Author: buildbot Date: Wed Dec 19 04:46:47 2012 New Revision: 843049 Log: Staging update by buildbot for directory Added: websites/staging/directory/trunk/content/apacheds/advanced-ug/4-authentication-and-authorization.html websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5-authorization.html websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.1-introduction.html websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.10-aci-grammar.html websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.11-links-and-references.html websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.2-definitions.html websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.3-enabling-access-control.html websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.4-aci-types.html websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.4.1-entryaci.html websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.4.2-prescriptiveaci.html websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.4.3-subentryaci.html websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.5-aci-elements.html websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.5.1-userclasses.html websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.5.2-protecteditems.html websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.5.3-permissions.html websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.5.4-subtrees.html websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.6-the-acdf-engine.html websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.6.1-how-it-works.html websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.6.2-selections.html websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.6.3-constraints.html websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.6.4-priority.html 
websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.7-using-acis-trail.html websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.7.1-enable-authenticated-users-to-browse-and-read-entries.html websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.8-acis-administration.html websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.9-migration-from-other-ldap-servers.html Modified: websites/staging/directory/trunk/content/ (props changed) websites/staging/directory/trunk/content/apacheds/advanced-ug/3-admin-model.html Propchange: websites/staging/directory/trunk/content/ ------------------------------------------------------------------------------ --- cms:source-revision (original) +++ cms:source-revision Wed Dec 19 04:46:47 2012 @@ -1 +1 @@ -1423751 +1423760 Modified: websites/staging/directory/trunk/content/apacheds/advanced-ug/3-admin-model.html ============================================================================== --- websites/staging/directory/trunk/content/apacheds/advanced-ug/3-admin-model.html (original) +++ websites/staging/directory/trunk/content/apacheds/advanced-ug/3-admin-model.html Wed Dec 19 04:46:47 2012 @@ -119,7 +119,7 @@
@@ -190,7 +190,7 @@
Added: websites/staging/directory/trunk/content/apacheds/advanced-ug/4-authentication-and-authorization.html ============================================================================== --- websites/staging/directory/trunk/content/apacheds/advanced-ug/4-authentication-and-authorization.html (added) +++ websites/staging/directory/trunk/content/apacheds/advanced-ug/4-authentication-and-authorization.html Wed Dec 19 04:46:47 2012 @@ -0,0 +1,164 @@ + + + + + 4 - Authentication & Authorization — Apache Directory + + + + + + +
+ +
+
+ + + +
+
+ + + + + +

4 - Authentication and Authorization

+

Chapter content

+ + + + + + +
+
+
+ +
+ + \ No newline at end of file Added: websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5-authorization.html ============================================================================== --- websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5-authorization.html (added) +++ websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5-authorization.html Wed Dec 19 04:46:47 2012 @@ -0,0 +1,212 @@ + + + + + 4.5. Authorization — Apache Directory + + + + + + +
+ +
+
+ + + +
+
+ + + + + +

{scrollbar}

+

ApacheDS uses an adaptation of the X.500 basic access control scheme in +combination with X.500 subentries to control access to entries and +attributes within the DIT. This document will show you how to enable the +basic access control mechanism and how to define access control information +to manage access to protected resources.

+

Chapter content

+ +

Some Simple Examples

+

The ACIItem syntax is very expressive and that makes it extremely powerful +for specifying complex access control policies. However the syntax is not +very easy to grasp for beginners. For this reason we start with simple +examples that focus on different protection mechanisms offered by the +ACIItem syntax. We do this instead of specifying the grammar which is not +the best way to learn a language.

+

{warning:title=Before you go any further...} +Please don't go any further until you have read up on the use of +Subentries. Knowledge of subentries, subtreeSpecifications, administrative +areas, and administrative roles are required to properly digest the +following material. +{warning}

+

Before going on to these trails you might want to set up an Administrative +Area for managing access control via prescriptiveACI. Both subentryACI and +prescriptiveACI require the presence of an Administrative Point entry. For +more information and code examples see ACAreas +.

+

ACI Trails

+

Here are some trails that resemble simple HOWTO guides. They're ordered +with the most pragmatic usage first. We will add to these trails over +time.

+ + + + + + + + + + + + + +
+ + + + + \ No newline at end of file Added: websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.1-introduction.html ============================================================================== --- websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.1-introduction.html (added) +++ websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.1-introduction.html Wed Dec 19 04:46:47 2012 @@ -0,0 +1,180 @@ + + + + + 4.5.1 Introduction — Apache Directory + + + + + + +
+ +
+
+ + + +
+
+ + + + + +

First of all, one has to understand that Authorization in this context +involves four components. The principle is :

+

{panel} grants Users authorization to proceed some Action on a set of +Items in a defined Area{panel}

+

Let's define the four components.

+

Users : +bq. the set of entity being able to do some action. It can be every user, +the entry owner, a list of users, members of a group or a selection in the +DIT. Basically, a user is defined as an entry in the DIT.

+

Action : +bq. Generally speaking, a grant or denial to do something, depending on the +selected item (read, delete, etc).

+

Items : +bq. An item is an element of the DIT. It can be an Entry, an +AttributeType, some AttributeValues. It can also define some constraints +that will apply on the selected entries.

+

Area : +bq.It defines the set of entries on which the defined ACI applies. It can +be the whole DIT, a part of the DIT, a selection of entries, an Entry.

+

We implement those elements using ACIs.

+

The following chapters will present you the system inside out.

+ + + + + +
+
+
+ +
+ + \ No newline at end of file Added: websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.10-aci-grammar.html ============================================================================== --- websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.10-aci-grammar.html (added) +++ websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.10-aci-grammar.html Wed Dec 19 04:46:47 2012 @@ -0,0 +1,373 @@ + + + + + 4.5.10 ACI grammar — Apache Directory + + + + + + +
+ +
+
+ + + +
+
+ + + +

{scrollbar}

+

The ACI attributes store data following a specific structure, which is +define by this grammar :

+

{newcode:title=ACI grammar|linenumbers=true|lang=xml} + ::= '{' + '}' EOF

+

::= ',' + | e

+

** Note : we have to allow only one of each option + ::= + "identificationTag" SAFEUTF8STRING + | "precedence" INTEGER + | "authenticationLevel" + | "itemOrUserFirst"

+

::= "none" | "simple" | "strong"

+

::= + "itemFirst" ':' '{' +'}' + | + "userFirst" ':' '{' +'}'

+

::= + "protectedItems" '{' '}' + ',' '{' + '}' + | + "itemPermissions" '{' '}' + ',' "protectedItems" '{' + '}'

+

::= + "userClasses" '{' '}' ',' + '{' + '}' + | + "userPermissions" '{' '}' + ',' + "userClasses" '{' + '}'

+ ::= | e + + ::= ',' | e + + ::= + "entry" + | "allUserAttributeTypes" + | "attributeType" '{' '}' + | "allAttributeValues" '{' '}' + | "allUserAttributeTypesAndValues" + | ATTRIBUTE_VALUE_CANDIDATE + | "selfValue" '{' '}' + | RANGE_OF_VALUES_CANDIDATE + | "maxValueCount" '{' '{' '}' + '}' + | "maxImmSub" INTEGER + | "restrictedBy" '{' '{' '}' + '}' + | "classes" + + ::= ',' '{' '}' + | e + + ::= + "type" ',' "maxCount" +INTEGER + | + "maxCount" INTEGER ',' "type" + + + ::= ',' '{' '}' + | e + + ::= + "type" ',' "valuesIn" + | + "valuesIn" ',' "type" + + ::= ',' | e + + ::= '{' + '}' | e + + ::= + ',' '{' + '}' | e + + ::= ',' + | e + + : + "precedence" + | "userClasses" '{' '}' + | "grantsAndDenials" '{' '}' + + ::= | e + + ::= ',' + + : + "grantAdd" + | "denyAdd" + | "grantDiscloseOnError" + | "denyDiscloseOnError" + | "grantRead" + | "denyRead" + | "grantRemove" + | "denyRemove" + | "grantBrowse" + | "denyBrowse" + | "grantExport" + | "denyExport" + | "grantImport" + | "denyImport" + | "grantModify" + | "denyModify" + | "grantRename" + | "denyRename" + | "grantReturnDN" + | "denyReturnDN" + | "grantCompare" + | "denyCompare" + | "grantFilterMatch" + | "denyFilterMatch" + | "grantInvoke" + | "denyInvoke" + + ::= | e + + ::= ',' | e + + : + "allUsers" + | "thisEntry" + | "parentOfEntry" + | "name" '{' '}' + | "userGroup" '{' +'}' + | "subtree" '{' '{' +'}' '}' + + ::= ',' | e + + ::= ',' | e + + ::= ',' '{' '}' + | e + + ::= '{' + '}' | e + + ::= + ',' '{' + '}' | e + + ::= ',' + | e + + : + "precedence" + | "protectedItems" '{' '}' + | "grantsAndDenials" '{' '}' + + ::= + | e + ::= ',' + | e + + : + "base" + | "specificExclusions" '{' '}' + | "minimum" INTEGER + | "maximum" INTEGER + + ::= | e + + ::= ',' + | e + + ::= + "chopBefore" ':' + | + "chopAfter" ':' + + ::= + "item" ':' + | + "and" ':' '{' '}' + | + "or" ':' '{' '}' + | + "not" ':' '{' '}' + + ::= | e + + ::= ',' | e + + ::= SAFEUTF8STRING + + ::= DESCR | NUMERICOID + +SAFEUTF8CHAR : + 
'\u0001'..'\u0021' | + '\u0023'..'\u007F' | + '\u00c0'..'\u00d6' | + '\u00d8'..'\u00f6' | + '\u00f8'..'\u00ff' | + '\u0100'..'\u1fff' | + '\u3040'..'\u318f' | + '\u3300'..'\u337f' | + '\u3400'..'\u3d2d' | + '\u4e00'..'\u9fff' | + '\uf900'..'\ufaff' ; + + ::= + ::= | e + ::= ' ' | '\t' | '\n' | '\r' ; + +ALPHA : 'A'..'Z' | 'a'..'z' ; + + ::= | + ::= '0' | ; + ::= '1'..'9' ; + ::= | e + +HYPHEN : '-' ; + +NUMERICOID : INTEGER ( DOT INTEGER )+ ; + +DOT : '.' ; + +INTEGER_OR_NUMERICOID + : + ( INTEGER DOT ) => NUMERICOID + | + INTEGER + +SAFEUTF8STRING : '"'! ( SAFEUTF8CHAR )* '"'! ; + +DESCR + : + ( "attributeValue" ( SP! )+ '{' ) => + "attributeValue"! ( SP! )+ '{'! ( options : . )* '}'! + | ( "rangeOfValues" ( SP! )+ '(' ) => + "rangeOfValues"! ( SP! )+ FILTER + | ALPHA ( ALPHA | DIGIT | HYPHEN )* + ; + +FILTER : '(' ( ( '&' (SP)* (FILTER)+ ) | ( '|' (SP)* (FILTER)+ ) | ( '!' +(SP)* FILTER ) | FILTER_VALUE ) ')' (SP)* ; + +FILTER_VALUE : (options: ~( ')' | '(' | '&' | '|' | '!' ) ( ~(')') )* ) ; + +{newcode} + + + +
+
+
+ +
+ + \ No newline at end of file Added: websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.11-links-and-references.html ============================================================================== --- websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.11-links-and-references.html (added) +++ websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.11-links-and-references.html Wed Dec 19 04:46:47 2012 @@ -0,0 +1,129 @@ + + + + + 4.5.11 Links and references — Apache Directory + + + + + + +
+ +
+
+ + + +
+
+ + + +

{scrollbar}

+

The Apache Directory Server authorization system is based on the X.500 +specifications. Those documents are available on X.500 freely available specifications +, and more specifically [X.501|http://www.itu.int/rec/T-REC-X.501-200811-I!Cor2/dologin.asp?lang=e&id=T-REC-X.501-200811-I!Cor2!PDF-E&type=items] +.

+

Some more 'user friendly' documentation about Access Control can be found +in Chadwick's book, available at X.500 book +, chapter 8.

+ + + +
+
+
+ +
+ + \ No newline at end of file Added: websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.2-definitions.html ============================================================================== --- websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.2-definitions.html (added) +++ websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.2-definitions.html Wed Dec 19 04:46:47 2012 @@ -0,0 +1,175 @@ + + + + + 4.5.2 Definitions — Apache Directory + + + + + + +
+ +
+
+ + + +
+
+ + + + + +

ACI : +bq. Access Control Information. The set of all the information which might +be relevant to an access control decision for a given subject.

+

ACDF : +bq. Access Control Decision Function. It is the function used to decide +whether a particular subject has a particular access right by virtue of +applicable ACI items.

+

protected item : +bq. A protected item is the element of directory information being +accessed. The protected items are entries, attributes, attribute values +and distinguished names. Access to each protected item can be separately +controlled through ACI.

+

subject : +bq. The entity acting on the server. It can be a person, a program, ... It +aggregates the identity and the security related attributes (passwords, +ceritifcates...) for this entity.

+ + + + + +
+
+
+ +
+ + \ No newline at end of file Added: websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.3-enabling-access-control.html ============================================================================== --- websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.3-enabling-access-control.html (added) +++ websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.3-enabling-access-control.html Wed Dec 19 04:46:47 2012 @@ -0,0 +1,161 @@ + + + + + 4.5.3 Enabling Access Control — Apache Directory + + + + + + +
+ +
+
+ + + +
+
+ + + + + +

Title: 4.5.3 Enabling Access Control +{scrollbar}

+ + + + + +
+
+
+ +
+ + \ No newline at end of file Added: websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.4-aci-types.html ============================================================================== --- websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.4-aci-types.html (added) +++ websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.4-aci-types.html Wed Dec 19 04:46:47 2012 @@ -0,0 +1,168 @@ + + + + + 4.5.4 ACI types — Apache Directory + + + + + + +
+ +
+
+ + + +
+
+ + + + + +

Three different types of ACI exist. All types use the same specification +syntax for an ACIITem. These types differ in their placement and manner of +use within the directory.

+

Chapter content

+ + + + + + +
+
+
+ +
+ + \ No newline at end of file Added: websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.4.1-entryaci.html ============================================================================== --- websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.4.1-entryaci.html (added) +++ websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.4.1-entryaci.html Wed Dec 19 04:46:47 2012 @@ -0,0 +1,171 @@ + + + + + 4.5.4.1 EntryACI — Apache Directory + + + + + + +
+ +
+
+ + + +
+
+ + + + + +

Entry ACI are access controls added to entries to protect that entry +specifically. Meaning the protected entry is the entry where the ACI +resides. When performing an operation on an entry, ApacheDS checks for the +presence of the multivalued operational attribute, entryACI. The values +of the entryACI attribute contain ACIItems.

+

{note}

+

There is one exception to the rule of consulting entryACI attributes within +ApacheDS: add operations do not consult the entryACI within the entry being +added. This is a security precaution. (??? Check this sentence) If allowed +users can arbitrarily add entries where they wanted by putting entryACI +into the new entry being added. This could compromise the DSA. +{note}

+ + + + + +
+
+
+ +
+ + \ No newline at end of file Added: websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.4.2-prescriptiveaci.html ============================================================================== --- websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.4.2-prescriptiveaci.html (added) +++ websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.4.2-prescriptiveaci.html Wed Dec 19 04:46:47 2012 @@ -0,0 +1,190 @@ + + + + + 4.5.4.2 PrescriptiveACI — Apache Directory + + + + + + +
+ +
+
+ + + +
+
+ + + + + +

Prescriptive ACI are access controls that are applied to a collection of +entries, not just to a single entry. Collections of entries are defined by +the subtreeSpecifications of subentries. Hence prescriptive ACI are added +to subentries as attributes and are applied by ApacheDS to the entries +selected by the subentry's subtreeSpecification. ApacheDS uses the +prescriptiveACI multivalued operational attribute within subentries to +contain ACIItems that apply to the entry collection.

+

Prescriptive ACI can save much effort when trying to control access to a +collection of resources. Prescriptive ACI can even be specified to apply +access controls to entries that do not yet exist within the DIT. They are a +very powerful mechanism and for this reason they are the preferred +mechanism for managing access to protected resources. ApacheDS is optimized +specifically for managing access to collections of entries rather than +point entries themselves.

+

Users should try to avoid entry ACIs whenever possible, and use +prescriptive ACIs instead. Entry ACIs are more for managing exceptional +cases and should not be used excessively.

+

{info:title=How it works!} +For every type of LDAP operation, ApacheDS checks to see if any access +control subentries include the protected entry in their collection. The set +of subentries which include the protected entry are discovered very rapidly +by the subentry subsystem. The subentry subsystem caches +subtreeSpecifications for all subentries within the server so inclusion +checks are fast.

+

For each access control subentry in the set, ApacheDS checks within a +prescriptive ACI cache for ACI tuples. ApacheDS also caches prescriptive +ACI information in a special form called ACI tuples. This is done so +ACIItem parsing and conversion to an optimal representations for evaluation +is not required at access time. This way access based on prescriptive ACIs +is determined very rapidly. +{info}

+ + + + + +
+
+
+ +
+ + \ No newline at end of file
TrailDescription
[EnableSearchForAllUsers](enablesearchforallusers.html) +Enabling access to browse and read all entries and their attributes by +authenticated users.
DenySubentryAccess (TBW) Protecting access to subentries themselves.
[AllowSelfPasswordModify](allowselfpasswordmodify.html) +Granting users the rights needed to change their own passwords.
GrantAddDelModToGroup (TBW)Granting add, delete, and modify permissions +to a group of users.
GrantModToEntry (TBW)Applying ACI to a single entry.
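Review bot: in the 4.5-authorization.html hunk the Confluence macros `{scrollbar}`, `{warning:title=Before you go any further...}` and `{warning}` are emitted as literal text, so the staged page prints the macro names instead of rendering a warning box; drop the scrollbar macro and rewrite the warning in whatever admonition markup the CMS renders. In the same hunk, "For more information and code examples see ACAreas ." has a stray space before the period where a link to the Administrative Areas page was evidently meant to be, and three rows of the ACI Trails table (DenySubentryAccess, GrantAddDelModToGroup, GrantModToEntry) carry "(TBW)" with no target page; either link them or state that those trails are not written yet so readers do not look for pages that do not exist.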
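Review bot: in the 4.5.1-introduction.html hunk the principle quoted inside the panel has no subject: it reads "grants Users authorization to proceed some Action on a set of Items in a defined Area", and should read something like "An ACI grants Users authorization to perform some Action on a set of Items in a defined Area" (the page's own closing sentence says these elements are implemented using ACIs). The `{panel}` macros and the `bq.` prefixes on the four definitions are unconverted Confluence markup and will print literally; convert them to block quotes or a definition list. Minor: "the set of entity being able to do some action" should be "the set of entities able to perform some action".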
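Review bot: in the 4.5.10-aci-grammar.html hunk every production has lost its left-hand side and its non-terminal references (the entry point reads `::= '{' '}' EOF`, the item rule reads `"attributeType" '{' '}'`, and `"authenticationLevel"` is followed by nothing), which leaves the grammar unreadable; if the source writes non-terminals in angle brackets they must be escaped as `&lt;name&gt;` or placed in a block the CMS treats as literal text, because browsers silently drop unknown tags. The enclosing `{newcode:title=ACI grammar|linenumbers=true|lang=xml}` and `{newcode}` macros are also emitted as text, `lang=xml` is the wrong highlighter for a BNF grammar, and the line "** Note : we have to allow only one of each option" is a developer remark that belongs in a comment outside the published grammar.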
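Review bot: in the 4.5.11-links-and-references.html hunk the X.501 reference uses Confluence link syntax, `[X.501|http://www.itu.int/rec/...dologin.asp?...]`, which the CMS does not convert, so the brackets and bar are shown literally and there is no working link; rewrite it in the site's link syntax. The URL also points at an ITU `dologin.asp` page, so readers without an ITU account land on a sign-in form; link the recommendation's public landing page instead. `{scrollbar}` is again emitted as text.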
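Review bot: in the 4.5.2-definitions.html hunk "ceritifcates" in the definition of subject should be "certificates", and the `bq.` prefixes on all four definitions are unconverted Confluence block-quote markup that prints literally; convert them to the CMS's block-quote or definition-list form.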
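Review bot: in the 4.5.3-enabling-access-control.html hunk the rendered body consists of the line "Title: 4.5.3 Enabling Access Control" followed by `{scrollbar}` and nothing else; the `Title:` metadata line has leaked into the page body, which means the metadata block is not being recognised (check that it sits at the top of the source and is separated from the content by a blank line), and the page has no content even though 4.5-authorization.html promises that "This document will show you how to enable the basic access control mechanism". Either add the enabling procedure or mark the page as to be written rather than staging it empty.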
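Review bot: in the 4.5.4-aci-types.html hunk "ACIITem" should be "ACIItem", the spelling used in 4.5 and 4.5.4.1; the sentence "All types use the same specification syntax for an ACIITem. These types differ in their placement and manner of use within the directory." reads more clearly as "All three types share the ACIItem syntax and differ only in where they are placed and how they are applied within the directory."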
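Review bot: in the 4.5.4.1-entryaci.html hunk the editorial marker "(??? Check this sentence)" is being staged into the published page; resolve it before the page goes live. The sentence it flags, "If allowed users can arbitrarily add entries where they wanted by putting entryACI into the new entry being added", is garbled; the point consistent with the preceding sentence is that if the add operation consulted the entryACI carried inside the entry being added, any user could grant themselves add rights simply by including a permissive entryACI in the new entry, which is why ApacheDS does not consult it. The `{note}` macro pair is also emitted as text, and the opening `{note}` is separated from its body by a paragraph break, so even after conversion the admonition would render empty; keep the macro and its text in one block.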
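Review bot: in the 4.5.4.2-prescriptiveaci.html hunk the `{info:title=How it works!}` and `{info}` macros are emitted as literal text, so the "How it works" box renders as plain paragraphs with stray macro names; convert it to the CMS's info-box markup. Minor wording inside the box: "so ACIItem parsing and conversion to an optimal representations for evaluation is not required" should be "so ACIItem parsing and conversion to an optimal representation for evaluation are not required at access time".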