winston was chair) and they were still dealing with the aftermath.

XACML on the other hand, bringing forward fine-grained-authorization and greater privacy support may be important enough to make customers willing to bear the pain.  That said, even if the old access controls can't be converted, layering XACML on top as another layer wouldn't be bad either.

Phil Hunt
Oracle

On 30-Jan-08, at 4:25 PM, Jim Sermersheim wrote:

I'm one of the people who failed to standardize on an access control model for LDAP.  A number of us (Ellen Stokes, Ed Reed, Bob Blakely, Steven Legg, Kurt Z. etc.) worked on this for a span of about three years, and we never went anywhere but in circles.  The circles weren't even concentric, and I'm not sure they even quite met at the ends.  Steven Legg finally adapted the X.500 access control admin model to LDAP.  The problem is, like replication, everyone has already done it in their own standard way, and it's hard to make the old, hard-coded stuff work along side new standardized stuff.

Even if people felt like it was a good idea, I'm not sure how many vendors are willing to spent the $ to rev.  My feeling is that we *have* to implement authZ at the IdAS or higher layer because there will always be some CP's backing store that doesn't authZ the way we want.

Jim

>>> Phil Hunt <phil.hunt@xxxxxxxxxx> 01/30/08 3:32 PM >>>
Having proxied just about every LDAP server on the planet, support is 
very inconsistent indeed. Even if an LDAP server supports ProxyDN, 
it's application to access control may vary as well.  Part of the 
problem with LDAP is that access control itself was never standardized.

Somehow there needs to be a do-over on this one.  Maybe privacy is 
enough of an impetus to revise or replace ProxyDN and rejuvenate 
interest in it. My thought is we need a control to take on broader 
transaction metadata - only part of which could be application and 
subject credentials.

The second requirement is to propose XACML (or a profile of XACML 
like AAPML) be optionally supported in LDAP.  This is the policy 
engine that would consume the metadata mentioned above and brings 
some level of consistency of expectation for what happens from the 
perspective of policy.

Phil Hunt
Oracle


On 30-Jan-08, at 1:05 PM, Tom Doman wrote:

> All,
>
> Which LDAP Servers have you used behind the JNDI Context Provider?  
> Does it support RFC 4370, the proxy authorization control?
>
> Me:
>
> Novell eDirectory, no.
> Test LDAP Utility, no.
>
> Thanks,
> Tom
>
>
> _______________________________________________
> higgins-dev mailing list
> higgins-dev@xxxxxxxxxxx
> https://dev.eclipse.org/mailman/listinfo/higgins-dev

_______________________________________________
higgins-dev mailing list
higgins-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/higgins-dev
_______________________________________________
higgins-dev mailing list

Back to the top