LDAP and RBAC

At the user level, Orbit security involves making sure that each person using Orbit is allowed to do so at that time, and when he or she uses Orbit that he or she only uses those parts of it that he or she is allowed to use. That is, there are two parts to Orbit security: authenticating users and controlling their access to Orbit resources.

The Lightweight Directory Access Protocol (LDAP) is used by Orbit to authenticate each user's password when he or she logs into an Orbit controller or server. LDAP authentication and the proper use of Orbit user id's and passwords allows each user id to be related to a single human user. A single person may have one or more Orbit user id's. Each Orbit user id may be logged into one or more sessions, and during each session there may be multiple computer processes initiated by the user. A process is an instance of a user running an application program like a spreadsheet, editor or browser.

Role-Based Access Control (RBAC) will be used by Orbit to control each user's access to Orbit resources based on his or her role. To explain this use of roles, first some terminology. When a user runs an application program that process acts on behalf of the user and is referred to as a subject. An object is any resource accessible on a computer system, including peripherals, files, databases, and fields in a database. An operation is an active part of a process invoked by the subject process much like a function call or a method invocation. In general, a permission or privilege is the authorization to perform some action on the system. In RBAC, a permission is the authorization to perform a given operation on a given object. The use of roles to control access is based on the observation that there may be thousands of users in a given organization, but there are perhaps only a hundred different roles they act in at any given time to access resources. Users are assigned to one or more roles. Each role has a defined set of permissions, each for an operation invoked by a process run by a user acting in that role to access a given object.

As with any access control mechanism, role-based access control will have some performance penalties. Role-based access control should provide sufficiently flexible control with acceptable performance for reasonable administrative cost. In ORBIT, role-based access control will be implemented using mechanisms provided by LDAP. It is expected that this implementation will have acceptable performance while providing the desired security.

Test overstrikes Fr\'ed\'eric

to_unicode('\x00 \x30")

In SACMAT '06: Proceedings of the eleventh ACM symposium on Access control models and technologies, pages 139—149, New York, NY, USA,

LDAP Version 2 documents

RFC1777 Lightweight Directory Access Protocol ​ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc1777.txt.pdf RFC1777

RFC1778 The String Representation of Standard Attribute Syntaxes ​ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc1778.txt.pdf RFC1778

RFC1779 A String Representation of Distinguished Names ​ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc1779.txt.pdf RFC1779

RFC1959 An LDAP URL format ​ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc1959.txt.pdf RFC1959

RFC1960 A String Representation of LDAP Search Filters ​ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc1960.txt.pdf RFC1960

RFC1823 The LDAP Application Program Interface (C language API) ​ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc1823.txt.pdf RFC1823

RFC 2596 Use of Language Codes in LDAP ​ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc2596.txt.pdf RFC2596

LDAP Version 3 Documents

RFC4510 LDAP: Technical Specification Road Map ​ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc4510.txt.pdf RFC4510

RFC4511 LDAP: The Protocol ​ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc4511.txt.pdf RFC4511

RFC4512 LDAP: Directory Information Models ​ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc4512.txt.pdf RFC4512

RFC4513 LDAP: Authentication Methods and Security Mechanisms ​ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc4513.txt.pdf RFC4513

RFC4514 LDAP: String Representation of Distinguished Names ​ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc4514.txt.pdf RFC4514

RFC4515 LDAP: String Representation of Search Filters ​ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc4515.txt.pdf RFC4515

RFC4516 LDAP: Uniform Resource Locator ​ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc4516.txt.pdf RFC4516

RFC4517 LDAP: Syntaxes and Matching Rules ​ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc4517.txt.pdf RFC4517

RFC4518 LDAP: Internationalized String Preparation ​ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc4518.txt.pdf RFC4518

RFC4519 LDAP: Schema for User Applications ​ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc4519.txt.pdf RFC4519