Access Control
The DirX Directory access control mechanism is the basis for distinguishing whether certificates are stored publicly readable (“abrufbar”) or not (“nur nachprüfbar”).
Certificates are stored as attributes of directory entries. For each entry, the X.500 access control allows for defining WHO is allowed to perform WHAT kind of operation on WHICH data, where:
- WHO is the authenticated entity that performed the bind operation; for example, the user with a specific DN or the anonymous user.
- WHAT is the LDAP operation performed on the data; for example, a read or a modify operation.
- WHICH data is the target of the operation, which is always an entry with an attribute set; for example, read entry with a specific DN with the attributes “Certificate” and “email”.
DirX Directory supports multiple ways to specify the access control:
- Access control subentries holding Prescriptive-ACI attributes with access rules that apply for all entries in a particular subtree or a specific area of a particular subtree.
- Access control subentries holding Prescriptive-ACI attributes with access rules that apply for all entries within a subtree that fulfill a particular ObjectClass filter condition (Specification Filter, SF).
- Entry-ACI attributes stored at each individual entry with access rules that apply for this particular entry only (EACI).
The following sections describe how to apply the second method (SF), because this option has the following advantages for a CSP:
- An LDAP application - for example, the CSP frontend/portal application - can easily read and parse the objectClass value. These values are handled in LDAP as simple strings. The application can use an administrative account to bind to the directory and then operate on behalf of some “normal” user. The objectClass value specifies whether or not the normal user is allowed to access the certificate.
- A simple modify operation (over LDAP) replacing an objectClass value is used to change the state of a certificate (for example, from “abrufbar” to “nur nachprüfbar”). It does not require moving the entry into another subtree or modifying the (rather complex) EACI.
Defining the objectClasses
The objectClass value serves two purposes:
- It triggers the access control and thereby protects the certificate from unauthorized access.
- It contains the status with respect to access control in an LDAP-readable format.
The best way to modify the schema is to load an LDIF change file with the dirxload command. The following excerpt of an LDIF change file creates the schema extension with the two auxiliary objectClass values OcPublic and OcRestricted for use within the access control on certificate attributes. They specify whether "normal" users can read ("abrufbar") (objectClass OcPublic) or just compare ("nur nachprüfbar") (objectClass OcRestricted) certificates:
dn: cn=schema
changetype: modify
add: objectClasses
objectClasses: (1.3.12.2.1107.1.3.6.201 NAME 'OcPublic' DESC 'This object class marks certificates as abrufbar' SUP top AUXILIARY)
objectClasses: (1.3.12.2.1107.1.3.6.202 NAME 'OcRestricted' DESC 'This object class marks certificates as nur nachpruefbar' SUP top AUXILIARY)
Creating Access Control Subentries
To separate certificates into publicly-readable and comparison-only categories, access control subentries must be added to the root entry of the subtree to apply these rules. Then the auxiliary objectClass OcPublic or OcRestricted of each entry in this subtree determines access to the certificate attributes. Access control subentries are added with the dirxcp command over DAP. In the following example, two access control subentries are added to the subtree root entry o=my-company:
- cn=AC-restricted
  This subentry specifies that:
  - Only the certificate administrator /O=My-Company/OU=admins/CN=cert-adm can modify the certificate value and status.
  - “Normal” users can only compare (“nur nachprüfbar”) certificates of entries with the auxiliary objectClass OcRestricted.
- cn=AC-public
  This subentry specifies that:
  - Only the certificate administrator /O=My-Company/OU=admins/CN=cert-adm can modify the certificate value and status.
  - “Normal” users can read (“abrufbar”) certificates of entries with the auxiliary objectClass OcPublic.
create "O=My-Company/CN=AC-restricted" -attr \
  {OCL=SUBE;ACS} \
  {SS={BAS={/},SF={ITEM=OcRestricted}}} \
  {PACI={ID=certAdmin - enable Cert Modification and Read,
         PR=255,
         AL={BL={L=STRONG}},
         UF={UC={N={DN={/O=My-Company/OU=Admins/CN=certAdmin}}},
         UP={PI={E=TRUE},
             GAD=grantDiscloseOnError+grantRead+grantBrowse+grantReturnDN+grantExport+grantImport+grantModify};
            {PI={AUATV=TRUE},
             GAD=grantRead+grantCompare+grantFilterMatch+grantAdd+grantModify+grantRemove};
            }
        };
        {ID=Public Access: enable Cert compare - disable Cert Read,
         PR=0,
         AL={BL={L=NONE}},
         UF={UC={AU=TRUE},
         UP={PI={E=TRUE},
             GAD=grantDiscloseOnError+grantRead+grantBrowse+grantReturnDN};
            {PI={AUATV=TRUE},
             GAD=grantRead+grantCompare+grantFilterMatch};
            {PR=53,
             PI={AT=UC;CRL;ARL;DRL},
             GAD=denyRead+grantCompare+grantFilterMatch}
            }
        }
  }
create "O=My-Company/CN=AC-public" -attr \
  {OCL=SUBE;ACS} \
  {SS={BAS={/},SF={ITEM=OcPublic}}} \
  {PACI={ID=certAdmin - enable Cert Modification and Read,
         PR=255,
         AL={BL={L=STRONG}},
         UF={UC={N={DN={/O=My-Company/OU=Admins/CN=certAdmin}}},
         UP={PI={E=TRUE},
             GAD=grantDiscloseOnError+grantRead+grantBrowse+grantReturnDN+grantExport+grantImport+grantModify};
            {PI={AUATV=TRUE},
             GAD=grantRead+grantCompare+grantFilterMatch+grantAdd+grantModify+grantRemove};
            }
        };
        {ID=Public Access: enable Cert Read,
         PR=0,
         AL={BL={L=NONE}},
         UF={UC={AU=TRUE},
         UP={PI={E=TRUE},
             GAD=grantDiscloseOnError+grantRead+grantBrowse+grantReturnDN};
            {PI={AUATV=TRUE},
             GAD=grantRead+grantCompare+grantFilterMatch};
            {PR=53,
             PI={AT=UC;CRL;ARL;DRL},
             GAD=grantRead+grantCompare+grantFilterMatch}
            }
        }
  }
Both access control subentries have two PACI attributes: the first (ID=certAdmin ...) grants the certificate administrator, bound with STRONG authentication, read and modify rights on the entry and its attribute values at precedence 255; the second (ID=Public Access ...) grants all users (AU=TRUE, authentication level NONE) read access to the entry and its attributes at precedence 0, but at precedence 53 denies (AC-restricted) or grants (AC-public) read access to the certificate attribute types (AT=UC;CRL;ARL;DRL) while still granting compare and filter match on them.
According to the X.500 specifications, access is denied by default if there is no explicit grant. As a result, there must be a general access control subentry that rules the access control on the entire subtree without depending on objectClasses. This subentry typically includes access rights for administrators.
Changing Certificate Access Status
The certificate of an entry is made publicly readable by adding the auxiliary objectClass value OcPublic. The following dirxcp command is an example of how to change the access state using LDAP:
dirxcp> modify CN=user1,OU=Users,O=My-Company \
-add objectClass=OcPublic
After performing this command, the userCertificate attribute of entry cn=user1 is publicly readable.
The command to change the state of an entry's certificate from “abrufbar” to “nur nachprüfbar” looks like the following example:
dirxcp> modify CN=user1,OU=Users,O=My-Company \
-rem objectClass=OcPublic \
-add objectClass=OcRestricted
After performing this command, the userCertificate attribute of entry CN=user1 can no longer be read by users other than CN=certAdmin.
The commands only execute successfully after the user CN=certAdmin,OU=Admins,O=My-Company has performed the bind operation using STRONG authentication; that is, a bind operation over LDAP with the options -sasl and -mechanism EXTERNAL.
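To make the effect of the two subentries and of the status change concrete, the following is an added Python model (not DirX code and not the server's own BAC evaluator) that encodes the PACI items above as data and applies the X.500 rules the note describes: the highest-precedence applicable item wins, deny beats grant at equal precedence, and no grant means deny. It assumes the page's abbreviations UC, CRL, ARL and DRL as attribute names, leaves out the entry-level items (PI={E=TRUE}), and uses the DN /O=My-Company/OU=Admins/CN=certAdmin from the subentries.

```python
# Added illustration (not DirX code): a toy model of the access decisions
# produced by the AC-restricted / AC-public subentries above.
from collections import namedtuple

# Attribute types named by the PR=53 items (AT=UC;CRL;ARL;DRL on the page).
CERT_ATTRS = frozenset({"UC", "CRL", "ARL", "DRL"})
CERT_ADMIN = "/O=My-Company/OU=Admins/CN=certAdmin"
AUTH_RANK = {"NONE": 0, "SIMPLE": 1, "STRONG": 2}

# precedence=PR, grant=grant.../deny..., ops=operations named, attrs=None means
# all attribute values (AUATV=TRUE), user=None means all users (AU=TRUE), auth=AL level.
Rule = namedtuple("Rule", "precedence grant ops attrs user auth")

# One Rule per relevant item of each PACI; entry-level items (PI={E=TRUE}) are left out.
ADMIN = (Rule(255, True, frozenset({"read", "compare", "add", "modify", "remove"}),
              None, CERT_ADMIN, "STRONG"),)
ANY_USER = (Rule(0, True, frozenset({"read", "compare"}), None, None, "NONE"),)
RESTRICTED = ADMIN + ANY_USER + (
    Rule(53, False, frozenset({"read"}), CERT_ATTRS, None, "NONE"),    # denyRead
    Rule(53, True, frozenset({"compare"}), CERT_ATTRS, None, "NONE"))  # grantCompare
PUBLIC = ADMIN + ANY_USER + (
    Rule(53, True, frozenset({"read", "compare"}), CERT_ATTRS, None, "NONE"),)

def applicable_rules(object_classes):
    """The specification filter (SF={ITEM=...}) selects which subentry applies."""
    if "OcRestricted" in object_classes:
        return RESTRICTED
    if "OcPublic" in object_classes:
        return PUBLIC
    return ()  # no matching subentry: nothing grants, so everything is denied

def decide(object_classes, user_dn, auth_level, op, attr):
    """X.500 BAC: highest precedence wins, deny beats grant on ties, default deny."""
    best = None
    for r in applicable_rules(object_classes):
        if op not in r.ops or (r.attrs is not None and attr not in r.attrs):
            continue
        if (r.user is not None and r.user != user_dn) or AUTH_RANK[auth_level] < AUTH_RANK[r.auth]:
            continue
        if best is None or r.precedence > best.precedence or (
                r.precedence == best.precedence and not r.grant):
            best = r
    return best is not None and best.grant

def set_status(object_classes, public):
    """Mirrors the dirxcp modify: swap the auxiliary class, keep all other classes."""
    ocs = {c for c in object_classes if c not in ("OcPublic", "OcRestricted")}
    ocs.add("OcPublic" if public else "OcRestricted")
    return frozenset(ocs)
```

Running decide() for an anonymous bind against an OcRestricted entry shows read of UC denied but compare granted, while the certificate administrator with STRONG authentication keeps read and modify; with SIMPLE authentication the PR=255 item does not apply and modify is refused.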