Internet DRAFT - draft-bartz-lsb-policy-rule-components
Network Working Group L. Bartz
Internet Draft Internal Revenue Service
Expires June, 2003 December, 2002
Logically Succinct Basic Policy Rule Components
< draft-bartz-lsb-policy-rule-components-00.txt >
Status of this Memo
This document is an Internet-Draft and is subject to all provisions of
Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference material
or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/1id-abstracts.html
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Copyright Notice
Copyright (C) The Internet Society (2002). All Rights Reserved.
Abstract
Logically Succinct Basic Policy Rule Components (LSBPRC) provides
model extensions to the Policy Core Information Model (PCIM) and
implementable extensions to the Policy Core LDAP Schema (PCLS) in
which the logic of conditions and actions can be succinctly expressed
and explicitly interpreted. LSBPRC offers a direct and invariant
connection between the rule designer's intention and the rule
interpreter's evaluation of the rulebase.
Bartz [Page 1]
INTERNET-DRAFT LSBPRC December, 2002
Table of Contents
1. Introduction
2. LSBPRC Information Model
2.1. Design Goals
2.2. Operands of Logical Operations
2.2.1. Operands of Comparison Operations
2.2.2. Operands of Assignment Operations
2.2.3. RHS Operand Families
2.2.3.1. Specified Operands
2.2.3.2. Computed Operands
2.2.3.2.1. Dynamic Operand
2.2.3.2.2. LDAP URL Value Operand
2.3. Logical Operations
2.3.1. Conditions as Comparison Operations
2.3.2. Actions as Assignment Operations
2.3.2.1. Assignment Modes
2.3.3. Actions as Invokers of Computational Resources
3. LSBPRC Directory Schema
3.1. LSBPRC Family Objectclasses
3.1.1. lsbCondition
3.1.2. lsbAction
3.2. LSBPRC Attributetypes
3.2.1. Named Operand
3.2.2. Specified Operands
3.2.2.1. String Operand
3.2.2.2. Integer Operand
3.2.2.3. Float Operand
3.2.2.4. Boolean Operand
3.2.2.5. BitString Operand
3.2.2.6. OctetString Operand
3.2.3. Computed Operands
3.2.3.1. Dynamic Operand Value Operand
3.2.3.2. LDAP URL Value Operand
3.2.4. Utility Attributes
3.2.4.1. String Ignore Case Flag
3.2.4.2. String Concatenation Delimiter
3.2.4.3. Assignment Mode
3.3. LSBPRC Implementable Objectclasses
3.3.1. LSBPRC Condition Components
3.3.1.1. String Comparison Operations
3.3.1.1.1. String Equality
3.3.1.1.2. String GreaterThan
3.3.1.1.3. String LessThan
3.3.1.1.4. String Length Equality
3.3.1.1.5. String Length GreaterThan
3.3.1.1.6. String Length LessThan
3.3.1.1.7. String BeginsWith
3.3.1.1.8. String EndsWith
3.3.1.1.9. String Contains
3.3.1.1.10. String Exists
3.3.1.2. Integer Comparison Operations
3.3.1.2.1. Integer Equality
3.3.1.2.2. Integer GreaterThan
3.3.1.2.3. Integer LessThan
3.3.1.2.4. Integer Exists
3.3.1.3. Float Comparison Operations
3.3.1.3.1. Float Equality
3.3.1.3.2. Float GreaterThan
3.3.1.3.3. Float LessThan
3.3.1.3.4. Float Exists
3.3.1.4. Boolean Comparison Operations
3.3.1.4.1. Boolean Equality
3.3.1.5. BitString Comparison Operations
3.3.1.5.1. Bit Value Equality
3.3.1.5.2. Bit Value GreaterThan
3.3.1.5.3. Bit Value LessThan
3.3.1.5.4. BitString Exists
3.3.1.6. Delegated Comparison Operations
3.3.1.6.1. Delegation to Distributed Object
3.3.2. LSBPRC Action Components
3.3.2.1. String Assignment Operations
3.3.2.1.1. String Assignment
3.3.2.1.2. String Concatenation
3.3.2.2. Integer Assignment Operations
3.3.2.2.1. Integer Assignment
3.3.2.2.2. Integer PlusEquals
3.3.2.2.3. Integer MinusEquals
3.3.2.2.4. Integer MultEquals
3.3.2.2.5. Integer DivEquals
3.3.2.2.6. Integer ModuloEquals
3.3.2.3. Float Assignment Operations
3.3.2.3.1. Float Assignment
3.3.2.3.2. Float PlusEquals
3.3.2.3.3. Float MinusEquals
3.3.2.3.4. Float MultEquals
3.3.2.3.5. Float DivEquals
3.3.2.3.6. Float ModuloEquals
3.3.2.4. Boolean Assignment Operations
3.3.2.4.1. Boolean Assignment
3.3.2.5. BitString Assignment Operations
3.3.2.5.1. Bitwise Shift Left
3.3.2.5.2. Bitwise Shift Right
3.3.2.5.3. Bitwise Shift Right Zero-fill
3.3.2.5.4. Bitwise AND
3.3.2.5.5. Bitwise OR
3.3.2.5.6. Bitwise XOR
3.3.2.5.7. Bitwise OnesComplement
3.3.2.6. Delegated Assignment Operations
3.3.2.6.1. Delegation to Distributed Object
3.3.2.7. Delegated Action to Computing Resource
3.3.2.7.1. Delegation to Distributed Object
3.3.3. LSBPRC Policy Alias
4. Security Considerations
5. Intellectual Property
6. Acknowledgements
7. References
8. Author's Address
9. Full Copyright Statement
1. Introduction
Logically Succinct Basic Policy Rule Components (LSBPRC) provides
model extensions to PCIM [1] and implementable extensions to PCLS [2]
in which the logic of conditions and actions can be succinctly
expressed and explicitly interpreted. LSBPRC offers a direct and
invariant connection between the rule designer's intention and the
rule interpreter's evaluation of the rulebase.
PCIM and PCLS each provide abstract, non-implementable definitions for
the components of a rule; the condition and action components. LSBPRC
provides explicit modeling of broad ranges of conditions as comparison
operations, and of actions as assignment operations. LSBPRC also
provides mechanisms by which policy actions may invoke computing
resources which fulfill a rule's requirement for "action". LSBPRC's
Directory [3,4,5] schema provides concrete, implementable
objectclasses and attributetypes which realize the model.
Expert Systems (ES) [6] is a discipline of the field of Artificial
Intelligence (AI). ES is also commonly known as "rule-based AI". Among
the many disciplines of AI, ES is widely acknowledged as one which has
achieved a comparatively significant level of maturity, with readily
accessible concepts, widely available software, and many successful
and productive applications.
The terminology and concepts of PCIM show a strong correspondence to
the terminology and concepts of Expert Systems. There is no evidence
in PCIM that this correspondence was deliberate. Nevertheless, the
affinity of Policy for Expert Systems, even if unintentional, is
strong. In PCIM, rules are composed of conditions and actions, just as
in Expert Systems. The compositional nature of rules, in which
conditions and actions are components, is common to both PCIM and
Expert Systems. Accordingly, the abstract compositional building
blocks of PCIM and PCLS, when evaluated from the perspective of ES,
are very familiar and compelling.
LSBPRC is inspired, motivated, and informed by the concepts and
patterns of Expert Systems. This is not to say that an Expert System
is the only mechanism which is capable of using LSBPRC's information
model and schema. Rather, Expert Systems strategies and
methodologies illuminate a path which leads to LSBPRC's concrete and
implementable extensions of the PCIM and PCLS.
In Expert Systems implementations, the comparison operators of
conditional operations, the assignment operators of action operations,
and the operators of action operations which activate or invoke
computational resources are all integrated with the condition and
action components. These operators of conditions and actions convey
the rule designer's precise intentions. This precision empowers the
rule evaluator (the PDP, in the case of PCIM), giving it the
capability to faithfully execute the rule as it was designed.
This is the foundational premise of LSBPRC: that the discipline of
Expert Systems offers a "best practices" example for the expression,
persistence, and evaluation of rules. Specifically, a rule is not
defined unless the logic of its condition and action components is
unequivocal.
With the decision to explicitly support the comparison operators of
conditions and the assignment and execution operators of actions
concluded, the question of how many, and which operators arises.
LSBPRC intends to serve as a general purpose model and as a vehicle
for implementation of policy-based systems and applications,
regardless of their particular information and problem domains.
Accordingly, LSBPRC explicitly supports a limited yet thorough set of
operators which are generally useful. As a hedge, LSBPRC also supports
"escape hatches", built-in mechanisms which allow implementors to
define and invoke their own purpose-built condition and action
operators as distributed objects.
The choice of which condition and action operators are explicitly
supported in LSBPRC is dependent upon evidence of "best practices".
The choice of operators is drawn from primitive comparison and
assignment operators implemented in programming languages such as C
[9] and Java [10], and in scripting languages such as ECMAScript [11].
Again, the domain of Expert Systems reinforces this "best practices"
evidence, as these common operators are generally supported as native
functions.
Unlike PCIM and PCLS, this document presents LSBPRC's information
model and Directory schema in one document. This is not to imply that
the Directory schema is the only possible technical specification of
LSBPRC's information components. Neither does it imply that the
Directory is the only possible repository for the persistence of
LSBPRC's information.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119, reference
[7].
The key words "PDP" and "PEP" are to be interpreted as described in
RFC 3060, reference [1].
NOTE: This draft is dependent upon a Work in Progress [2]. A
subsequent version of this draft will reference [2] by its RFC when
appropriate.
2. LSBPRC Information Model
2.1. Design Goals
Goals which shaped the design of LSBPRC include:
- provide concrete, immediately implementable and useful model and
schema
- provide model and schema for widely-applicable, general purpose
rules, conditions, and actions
- avoid dependence upon, or explicit support for, any particular
application domain of rules, conditions, or actions
- support capability for rule authors to explicitly define the
logical comparison operations of conditions and the logical
assignment operations of actions
- support capability for rule interpreters to unequivocally
evaluate and act upon the expressed intent of rule authors
- explicitly define conditions as comparison operations
- provide a broad range of comparison operations based upon
comparison operations which are widely implemented and used
- explicitly define actions as assignment operations
- provide a broad range of assignment operations based upon
assignment operations which are widely implemented and used
- leverage the rule expression, storage, and evaluation patterns of
Expert Systems
- define typesafe operands for the comparison operations of
conditions and the assignment operations of actions
- provide mechanism for using the results (assigned values) of
rules as operands in other rules
- provide built-in extension mechanisms to support conditions and
actions which are not, should not, or cannot be defined in
this model
- provide explicit mechanisms which can invoke computing resources
to fulfill a rule's requirements for "action"
2.2. Operands of Logical Operations
LSBPRC defines conditions as comparison operations, and actions as
assignment operations. The expression of an operation in this model
requires an operator, which is a specific logical function, and
operands, which are the information components with which the operator
computes. The definitions of LSBPRC's logical operators are
encapsulated as objectclass definitions, as described in sections 2.3
and 3.3 of this document. LSBPRC's operands are described here.
LSBPRC explicitly supports six data types for operands of its logical
operations. These are String, Integer, Float, Boolean, Bit String, and
Octet String. To promote typesafety of logical operations, each
general operand kind is represented by six type-specific instances.
2.2.1. Operands of Comparison Operations
In the comparison operations of conditions, there are two categories
of operands.
First is the operand which represents the value which is the subject
of the comparison. This is called the "Named Operand" of a comparison
operation throughout this model. As with all other LSBPRC operand
kinds, Named Operand supports typesafety in logical operations. The
statically-defined value is always a name, so it is expressed as a
string value. The six instances of Named Operand designate, by their
names and through the semantics of their definitions, the types of the
values to which they refer. The Named Operand can be thought of as
residing in the left-hand side (LHS) of a comparison operation.
Second is the operand which constitutes the comparison criteria. The
model nominates many specific attributetypes to serve this role. Each
is known as a "Comparison Operand" of a comparison operation
throughout this model. The Comparison Operand can be thought of as
residing on the right-hand side (RHS) of a comparison operation.
2.2.2. Operands of Assignment Operations
In the assignment operations of actions, there are two categories of
operands.
First is the operand to which value is assigned by the operation.
This is called the "Named Operand" of an assignment operation in this
model. As with all other LSBPRC operand kinds, Named Operand supports
typesafety in logical operations. The statically-defined value is
always a name, so it is expressed as a string value. The six instances
of Named Operand designate, by their names and through the semantics
of their definitions, the types of the values to which they refer. The
Named Operand can be thought of as residing in the left-hand side
(LHS) of an assignment operation.
Second is the operand which represents the value to be assigned or a
value from which the value to be assigned is computed. This model
nominates many specific attributetypes to serve this role. Each is
known as an "Assignment Operand" of an action operation throughout
this model. The Assignment Operands can be thought of as residing on
the right-hand side (RHS) of an assignment operation.
2.2.3. RHS Operand Families
Comparison Operands and Assignment Operands are drawn from two
families of operands, the Specified Operands and the Computed
Operands.
2.2.3.1. Specified Operands
Specified Operands are typesafe. They represent the domain of constant
and literal information types which are supported for comparison
operations and assignment operations in this model. The types
include String, Integer, Float, Boolean, Bit String, and Octet String.
Specified Operands provide the mechanism for expressing operands as
constants or literal values in the logical operations of LSBPRC.
2.2.3.2. Computed Operands
Computed Operands require some computation to reveal their values.
LSBPRC defines two types of Computed Operand.
2.2.3.2.1. Dynamic Operand
The static value of a Dynamic Operand is the name of a variable which
is available to the PDP. This name MUST be dereferenced by the PDP so
that the PDP may evaluate the operation using the runtime values which
are associated with the statically-defined name. The dereferenced
name/value-set could be a name/value-set which is provided to the PDP
by the PEP, or a name/value-set which the PDP can glean from its own
environment, or a name/value-set which has been created or
modified by another rule.
Note that although a Dynamic Operand is single-valued ( one name of
one variable ), the act of dereferencing a Dynamic Operand may reveal
that the variable itself is multi-valued. Implementations which use
Dynamic Operand MAY limit applicability to single-valued variables in
order to simplify processing. Otherwise, implementations SHOULD
iterate over all values of a multi-valued Dynamic Operand.
Use of Dynamic Operand in which the name value designates a variable
which is multi-valued is not defined for usage as Assignment Operand.
As with all other LSBPRC operand kinds, Dynamic Operand supports
typesafety in logical operations. The statically-defined value is
always a name, so it is expressed as a string value. The six instances
of Dynamic Operand designate, by their names and through the semantics
of their definitions, the types of the values to which they refer.
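The dereferencing rules above, sketched as an added example that is not part of the draft: a PDP resolves Named and Dynamic Operand names against its runtime variables, rejects values whose type does not match the operand attribute, iterates over multi-valued Comparison Operands, and refuses a multi-valued Assignment Operand. The Python type mapping, the any-pair-matches comparison semantics, the function names and the sample variables are assumptions of this example.

```python
"""Typesafe dereferencing of LSBPRC Named and Dynamic Operands (illustrative)."""

# Python type expected behind each operand attribute. The attribute names are
# the draft's; the mapping to Python types is an assumption of this example.
# Bit String operands are left out to keep the example short.
OPERAND_TYPES = {
    "lsbOperandNamedStr": str, "lsbOperandDynStr": str,
    "lsbOperandNamedInt": int, "lsbOperandDynInt": int,
    "lsbOperandNamedFloat": float, "lsbOperandDynFloat": float,
    "lsbOperandNamedBool": bool, "lsbOperandDynBool": bool,
    "lsbOperandNamedOctStr": bytes, "lsbOperandDynOctStr": bytes,
}


class OperandError(Exception):
    """Raised when an operand cannot be dereferenced safely."""


def dereference(attr, name, variables):
    """Resolve an operand name to its list of runtime values.

    `variables` stands for the name/value-sets available to the PDP
    (from the PEP, from its environment, or written by another rule).
    """
    expected = OPERAND_TYPES.get(attr)
    if expected is None:
        raise OperandError(f"unsupported operand attribute {attr!r}")
    if name not in variables:
        raise OperandError(f"variable {name!r} is not known to the PDP")
    raw = variables[name]
    values = list(raw) if isinstance(raw, (list, tuple)) else [raw]
    if not values:
        raise OperandError(f"variable {name!r} has no values")
    for value in values:
        # type() rather than isinstance(): bool is a subclass of int in
        # Python, and a Boolean must not pass as an Integer operand.
        if type(value) is not expected:
            raise OperandError(
                f"{name!r} holds {type(value).__name__}, "
                f"but {attr} requires {expected.__name__}"
            )
    return values


def integer_greater_than(named, dynamic, variables):
    """Condition: Named Operand (Integer) > Dynamic Operand (Integer).

    Iterates over every value of a multi-valued operand. Assumption: the
    condition holds if any pair of values satisfies the comparison.
    """
    lhs = dereference("lsbOperandNamedInt", named, variables)
    rhs = dereference("lsbOperandDynInt", dynamic, variables)
    return any(a > b for a in lhs for b in rhs)


def integer_assign(named, dynamic, variables):
    """Action: replace the Named Operand's value with the Dynamic Operand's.

    A multi-valued Assignment Operand is undefined in the model, so it is
    refused instead of silently picking one value.
    """
    rhs = dereference("lsbOperandDynInt", dynamic, variables)
    if len(rhs) != 1:
        raise OperandError(
            f"{dynamic!r} is multi-valued; undefined as an Assignment Operand"
        )
    variables[named] = rhs[0]
    return variables[named]


# Constructed sample of the variables a PDP might hold.
SAMPLE_VARIABLES = {
    "sessionCount": 12,
    "sessionLimits": [10, 20],   # multi-valued Integer variable
    "label": "12",               # String that merely looks like an Integer
    "flag": True,
}

if __name__ == "__main__":
    v = dict(SAMPLE_VARIABLES)
    print(integer_greater_than("sessionCount", "sessionLimits", v))
    print(integer_assign("quota", "sessionCount", v))
```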
2.2.3.2.2. LDAP URL Value Operand
The static value of an LDAP URL Value Operand is an LDAP URL, as
defined in [8]. LSBPRC constrains the usage of LDAP URL for use in
this model to forms in which one and ONLY one attribute is specified
as the URL's search criteria. This LDAP URL MUST be dereferenced so
that the PDP may evaluate the operation using the values which are
associated with the statically-defined URL.
Note that although an LDAP URL Value Operand is single-valued ( one
URL which solicits values of one attribute ), the act of dereferencing
an LDAP URL Value Operand may reveal that the variable itself is
multi-valued. Implementations which use LDAP URL Value Operand MAY
limit applicability to single-valued variables in order to simplify
processing. Otherwise, implementations SHOULD iterate over all values
of a multi-valued LDAP URL Value Operand.
Use of LDAP URL Value Operand in which the solicited attribute
designates an attribute which is multi-valued is not defined for usage
as Assignment Operand.
As with all other LSBPRC operand kinds, LDAP URL Value Operand
supports typesafety in logical operations. The statically-defined
value is always a URI, so it is expressed as a string value. The six
instances of LDAP URL Value Operand designate, by their names and
through the semantics of their definitions, the types of the values to
which they refer.
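One way to enforce the "one and ONLY one attribute" constraint before a PDP dereferences an LDAP URL Value Operand, as an added example that is not part of the draft. The function names, the attribute-name pattern and the sample rulebase entries are assumptions constructed for illustration; only the `ldap` scheme is accepted.

```python
"""Check that an LDAP URL operand solicits exactly one attribute (illustrative)."""
import re
from urllib.parse import unquote

# An attribute description: a short name or a numeric OID, with optional
# ";option" suffixes. Wildcards such as "*" do not match.
_ATTRIBUTE = re.compile(
    r"(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)(?:;[A-Za-z0-9-]+)*"
)


class LdapUrlOperandError(ValueError):
    """Raised when a URL is not usable as an LSBPRC LDAP URL Value Operand."""


def solicited_attribute(url):
    """Return the single attribute named in the URL, or raise."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() != "ldap":
        raise LdapUrlOperandError("operand is not an ldap:// URL")
    # Layout: hostport "/" dn "?" attributes "?" scope "?" filter "?" extensions
    _hostport, slash, tail = rest.partition("/")
    fields = tail.split("?") if slash else []
    if len(fields) > 5:
        raise LdapUrlOperandError("too many '?'-separated fields")
    if len(fields) < 2 or not fields[1]:
        # An empty attribute list asks the server for every attribute.
        raise LdapUrlOperandError("no attribute specified")
    # Split on literal commas first, then percent-decode each item, so an
    # encoded comma cannot hide a second attribute from the count.
    attributes = [unquote(item) for item in fields[1].split(",")]
    if len(attributes) != 1:
        raise LdapUrlOperandError(
            f"{len(attributes)} attributes specified, exactly one required"
        )
    if not _ATTRIBUTE.fullmatch(attributes[0]):
        raise LdapUrlOperandError(f"invalid attribute {attributes[0]!r}")
    return attributes[0]


def audit_operands(operands):
    """Split {entry DN: LDAP URL} into accepted and rejected operands."""
    accepted, rejected = {}, {}
    for dn, url in operands.items():
        try:
            accepted[dn] = solicited_attribute(url)
        except LdapUrlOperandError as err:
            rejected[dn] = str(err)
    return accepted, rejected


# Constructed values of lsbOperandValueLDAPURLStr, keyed by the DN of the
# condition entry that carries them.
SAMPLE_OPERANDS = {
    "cn=cond-ok,ou=rules,dc=example,dc=com":
        "ldap://ldap.example.com/ou=limits,dc=example,dc=com?description?base",
    "cn=cond-two,ou=rules,dc=example,dc=com":
        "ldap://ldap.example.com/ou=limits,dc=example,dc=com?cn,sn?sub",
    "cn=cond-all,ou=rules,dc=example,dc=com":
        "ldap://ldap.example.com/ou=limits,dc=example,dc=com??sub",
    "cn=cond-star,ou=rules,dc=example,dc=com":
        "ldap://ldap.example.com/ou=limits,dc=example,dc=com?*",
    "cn=cond-enc,ou=rules,dc=example,dc=com":
        "ldap://ldap.example.com/ou=limits,dc=example,dc=com?cn%2Csn",
    "cn=cond-http,ou=rules,dc=example,dc=com":
        "http://ldap.example.com/?description",
}

if __name__ == "__main__":
    ok, bad = audit_operands(SAMPLE_OPERANDS)
    for dn, attr in ok.items():
        print("accept", dn, attr)
    for dn, reason in bad.items():
        print("reject", dn, reason)
```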
2.3. Logical Operations
2.3.1. Conditions as Comparison Operations
LSBPRC conditions are comparison operations which yield boolean
results. Comparison operations are typesafe, by virtue of their
objectclass name and semantic description, and by the type
specifications of their attributes.
Many operator-specific and datatype-specific classes are defined in
3.3.1 and subordinate sections of this document.
When the specified comparisons are not sufficient to satisfy an
implementation's requirements, a rule may delegate the comparison
operation to a distributed object, as described in 3.3.1.6. The
delegated comparison operation is identified in the information model
and in the Directory as per either RFC 2713 [13] or RFC 2714 [14].
NOTE:
A subsequent version of this draft may specify Java [10] classes,
Java interfaces, and CORBA IDL (Interface Definition Language)
[12] which are suitable for use in implementing these operations.
2.3.2. Actions as Assignment Operations
LSBPRC actions are assignment operations which assign values to
variables. Assignment operations are typesafe, by virtue of their
objectclass name and semantic description, and by the type
specifications of their attributes.
Many operator-specific and datatype-specific classes are defined in
3.3.1 and subordinate sections of this document.
When the specified assignment operations are not sufficient to satisfy
an implementation's requirements, a rule may delegate the assignment
operation to a distributed object, as described in 3.3.2.6. The
delegated assignment operation is identified in the information model
and in the Directory as per either RFC 2713 [13] or RFC 2714 [14].
NOTE:
A subsequent version of this draft may specify Java [10] classes,
Java interfaces, and CORBA IDL (Interface Definition Language)
[12] which are suitable for use in implementing these operations.
2.3.2.2. Assignment Modes
LSBPRC supports several strategies for assigning values to variables.
These include:
- replace any/all Named Operand values by single value
- augment multivalued Named Operand by additional value
- modify all values of Named Operand by assignment operation
- delete specified value from value set of Named Operand
The attribute lsbActionAssignmentMode, implemented as an integer
enumerator, indicates which strategy is specified for each assignment
operation. See 3.2.4.3.
2.3.3. Actions as Invokers of Computational Resources
The Delegated Action component may invoke computing resources which
fulfill a rule's requirement for "action".
3. LSBPRC Directory Schema
NOTE: OIDs for the schema elements in this document have not been
assigned. This note to be removed prior to publication. All uses of
OIDs are indicated symbolically. For example, OID-OC.1 is a
placeholder that will be replaced by a real OID before publication.
3.1. LSBPRC Family Objectclasses
3.1.1. lsbCondition
objectclass ( OID-OC.1
NAME 'lsbCondition'
DESC 'Class from which all lsb Condition classes
inherit. Subtypes specify logically succinct comparison
operations in which the value of a Named Operand is evaluated
with respect to the value of Comparison Operand. The comparison
operation yields a boolean result.'
SUP pcimConditionAuxClass
AUXILIARY
)
3.1.2. lsbAction
objectclass ( OID-OC.2
NAME 'lsbAction'
DESC 'Class from which all lsb Action classes inherit. Subtypes
specify logically succinct assignment operations in which the
value of a Named Operand is assigned using the value of an
Assignment Operand.'
SUP pcimActionAuxClass
AUXILIARY
)
3.2. LSBPRC Attributetypes
3.2.1. Named Operand
attributetype ( OID-AT.1
NAME 'lsbOperandNamedStr'
DESC 'The Named Operand of a logical comparison or assignment
operation. In a Condition, it is the subject of the comparison
operation. In an Action, it is the target of the assignment
operation. This Named Operand type represents a variable which
possesses some value(s) of type String.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SINGLE-VALUE
USAGE userApplications
)
attributetype ( OID-AT.2
NAME 'lsbOperandNamedInt'
DESC 'The Named Operand of a logical comparison or assignment
operation. In a Condition, it is the subject of the comparison
operation. In an Action, it is the target of the assignment
operation. This Named Operand type represents a variable which
possesses some value(s) of type Integer.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SINGLE-VALUE
USAGE userApplications
)
attributetype ( OID-AT.3
NAME 'lsbOperandNamedFloat'
DESC 'The Named Operand of a logical comparison or assignment
operation. In a Condition, it is the subject of the comparison
operation. In an Action, it is the target of the assignment
operation. This Named Operand type represents a variable which
possesses some value(s) of type Float.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SINGLE-VALUE
USAGE userApplications
)
attributetype ( OID-AT.4
NAME 'lsbOperandNamedBitStr'
DESC 'The Named Operand of a logical comparison or assignment
operation. In a Condition, it is the subject of the comparison
operation. In an Action, it is the target of the assignment
operation. This Named Operand type represents a variable which
possesses some value(s) of type Bit String.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SINGLE-VALUE
USAGE userApplications
)
attributetype ( OID-AT.5
NAME 'lsbOperandNamedBool'
DESC 'The Named Operand of a logical comparison or assignment
operation. In a Condition, it is the subject of the comparison
operation. In an Action, it is the target of the assignment
operation. This Named Operand type represents a variable which
possesses a value of type Boolean.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SINGLE-VALUE
USAGE userApplications
)
attributetype ( OID-AT.6
NAME 'lsbOperandNamedOctStr'
DESC 'The Named Operand of a logical comparison or assignment
operation. In a Condition, it is the subject of the comparison
operation. In an Action, it is the target of the assignment
operation. This Named Operand type represents a variable which
possesses some value(s) of type Octet String.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SINGLE-VALUE
USAGE userApplications
)
3.2.2. Specified Operands
3.2.2.1. String Operand
attributetype ( OID-AT.7
NAME 'lsbOperandSpecStr'
DESC 'String value of the operand with which the Named
Operand of a condition is compared or with which the Named
Operand of an action is assigned. In lsbCondition types,
this is a Comparison Operand. In lsbAction types, this is
an Assignment Operand.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SINGLE-VALUE
USAGE userApplications
)
3.2.2.2. Integer Operand
attributetype ( OID-AT.9
NAME 'lsbOperandSpecInt'
DESC 'Integer value of the operand with which the Named
Operand of a condition is compared or with which the Named
Operand of an action is assigned. In lsbCondition types,
this is a Comparison Operand. In lsbAction types, this is
an Assignment Operand.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
EQUALITY integerMatch
ORDERING integerOrderingMatch
SINGLE-VALUE
USAGE userApplications
)
3.2.2.3. Float Operand
attributetype ( OID-AT.11
NAME 'lsbOperandSpecFloat'
DESC 'Floating point value of the operand with which the Named
Operand of a condition is compared or with which the Named
Operand of an action is assigned. There is no floating point
attribute type defined for the Directory. Implementors should
adhere to common representations of floating point values,
such as 765.482 or 7.65482e+2. In lsbCondition types,
this is a Comparison Operand. In lsbAction types, this is
an Assignment Operand.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SINGLE-VALUE
USAGE userApplications
)
3.2.2.4. Boolean Operand
attributetype ( OID-AT.13
NAME 'lsbOperandSpecBool'
DESC 'Boolean value of the operand with which the Named
Operand of a condition is compared or with which the Named
Operand of an action is assigned. In lsbCondition types,
this is a Comparison Operand. In lsbAction types, this is
an Assignment Operand.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
EQUALITY booleanMatch
SINGLE-VALUE
USAGE userApplications
)
3.2.2.5. BitString Operand
attributetype ( OID-AT.15
NAME 'lsbOperandSpecBitStr'
DESC 'Bit String value of the operand with which the Named
Operand of a condition is compared or with which the Named
Operand of an action is assigned. In lsbCondition types,
this is a Comparison Operand. In lsbAction types, this is
an Assignment Operand.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.6
EQUALITY bitStringMatch
SINGLE-VALUE
USAGE userApplications
)
3.2.2.6. OctetString Operand
attributetype ( OID-AT.17
NAME 'lsbOperandSpecOctStr'
DESC 'Octet String value of the operand with which the Named
Operand of a condition is compared or with which the Named
Operand of an action is assigned. In lsbCondition types,
this is a Comparison Operand. In lsbAction types, this is
an Assignment Operand.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
EQUALITY octetStringMatch
ORDERING octetStringOrderingMatch
SINGLE-VALUE
USAGE userApplications
)
3.2.3. Computed Operands
3.2.3.1. Dynamic Operand Value Operand
attributetype ( OID-AT.19
NAME 'lsbOperandDynStr'
DESC 'Name of an operand, the value of which is used in
comparison or assignment operations. In lsbCondition types,
this is a Comparison Operand. The values of the dereferenced
operand name constitute the domain of values with which the
Named Operand is compared. Comparison operations are obligated
to iterate over all values of the Comparison operand. In
lsbAction types, this is an Assignment Operand. Use of
multivalued Assignment Operands is undefined. This Dynamic
Operand type represents a variable which possesses some value(s)
of type String.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
EQUALITY caseExactMatch
SUBSTR caseExactSubstringsMatch
SINGLE-VALUE
USAGE userApplications
)
attributetype ( OID-AT.21
NAME 'lsbOperandDynInt'
DESC 'Name of an operand, the value of which is used in
comparison or assignment operations. In lsbCondition types,
this is a Comparison Operand. The values of the dereferenced
operand name constitute the domain of values with which the
Named Operand is compared. Comparison operations are obligated
to iterate over all values of the Comparison operand. In
lsbAction types, this is an Assignment Operand. Use of
multivalued Assignment Operands is undefined. This Dynamic
Operand type represents a variable which possesses some value(s)
of type Integer.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
EQUALITY caseExactMatch
SUBSTR caseExactSubstringsMatch
SINGLE-VALUE
USAGE userApplications
)
attributetype ( OID-AT.23
NAME 'lsbOperandDynFloat'
DESC 'Name of an operand, the value of which is used in
comparison or assignment operations. In lsbCondition types, this
is a Comparison Operand. The values of the dereferenced operand
name constitute the domain of values with which the Named
Operand is compared. Comparison operations are obligated to
iterate over all values of the Comparison operand. In lsbAction
types, this is an Assignment Operand. Use of multivalued
Assignment Operands is undefined. This Dynamic Operand type
represents a variable which possesses some value(s) of type Float.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
EQUALITY caseExactMatch
SUBSTR caseExactSubstringsMatch
SINGLE-VALUE
USAGE userApplications
)
attributetype ( OID-AT.25
NAME 'lsbOperandDynBitStr'
DESC 'Name of an operand, the value of which is used in
comparison or assignment operations. In lsbCondition types,
this is a Comparison Operand. The values of the dereferenced
operand name constitute the domain of values with which the
Named Operand is compared. Comparison operations are obligated
to iterate over all values of the Comparison operand. In
lsbAction types, this is an Assignment Operand. Use of
multivalued Assignment Operands is undefined. This Dynamic
Operand type represents a variable which possesses some value(s)
of type Bit String.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
EQUALITY caseExactMatch
SUBSTR caseExactSubstringsMatch
SINGLE-VALUE
USAGE userApplications
)
attributetype ( OID-AT.27
NAME 'lsbOperandDynBool'
DESC 'Name of an operand, the value of which is used in
comparison or assignment operations. In lsbCondition types, this
is a Comparison Operand. The values of the dereferenced operand
name constitute the domain of values with which the Named
Operand is compared. Comparison operations are obligated to
iterate over all values of the Comparison operand. In lsbAction
types, this is an Assignment Operand. Use of multivalued
Assignment Operands is undefined. This Dynamic Operand type
represents a variable which possesses a value of type Boolean.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
EQUALITY caseExactMatch
SUBSTR caseExactSubstringsMatch
SINGLE-VALUE
USAGE userApplications
)
attributetype ( OID-AT.29
NAME 'lsbOperandDynOctStr'
DESC 'Name of an operand, the value of which is used in
comparison or assignment operations. In lsbCondition types,
this is a Comparison Operand. The values of the dereferenced
operand name constitute the domain of values with which the
Named Operand is compared. Comparison operations are obligated
to iterate over all values of the Comparison operand. In
lsbAction types, this is an Assignment Operand. Use of
multivalued Assignment Operands is undefined. This Dynamic
Operand type represents a variable which possesses some value(s)
of type Octet String.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
EQUALITY caseExactMatch
SUBSTR caseExactSubstringsMatch
SINGLE-VALUE
USAGE userApplications
)
3.2.3.2. LDAP URL Value Operand
attributetype ( OID-AT.31
NAME 'lsbOperandValueLDAPURLStr'
DESC 'RFC 2255 LDAP URL which returns values of a single
attribute. In lsbCondition types, this is a Comparison
Operand. The values returned by the LDAP operation
constitute the domain of values with which the Named Operand
is compared. Comparison operations are obligated to iterate
over all values of the Comparison Operand. In lsbAction types,
this is an Assignment Operand. Use of multivalued Assignment
Operands is undefined. This LDAP URL Value Operand represents
an LDAP URL which, when dereferenced, returns one or more
values which are of type String.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
EQUALITY caseExactMatch
SUBSTR caseExactSubstringsMatch
SINGLE-VALUE
USAGE userApplications
)
attributetype ( OID-AT.33
NAME 'lsbOperandValueLDAPURLInt'
DESC 'RFC 2255 LDAP URL which returns values of a single
attribute. In lsbCondition types, this is a Comparison
Operand. The values returned by the LDAP operation
constitute the domain of values with which the Named Operand
is compared. Comparison operations are obligated to iterate
over all values of the Comparison Operand. In lsbAction types,
this is an Assignment Operand. Use of multivalued Assignment
Operands is undefined. This LDAP URL Value Operand represents
an LDAP URL which, when dereferenced, returns one or more
values which are of type Integer.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
EQUALITY caseExactMatch
SUBSTR caseExactSubstringsMatch
SINGLE-VALUE
USAGE userApplications
)
attributetype ( OID-AT.35
NAME 'lsbOperandValueLDAPURLFloat'
DESC 'RFC 2255 LDAP URL which returns values of a single
attribute. In lsbCondition types, this is a Comparison
Operand. The values returned by the LDAP operation
constitute the domain of values with which the Named Operand
is compared. Comparison operations are obligated to iterate
over all values of the Comparison Operand. In lsbAction types,
this is an Assignment Operand. Use of multivalued Assignment
Operands is undefined. This LDAP URL Value Operand represents
an LDAP URL which, when dereferenced, returns one or more
values which are of type Float.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
EQUALITY caseExactMatch
SUBSTR caseExactSubstringsMatch
SINGLE-VALUE
USAGE userApplications
)
attributetype ( OID-AT.37
NAME 'lsbOperandValueLDAPURLBitStr'
DESC 'RFC 2255 LDAP URL which returns values of a single
attribute. In lsbCondition types, this is a Comparison
Operand. The values returned by the LDAP operation
constitute the domain of values with which the Named Operand
is compared. Comparison operations are obligated to iterate
over all values of the Comparison Operand. In lsbAction types,
this is an Assignment Operand. Use of multivalued Assignment
Operands is undefined. This LDAP URL Value Operand represents
an LDAP URL which, when dereferenced, returns one or more
values which are of type Bit String.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
EQUALITY caseExactMatch
SUBSTR caseExactSubstringsMatch
SINGLE-VALUE
USAGE userApplications
)
attributetype ( OID-AT.39
NAME 'lsbOperandValueLDAPURLBool'
DESC 'RFC 2255 LDAP URL which returns values of a single
attribute. In lsbCondition types, this is a Comparison
Operand. The values returned by the LDAP operation
constitute the domain of values with which the Named Operand
is compared. Comparison operations are obligated to iterate
over all values of the Comparison Operand. In lsbAction types,
this is an Assignment Operand. Use of multivalued Assignment
Operands is undefined. This LDAP URL Value Operand represents
an LDAP URL which, when dereferenced, returns a
value of type Boolean.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
EQUALITY caseExactMatch
SUBSTR caseExactSubstringsMatch
SINGLE-VALUE
USAGE userApplications
)
attributetype ( OID-AT.41
NAME 'lsbOperandValueLDAPURLOctStr'
DESC 'RFC 2255 LDAP URL which returns values of a single
attribute. In lsbCondition types, this is a Comparison
Operand. The values returned by the LDAP operation
constitute the domain of values with which the Named Operand
is compared. Comparison operations are obligated to iterate
over all values of the Comparison Operand. In lsbAction types,
this is an Assignment Operand. Use of multivalued Assignment
Operands is undefined. This LDAP URL Value Operand represents
an LDAP URL which, when dereferenced, returns one or more
values which are of type Octet String.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
EQUALITY caseExactMatch
SUBSTR caseExactSubstringsMatch
SINGLE-VALUE
USAGE userApplications
)
3.2.4. Utility Attributes
3.2.4.1. String Ignore Case Flag
attributetype ( OID-AT.43
NAME 'lsbCompareStrIgnoreCase'
DESC 'Indicates whether conditions which compare character
strings should ignore case.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
EQUALITY booleanMatch
SINGLE-VALUE
USAGE userApplications
)
3.2.4.2. String Concatenation Delimiter
attributetype ( OID-AT.44
NAME 'lsbStrCatDelim'
DESC 'Optional delimiter for string concatenation assignment
operations.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
EQUALITY caseExactMatch
SUBSTR caseExactSubstringsMatch
SINGLE-VALUE
USAGE userApplications
)
3.2.4.3. Assignment Mode
attributetype ( OID-AT.45
NAME 'lsbActionAssignmentMode'
DESC 'Integer value indicates mode of assignment action.
"1": replace any/all Named Operand values by single value.
"2": augment multivalued Named Operand by additional value.
"3": modify all values of Named Operand by assignment operation.
"4": delete specified value from value set of Named Operand.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
EQUALITY integerMatch
ORDERING integerOrderingMatch
SINGLE-VALUE
USAGE userApplications
)
3.3. LSBPRC Implementable Objectclasses
3.3.1. LSBPRC Condition Components
3.3.1.1. String Comparison Operations
3.3.1.1.1. String Equality Comparison
objectclass ( OID-OC.3
NAME 'lsbConditionStrEQ'
DESC 'Specifies comparison according to the semantic of
"equal". The Named Operand is evaluated for lexicographically
"equal" with respect to the Comparison Operand. When the
Named Operand and/or Comparison Operand is multivalued, if
one comparison operation of any pair of operands satisfies
the comparison operation, the condition evaluates as TRUE.'
SUP lsbCondition
MUST ( lsbOperandNamedStr $ lsbCompareStrIgnoreCase )
MAY ( lsbOperandSpecStr $ lsbOperandValueLDAPURLStr $
lsbOperandDynStr )
AUXILIARY
)
3.3.1.1.2. String GreaterThan Comparison
objectclass ( OID-OC.4
NAME 'lsbConditionStrGT'
DESC 'Specifies comparison according to the semantic
of "greaterThan". The Named Operand is evaluated for
lexicographically "greaterThan" with respect to the Comparison
Operand. When the Named Operand and/or Comparison Operand
is multivalued, if one comparison operation of any pair of
operands satisfies the comparison operation, the condition
evaluates as TRUE.'
SUP lsbCondition
MUST ( lsbOperandNamedStr $ lsbCompareStrIgnoreCase )
MAY ( lsbOperandSpecStr $ lsbOperandValueLDAPURLStr $
lsbOperandDynStr )
AUXILIARY
)
3.3.1.1.3. String LessThan Comparison
objectclass ( OID-OC.5
NAME 'lsbConditionStrLT'
DESC 'Specifies comparison according to the semantic
of "lessThan". The Named Operand is evaluated for
lexicographically "lessThan" with respect to the Comparison
Operand. When the Named Operand and/or Comparison Operand
is multivalued, if one comparison operation of any pair of
operands satisfies the comparison operation, the condition
evaluates as TRUE.'
SUP lsbCondition
MUST ( lsbOperandNamedStr $ lsbCompareStrIgnoreCase )
MAY ( lsbOperandSpecStr $ lsbOperandValueLDAPURLStr $
lsbOperandDynStr )
AUXILIARY
)
3.3.1.1.4. String Length Equality Comparison
objectclass ( OID-OC.6
NAME 'lsbConditionStrLenEQ'
DESC 'Specifies comparison according to the semantic of
"equal". The length of Named Operand is evaluated for "equal"
with respect to the length of the Comparison Operand. When
the Named Operand and/or Comparison Operand is multivalued,
if one comparison operation of any pair of operands satisfies
the comparison operation, the condition evaluates as TRUE.'
SUP lsbCondition
MUST ( lsbOperandNamedStr )
MAY ( lsbOperandSpecStr $ lsbOperandValueLDAPURLStr $
lsbOperandDynStr )
AUXILIARY
)
3.3.1.1.5. String Length GreaterThan Comparison
objectclass ( OID-OC.7
NAME 'lsbConditionStrLenGT'
DESC 'Specifies comparison according to the semantic of
"greaterThan". The length of Named Operand is evaluated for
"greaterThan" with respect to the length of the Comparison
Operand. When the Named Operand and/or Comparison Operand
is multivalued, if one comparison operation of any pair of
operands satisfies the comparison operation, the condition
evaluates as TRUE.'
SUP lsbCondition
MUST ( lsbOperandNamedStr )
MAY ( lsbOperandSpecStr $ lsbOperandValueLDAPURLStr $
lsbOperandDynStr )
AUXILIARY
)
3.3.1.1.6. String Length LessThan Comparison
objectclass ( OID-OC.8
NAME 'lsbConditionStrLenLT'
DESC 'Specifies comparison according to the semantic of
"lessThan". The length of Named Operand is evaluated for
"lessThan" with respect to the length of the Comparison
Operand. When the Named Operand and/or Comparison Operand
is multivalued, if one comparison operation of any pair of
operands satisfies the comparison operation, the condition
evaluates as TRUE.'
SUP lsbCondition
MUST ( lsbOperandNamedStr )
MAY ( lsbOperandSpecStr $ lsbOperandValueLDAPURLStr $
lsbOperandDynStr )
AUXILIARY
)
3.3.1.1.7. String BeginsWith Comparison
objectclass ( OID-OC.9
NAME 'lsbConditionStrBeg'
DESC 'Specifies comparison according to the semantic of
"beginsWith". The Named Operand is evaluated for "beginsWith"
with respect to the Comparison Operand. When the Named Operand
and/or Comparison Operand is multivalued, if one comparison
operation of any pair of operands satisfies the comparison
operation, the condition evaluates as TRUE.'
SUP lsbCondition
MUST ( lsbOperandNamedStr $ lsbCompareStrIgnoreCase )
MAY ( lsbOperandSpecStr $ lsbOperandValueLDAPURLStr $
lsbOperandDynStr )
AUXILIARY
)
3.3.1.1.8. String EndsWith Comparison
objectclass ( OID-OC.10
NAME 'lsbConditionStrEnd'
DESC 'Specifies comparison according to the semantic of
"endsWith". The Named Operand is evaluated for "endsWith"
with respect to the Comparison Operand. When the Named Operand
and/or Comparison Operand is multivalued, if one comparison
operation of any pair of operands satisfies the comparison
operation, the condition evaluates as TRUE.'
SUP lsbCondition
MUST ( lsbOperandNamedStr $ lsbCompareStrIgnoreCase )
MAY ( lsbOperandSpecStr $ lsbOperandValueLDAPURLStr $
lsbOperandDynStr )
AUXILIARY
)
3.3.1.1.9. String Contains Comparison
objectclass ( OID-OC.11
NAME 'lsbConditionStrCont'
DESC 'Specifies comparison according to the semantic of
"contains". The Named Operand is evaluated for "contains"
with respect to the Comparison Operand. When the Named Operand
and/or Comparison Operand is multivalued, if one comparison
operation of any pair of operands satisfies the comparison
operation, the condition evaluates as TRUE.'
SUP lsbCondition
MUST ( lsbOperandNamedStr $ lsbCompareStrIgnoreCase )
MAY ( lsbOperandSpecStr $ lsbOperandValueLDAPURLStr $
lsbOperandDynStr )
AUXILIARY
)
3.3.1.1.10. String Exists Comparison
objectclass ( OID-OC.12
NAME 'lsbConditionStrExist'
DESC 'Specifies comparison according to the semantic of
"exists". The Named Operand is evaluated for "exists".'
SUP lsbCondition
MUST ( lsbOperandNamedStr )
AUXILIARY
)
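The string condition classes above share one rule: every value of both operands is compared, and a single satisfying pair makes the condition TRUE. The sketch below is an added example, not part of the draft; the function names, the use of casefolding for lsbCompareStrIgnoreCase, Python code point order for "lexicographically", and "exists" meaning at least one value are all assumptions of this example.

```python
from itertools import product

# Pairwise tests named by the string condition classes in section 3.3.1.1.
PAIR_TESTS = {
    "lsbConditionStrEQ": lambda n, c: n == c,
    "lsbConditionStrGT": lambda n, c: n > c,
    "lsbConditionStrLT": lambda n, c: n < c,
    "lsbConditionStrLenEQ": lambda n, c: len(n) == len(c),
    "lsbConditionStrLenGT": lambda n, c: len(n) > len(c),
    "lsbConditionStrLenLT": lambda n, c: len(n) < len(c),
    "lsbConditionStrBeg": lambda n, c: n.startswith(c),
    "lsbConditionStrEnd": lambda n, c: n.endswith(c),
    "lsbConditionStrCont": lambda n, c: c in n,
}

# Classes whose MUST list carries lsbCompareStrIgnoreCase.
CASE_FLAG_REQUIRED = {
    "lsbConditionStrEQ", "lsbConditionStrGT", "lsbConditionStrLT",
    "lsbConditionStrBeg", "lsbConditionStrEnd", "lsbConditionStrCont",
}


def evaluate(objectclass, named, comparison=(), ignore_case=None):
    """Return the truth value of one string condition.

    named and comparison are the value lists of the Named Operand and of
    the dereferenced Comparison Operand.
    """
    if objectclass == "lsbConditionStrExist":
        # Assumption: "exists" means the Named Operand has at least one value.
        return len(named) > 0
    if objectclass not in PAIR_TESTS:
        raise ValueError("not a string condition class: " + objectclass)
    if objectclass in CASE_FLAG_REQUIRED:
        if ignore_case is None:
            raise ValueError(objectclass + " MUST carry lsbCompareStrIgnoreCase")
        if ignore_case:
            # Assumption: case is ignored by casefolding both sides.
            named = [v.casefold() for v in named]
            comparison = [v.casefold() for v in comparison]
    test = PAIR_TESTS[objectclass]
    # Iterate over all values; one satisfying pair makes the condition TRUE.
    return any(test(n, c) for n, c in product(named, comparison))


def satisfied_classes(named, comparison, ignore_case):
    """List every pairwise string condition that holds for the operands."""
    return sorted(oc for oc in PAIR_TESTS
                  if evaluate(oc, named, comparison, ignore_case))
```

With Named Operand values alice and zed compared against mallory, the GreaterThan and LessThan conditions are both TRUE, so a rulebase cannot treat them as mutually exclusive once an operand is multivalued.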
3.3.1.2. Integer Comparison Operations
3.3.1.2.1. Integer Equality Comparison
objectclass ( OID-OC.13
NAME 'lsbConditionIntEQ'
DESC 'Specifies comparison according to the semantic of
"equal". The Named Operand is evaluated for "equal" with
respect to the Comparison Operand. When the Named Operand
and/or Comparison Operand is multivalued, if one comparison
operation of any pair of operands satisfies the comparison
operation, the condition evaluates as TRUE.'
SUP lsbCondition
MUST ( lsbOperandNamedInt )
MAY ( lsbOperandSpecInt $ lsbOperandValueLDAPURLInt $
lsbOperandDynInt )
AUXILIARY
)
3.3.1.2.2. Integer GreaterThan Comparison
objectclass ( OID-OC.14
NAME 'lsbConditionIntGT'
DESC 'Specifies comparison according to the semantic
of "greaterThan". The Named Operand is evaluated for
"greaterThan" with respect to the Comparison Operand. When
the Named Operand and/or Comparison Operand is multivalued,
if one comparison operation of any pair of operands satisfies
the comparison operation, the condition evaluates as TRUE.'
SUP lsbCondition
MUST ( lsbOperandNamedInt )
MAY ( lsbOperandSpecInt $ lsbOperandValueLDAPURLInt $
lsbOperandDynInt )
AUXILIARY
)
3.3.1.2.3. Integer LessThan Comparison
objectclass ( OID-OC.15
NAME 'lsbConditionIntLT'
DESC 'Specifies comparison according to the semantic of
"lessThan". The Named Operand is evaluated for "lessThan"
with respect to the Comparison Operand. When the Named Operand
and/or Comparison Operand is multivalued, if one comparison
operation of any pair of operands satisfies the comparison
operation, the condition evaluates as TRUE.'
SUP lsbCondition
MUST ( lsbOperandNamedInt )
MAY ( lsbOperandSpecInt $ lsbOperandValueLDAPURLInt $
lsbOperandDynInt )
AUXILIARY
)
3.3.1.2.4. Integer Exists Comparison
objectclass ( OID-OC.16
NAME 'lsbConditionIntExist'
DESC 'Specifies comparison according to the semantic of
"exists". The Named Operand is evaluated for "exists".'
SUP lsbCondition
MUST ( lsbOperandNamedInt )
AUXILIARY
)
3.3.1.3. Float Comparison Operations
3.3.1.3.1. Float Equality Comparison
objectclass ( OID-OC.17
NAME 'lsbConditionFloatEQ'
DESC 'Specifies comparison according to the semantic of
"equal". The Named Operand is evaluated for "equal" with
respect to the Comparison Operand. When the Named Operand
and/or Comparison Operand is multivalued, if one comparison
operation of any pair of operands satisfies the comparison
operation, the condition evaluates as TRUE.'
SUP lsbCondition
MUST ( lsbOperandNamedFloat )
MAY ( lsbOperandSpecFloat $ lsbOperandValueLDAPURLFloat $
lsbOperandDynFloat )
AUXILIARY
)
3.3.1.3.2. Float GreaterThan Comparison
objectclass ( OID-OC.18
NAME 'lsbConditionFloatGT'
DESC 'Specifies comparison according to the semantic
of "greaterThan". The Named Operand is evaluated for
"greaterThan" with respect to the Comparison Operand. When
the Named Operand and/or Comparison Operand is multivalued,
if one comparison operation of any pair of operands satisfies
the comparison operation, the condition evaluates as TRUE.'
SUP lsbCondition
MUST ( lsbOperandNamedFloat )
MAY ( lsbOperandSpecFloat $ lsbOperandValueLDAPURLFloat $
lsbOperandDynFloat )
AUXILIARY
)
3.3.1.3.3. Float LessThan Comparison
objectclass ( OID-OC.19
NAME 'lsbConditionFloatLT'
DESC 'Specifies comparison according to the semantic of
"lessThan". The Named Operand is evaluated for "lessThan"
with respect to the Comparison Operand. When the Named Operand
and/or Comparison Operand is multivalued, if one comparison
operation of any pair of operands satisfies the comparison
operation, the condition evaluates as TRUE.'
SUP lsbCondition
MUST ( lsbOperandNamedFloat )
MAY ( lsbOperandSpecFloat $ lsbOperandValueLDAPURLFloat $
lsbOperandDynFloat )
AUXILIARY
)
3.3.1.3.4. Float Exists Comparison
objectclass ( OID-OC.20
NAME 'lsbConditionFloatExist'
DESC 'Specifies comparison according to the semantic of
"exists". The Named Operand is evaluated for "exists".'
SUP lsbCondition
MUST ( lsbOperandNamedFloat )
AUXILIARY
)
3.3.1.4. Boolean Comparison Operations
3.3.1.4.1. Boolean Equality Comparison
objectclass ( OID-OC.21
NAME 'lsbConditionBoolEQ'
DESC 'Specifies comparison according to the semantic of
"equal". The Named Operand is evaluated for "equal" with
respect to the Comparison Operand. A boolean Named Operand
should never be multivalued. Neither should the Comparison
Operand.'
SUP lsbCondition
MUST ( lsbOperandNamedBool )
MAY ( lsbOperandSpecBool $ lsbOperandValueLDAPURLBool $
lsbOperandDynBool )
AUXILIARY
)
3.3.1.5. BitString Comparison Operations
3.3.1.5.1. Bit Value Equality Comparison
objectclass ( OID-OC.22
NAME 'lsbConditionBitEQ'
DESC 'Specifies comparison according to the semantic of
"equal". The Named Operand is evaluated for mathematically
"equal" with respect to the Comparison Operand. When the
Named Operand and/or Comparison Operand is multivalued, if
one comparison operation of any pair of operands satisfies
the comparison operation, the condition evaluates as TRUE.'
SUP lsbCondition
MUST ( lsbOperandNamedBitStr )
MAY ( lsbOperandSpecBitStr $ lsbOperandValueLDAPURLBitStr $
lsbOperandDynBitStr )
AUXILIARY
)
3.3.1.5.2. Bit Value GreaterThan Comparison
objectclass ( OID-OC.23
NAME 'lsbConditionBitGT'
DESC 'Specifies comparison according to the semantic
of "greaterThan". The Named Operand is evaluated for
mathematically "greaterThan" with respect to the Comparison
Operand. When the Named Operand and/or Comparison Operand
is multivalued, if one comparison operation of any pair of
operands satisfies the comparison operation, the condition
evaluates as TRUE.'
SUP lsbCondition
MUST ( lsbOperandNamedBitStr )
MAY ( lsbOperandSpecBitStr $ lsbOperandValueLDAPURLBitStr $
lsbOperandDynBitStr )
AUXILIARY
)
3.3.1.5.3. Bit Value LessThan Comparison
objectclass ( OID-OC.24
NAME 'lsbConditionBitLT'
DESC 'Specifies comparison according to the semantic of
"lessThan". The Named Operand is evaluated for mathematically
"lessThan" with respect to the Comparison Operand. When the
Named Operand and/or Comparison Operand is multivalued, if
one comparison operation of any pair of operands satisfies
the comparison operation, the condition evaluates as TRUE.'
SUP lsbCondition
MUST ( lsbOperandNamedBitStr )
MAY ( lsbOperandSpecBitStr $ lsbOperandValueLDAPURLBitStr $
lsbOperandDynBitStr )
AUXILIARY
)
3.3.1.5.4. BitString Exists Comparison
objectclass ( OID-OC.25
NAME 'lsbConditionBitExist'
DESC 'Specifies comparison according to the semantic of
"exists". The Named Operand is evaluated for "exists".'
SUP lsbCondition
MUST ( lsbOperandNamedBitStr )
AUXILIARY
)
3.3.1.6. Delegated Comparison Operations
3.3.1.6.1. Delegation to Distributed Object
objectclass ( OID-OC.30
NAME 'lsbConditionObjRef'
DESC 'This lsbCondition type delegates the comparison
operation to a distributed object. Use this when [1]
the comparison operation cannot be defined using other
lsbCondition types due to complexity or information domain
uniqueness, or [2] the comparison operation is computationally
infeasible or otherwise inappropriate for computation by
a general purpose PDP. The PDP is responsible for
providing the distributed object with the operands of the
condition. The PDP might optionally provide the distributed
object with other information it received from the PEP,
information assigned via computation of lsbActions, and
more. The distributed object is responsible for returning
a boolean result, which the PDP interprets as the value of
the comparison operation. The identity of the distributed
object is defined by including attribute/value pairs defined
by RFC 2713 or RFC 2714.'
SUP lsbCondition
MAY ( lsbOperandNamedStr $ lsbOperandNamedInt $
lsbOperandNamedFloat $ lsbOperandNamedBitStr $
lsbOperandNamedBool $ lsbOperandNamedOctStr $
lsbOperandSpecStr $ lsbOperandSpecInt $
lsbOperandSpecFloat $ lsbOperandSpecBool $
lsbOperandSpecBitStr $ lsbOperandSpecOctStr $
lsbOperandValueLDAPURLStr $ lsbOperandValueLDAPURLInt $
lsbOperandValueLDAPURLFloat $ lsbOperandValueLDAPURLBitStr $
lsbOperandValueLDAPURLBool $ lsbOperandValueLDAPURLOctStr $
lsbOperandDynStr $ lsbOperandDynInt $
lsbOperandDynFloat $ lsbOperandDynBitStr $
lsbOperandDynBool $ lsbOperandDynOctStr $
lsbCompareStrIgnoreCase )
AUXILIARY
)
3.3.2. LSBPRC Action Components
3.3.2.1. String Assignment Operations
3.3.2.1.1. String Assignment
objectclass ( OID-OC.31
NAME 'lsbActionStrEQ'
DESC 'Specifies value assignment according to the semantic
of "Equal". The value of the Named Operand is assigned or
modified by "Equal" with respect to the specified Assignment
Operand.'
SUP lsbAction
MUST ( lsbOperandNamedStr $ lsbActionAssignmentMode )
MAY ( lsbOperandSpecStr $ lsbOperandValueLDAPURLStr $
lsbOperandDynStr )
AUXILIARY
)
3.3.2.1.2. String Concatenation Assignment
objectclass ( OID-OC.32
NAME 'lsbActionStrCat'
DESC 'Specifies value assignment according to the semantic of
"STRing conCATenization". The value of the Named Operand is
modified by appending the Assignment Operand.'
SUP lsbAction
MUST ( lsbOperandNamedStr $ lsbActionAssignmentMode )
MAY ( lsbOperandSpecStr $ lsbOperandValueLDAPURLStr $
lsbOperandDynStr $ lsbStrCatDelim )
AUXILIARY
)
3.3.2.2. Integer Assignment Operations
3.3.2.2.1. Integer Assignment
objectclass ( OID-OC.33
NAME 'lsbActionIntEQ'
DESC 'Specifies value assignment according to the semantic
of "Equal". The value of the Named Operand is assigned or
modified by "Equal" with respect to the Assignment Operand.'
SUP lsbAction
MUST ( lsbOperandNamedInt $ lsbActionAssignmentMode )
MAY ( lsbOperandSpecInt $ lsbOperandValueLDAPURLInt $
lsbOperandDynInt )
AUXILIARY
)
3.3.2.2.2. Integer PlusEquals Assignment
objectclass ( OID-OC.34
NAME 'lsbActionIntPlusEQ'
DESC 'Specifies value assignment according to the semantic
of "PlusEqual". The value of the Named Operand is assigned
or modified by "PlusEqual" with respect to the Assignment
Operand.'
SUP lsbAction
MUST ( lsbOperandNamedInt $ lsbActionAssignmentMode )
MAY ( lsbOperandSpecInt $ lsbOperandValueLDAPURLInt $
lsbOperandDynInt )
AUXILIARY
)
3.3.2.2.3. Integer MinusEquals Assignment
objectclass ( OID-OC.35
NAME 'lsbActionIntMinusEQ'
DESC 'Specifies value assignment according to the semantic
of "MinusEqual". The value of the Named Operand is assigned
or modified by "MinusEqual" with respect to the Assignment
Operand.'
SUP lsbAction
MUST ( lsbOperandNamedInt $ lsbActionAssignmentMode )
MAY ( lsbOperandSpecInt $ lsbOperandValueLDAPURLInt $
lsbOperandDynInt )
AUXILIARY
)
3.3.2.2.4. Integer MultEquals Assignment
objectclass ( OID-OC.36
NAME 'lsbActionIntMultEQ'
DESC 'Specifies value assignment according to the semantic
of "MultEqual". The value of the Named Operand is assigned
or modified by "MultEqual" with respect to the Assignment
Operand.'
SUP lsbAction
MUST ( lsbOperandNamedInt $ lsbActionAssignmentMode )
MAY ( lsbOperandSpecInt $ lsbOperandValueLDAPURLInt $
lsbOperandDynInt )
AUXILIARY
)
3.3.2.2.5. Integer DivEquals Assignment
objectclass ( OID-OC.37
NAME 'lsbActionIntDivEQ'
DESC 'Specifies value assignment according to the semantic
of "DivEqual". The value of the Named Operand is assigned
or modified by "DivEqual" with respect to the Assignment
Operand.'
SUP lsbAction
MUST ( lsbOperandNamedInt $ lsbActionAssignmentMode )
MAY ( lsbOperandSpecInt $ lsbOperandValueLDAPURLInt $
lsbOperandDynInt )
AUXILIARY
)
3.3.2.2.6. Integer ModuloEquals Assignment
objectclass ( OID-OC.38
NAME 'lsbActionIntModuloEQ'
DESC 'Specifies value assignment according to the semantic of
"ModuloEqual". The value of the Named Operand is assigned
the value of NamedOperand modulo AssignmentOperand.'
SUP lsbAction
MUST ( lsbOperandNamedInt $ lsbActionAssignmentMode )
MAY ( lsbOperandSpecInt $ lsbOperandValueLDAPURLInt $
lsbOperandDynInt )
AUXILIARY
)
3.3.2.3. Float Assignment Operations
3.3.2.3.1. Float Assignment
objectclass ( OID-OC.39
NAME 'lsbActionFloatEQ'
DESC 'Specifies value assignment according to the semantic
of "Equal". The value of the Named Operand is assigned or
modified by "Equal" with respect to the specified Assignment
Operand.'
SUP lsbAction
MUST ( lsbOperandNamedFloat $ lsbActionAssignmentMode )
MAY ( lsbOperandSpecFloat $ lsbOperandValueLDAPURLFloat $
lsbOperandDynFloat )
AUXILIARY
)
3.3.2.3.2. Float PlusEquals Assignment
objectclass ( OID-OC.40
NAME 'lsbActionFloatPlusEQ'
DESC 'Specifies value assignment according to the semantic
of "PlusEqual". The value of the Named Operand is assigned
or modified by "PlusEqual" with respect to the Assignment
Operand.'
SUP lsbAction
MUST ( lsbOperandNamedFloat $ lsbActionAssignmentMode )
MAY ( lsbOperandSpecFloat $ lsbOperandValueLDAPURLFloat $
lsbOperandDynFloat )
AUXILIARY
)
3.3.2.3.3. Float MinusEquals Assignment
objectclass ( OID-OC.41
NAME 'lsbActionFloatMinusEQ'
DESC 'Specifies value assignment according to the semantic
of "MinusEqual". The value of the Named Operand is assigned
or modified by "MinusEqual" with respect to the Assignment
Operand.'
SUP lsbAction
MUST ( lsbOperandNamedFloat $ lsbActionAssignmentMode )
MAY ( lsbOperandSpecFloat $ lsbOperandValueLDAPURLFloat $
lsbOperandDynFloat )
AUXILIARY
)
3.3.2.3.4. Float MultEquals Assignment
objectclass ( OID-OC.42
NAME 'lsbActionFloatMultEQ'
DESC 'Specifies value assignment according to the semantic
of "MultEqual". The value of the Named Operand is assigned
or modified by "MultEqual" with respect to the Assignment
Operand.'
SUP lsbAction
MUST ( lsbOperandNamedFloat $ lsbActionAssignmentMode )
MAY ( lsbOperandSpecFloat $ lsbOperandValueLDAPURLFloat $
lsbOperandDynFloat )
AUXILIARY
)
3.3.2.3.5. Float DivEquals Assignment
objectclass ( OID-OC.43
NAME 'lsbActionFloatDivEQ'
DESC 'Specifies value assignment according to the semantic
of "DivEqual". The value of the Named Operand is assigned
or modified by "DivEqual" with respect to the Assignment
Operand.'
SUP lsbAction
MUST ( lsbOperandNamedFloat $ lsbActionAssignmentMode )
MAY ( lsbOperandSpecFloat $ lsbOperandValueLDAPURLFloat $
lsbOperandDynFloat )
AUXILIARY
)
3.3.2.3.6. Float ModuloEquals Assignment
objectclass ( OID-OC.44
NAME 'lsbActionFloatModuloEQ'
DESC 'Specifies value assignment according to the semantic of
"ModuloEqual". The value of the Named Operand is assigned
the value of NamedOperand modulo AssignmentOperand.'
SUP lsbAction
MUST ( lsbOperandNamedFloat $ lsbActionAssignmentMode )
MAY ( lsbOperandSpecFloat $ lsbOperandValueLDAPURLFloat $
lsbOperandDynFloat )
AUXILIARY
)
3.3.2.4. Boolean Assignment Operations
3.3.2.4.1. Boolean Assignment
objectclass ( OID-OC.45
NAME 'lsbActionBoolEQ'
DESC 'Specifies value assignment according to the semantic
of "Equal". The value of the Named Operand is assigned or
modified by "Equal" with respect to the specified Assignment
Operand. A boolean Named Operand should never be multivalued.'
SUP lsbAction
MUST ( lsbOperandNamedBool $ lsbActionAssignmentMode )
MAY ( lsbOperandSpecBool $ lsbOperandValueLDAPURLBool $
lsbOperandDynBool )
AUXILIARY
)
3.3.2.5. BitString Assignment Operations
3.3.2.5.1. Bitwise Shift Left Assignment
objectclass ( OID-OC.46
NAME 'lsbActionBitShiftL'
DESC 'Specifies value assignment according to the semantic of
"ShiftLeftBy". The value of the Named Operand is assigned
the value of NamedOperand ShiftLeftBy AssignmentOperand.'
SUP lsbAction
MUST ( lsbOperandNamedBitStr $ lsbActionAssignmentMode )
MAY ( lsbOperandSpecInt $ lsbOperandValueLDAPURLInt $
lsbOperandDynInt )
AUXILIARY
)
3.3.2.5.2. Bitwise Shift Right Assignment
objectclass ( OID-OC.47
NAME 'lsbActionBitShiftR'
DESC 'Specifies value assignment according to the semantic of
"ShiftRightBy". The value of the Named Operand is assigned
the value of NamedOperand ShiftRightBy AssignmentOperand.'
SUP lsbAction
MUST ( lsbOperandNamedBitStr $ lsbActionAssignmentMode )
MAY ( lsbOperandSpecInt $ lsbOperandValueLDAPURLInt $
lsbOperandDynInt )
AUXILIARY
)
3.3.2.5.3. Bitwise Shift Right Zero-fill Assignment
objectclass ( OID-OC.48
NAME 'lsbActionBitShiftRZf'
DESC 'Specifies value assignment according to the semantic
of "ShiftRightByAndZero-fill". The value of the Named
Operand is assigned the value of NamedOperand ShiftRightBy
AssignmentOperand. The displaced positions to the left of the
original bitstring are filled with zeroes, so the new string
has the same number of bits as the initial string.'
SUP lsbAction
MUST ( lsbOperandNamedBitStr $ lsbActionAssignmentMode )
MAY ( lsbOperandSpecInt $ lsbOperandValueLDAPURLInt $
lsbOperandDynInt )
AUXILIARY
)
3.3.2.5.4. Bitwise AND Assignment
objectclass ( OID-OC.49
NAME 'lsbActionBitAND'
DESC 'Specifies value assignment according to the semantic of
"ANDwith". The value of the Named Operand is assigned
the value of NamedOperand ANDwith AssignmentOperand.'
SUP lsbAction
MUST ( lsbOperandNamedBitStr $ lsbActionAssignmentMode )
MAY ( lsbOperandSpecBitStr $ lsbOperandValueLDAPURLBitStr $
lsbOperandDynBitStr )
AUXILIARY
)
3.3.2.5.5. Bitwise OR Assignment
objectclass ( OID-OC.50
NAME 'lsbActionBitOR'
DESC 'Specifies value assignment according to the semantic of
"ORwith". The value of the Named Operand is assigned
the value of NamedOperand ORwith AssignmentOperand.'
SUP lsbAction
MUST ( lsbOperandNamedBitStr $ lsbActionAssignmentMode )
MAY ( lsbOperandSpecBitStr $ lsbOperandValueLDAPURLBitStr $
lsbOperandDynBitStr )
AUXILIARY
)
3.3.2.5.6. Bitwise XOR Assignment
objectclass ( OID-OC.51
NAME 'lsbActionBitXOR'
DESC 'Specifies value assignment according to the semantic of
"XORwith". The value of the Named Operand is assigned
the value of NamedOperand XORwith AssignmentOperand.'
SUP lsbAction
MUST ( lsbOperandNamedBitStr $ lsbActionAssignmentMode )
MAY ( lsbOperandSpecBitStr $ lsbOperandValueLDAPURLBitStr $
lsbOperandDynBitStr )
AUXILIARY
)
3.3.2.5.7. Bitwise OnesComplement Assignment
objectclass ( OID-OC.52
NAME 'lsbActionBitOnesComp'
DESC 'Specifies value assignment according to the semantic of
"OnesComplement". In the absence of an Assignment Operand,
the value of the Named Operand is assigned the "OnesComplement"
of itself. When an Assignment Operand is specified, the Named
Operand is assigned the value of "OnesComplement" of the
Assignment Operand.'
SUP lsbAction
MUST ( lsbOperandNamedBitStr )
MAY ( lsbOperandSpecBitStr $ lsbOperandValueLDAPURLBitStr $
lsbOperandDynBitStr )
AUXILIARY
)
3.3.2.6. Delegated Assignment Operations
3.3.2.6.1. Delegation to Distributed Object
objectclass ( OID-OC.53
NAME 'lsbActionObjRef'
DESC 'This lsbAction type delegates the assignment operation
to a distributed object. Use this when [1] the assignment
operation cannot be defined using other lsbAction types
due to complexity or information domain uniqueness, or [2]
the assignment operation is computationally infeasible
or otherwise inappropriate for computation by a general
purpose PDP. The PDP is responsible for providing the
distributed object with the operands of the action. The PDP
might optionally provide the distributed object with other
information it received from the PEP, information assigned via
computation of lsbActions, and more. The distributed object is
responsible for returning a value, which the PDP interprets as
the value to be assigned to the Named Operand. The identity of
the distributed object is defined by including attribute/value
pairs defined by RFC 2713 or RFC 2714.'
SUP lsbAction
MUST ( lsbActionAssignmentMode )
MAY ( lsbOperandNamedStr $ lsbOperandNamedInt $
lsbOperandNamedFloat $ lsbOperandNamedBitStr $
lsbOperandNamedBool $ lsbOperandNamedOctStr $
lsbOperandSpecStr $ lsbOperandSpecInt $
lsbOperandSpecFloat $ lsbOperandSpecBool $
lsbOperandSpecBitStr $ lsbOperandSpecOctStr $
lsbOperandValueLDAPURLStr $ lsbOperandValueLDAPURLInt $
lsbOperandValueLDAPURLFloat $ lsbOperandValueLDAPURLBitStr $
lsbOperandValueLDAPURLBool $ lsbOperandValueLDAPURLOctStr $
lsbOperandDynStr $ lsbOperandDynInt $
lsbOperandDynFloat $ lsbOperandDynBitStr $
lsbOperandDynBool $ lsbOperandDynOctStr $
lsbStrCatDelim )
AUXILIARY
)
3.3.2.7. Delegated Action to Computing Resource
3.3.2.7.1. Delegation to Distributed Object
See 3.3.2.6.1. The distributed object may perform any activity which
fulfills the rule's requirement for "action".
3.3.3. LSBPRC Policy Alias
objectclass ( OID-OC.54
NAME 'lsbPolicyAlias'
DESC 'Use this alias subtype for aliasing any Policy
subtype. Instances shall also be members of the classes
pcimPolicy and pcimElementAuxClass. As appropriate,
instances shall also be members of other more specific Policy
classes, such as the various Policy AuxClasses and their
supertypes. commonName or cn is used as the naming attribute.'
SUP alias STRUCTURAL
MUST cn
)
4. Security Considerations
LSBPRC is not intended to represent any particular system design or
implementation. LSBPRC is directly usable in a real world system, but
only with application-specific mappings of data to instances of
LSBPRC-defined objectclasses and attributetypes.
Applications and systems which use LSBPRC must define their own
specific security considerations.
LSBPRC is not representative of any real-world system because its
object classes are designed to be independent of any specific
discipline or policy domain.
Even though application-specific security requirements are not
appropriate for LSBPRC, specific security requirements MUST be defined
for each operational real-world application of LSBPRC. Just as there
will be a wide range of operational, real-world systems using LSBPRC,
there will also be a wide range of security requirements for these
systems. Some operational, real-world systems that are deployed using
LSBPRC may have extensive security requirements that impact nearly all
object classes utilized by such a system, while other systems'
security requirements might have very little impact.
The applications discussed above will create the context for applying
operational, real-world, system-level security requirements against
the various implementations of LSBPRC.
In some real-world scenarios, the values associated with certain
properties, within certain instantiated object classes, may represent
information associated with scarce, and/or costly (and therefore
valuable) resources. It may be the case that these values must not be
disclosed to, or manipulated by, unauthorized parties.
Since this document forms the basis for the representation of a policy
data model in a specific format (an LDAP-accessible directory), it is
herein appropriate to reference the data model-specific tools and
mechanisms that are available for achieving the authentication and
authorization implicit in a requirement that restricts read and/or
read-write access to these values stored in a directory.
General LDAP security considerations apply, as documented in RFC3377
[3]. LDAP-specific authentication and authorization tools and
mechanisms are found in the following standards track documents, which
are appropriate for application to the management of security applied
to policy data models stored in an LDAP-accessible directory:
- RFC 2829 (Authentication Methods for LDAP) [15]
- RFC 2830 (Lightweight Directory Access Protocol (v3): Extension
for Transport Layer Security) [16]
5. Intellectual Property
The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to pertain
to the implementation or use of the technology described in this
document or the extent to which any license under such rights might or
might not be available; neither does it represent that it has made any
effort to identify any such rights. Information on the IETF's
procedures with respect to rights in standards-track and standards-
related documentation can be found in BCP-11.
Copies of claims of rights made available for publication and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this specification
can be obtained from the IETF Secretariat.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights which may cover technology that may be required to practice
this standard. Please address the information to the IETF Executive
Director.
6. Acknowledgements
The "Security Considerations" section of this document is lifted, with
thanks, from [2]. It is edited only lightly for use in this
document.
7. References
[1] Moore, B., and E. Ellesson, J. Strassner, A. Westerinen "Policy
Core Information Model -- Version 1 Specification", RFC 3060,
February 2001.
[2] Strassner, J., and B. Moore, R. Moats, E. Ellesson "Policy
Core LDAP Schema", draft-ietf-policy-core-schema-16.txt, a
Work in Progress of the IETF Policy Framework Working Group,
October 2002.
[3] Hodges, J., and Morgan R., "Lightweight Directory Access
Protocol (v3): Technical Specification", RFC3377, September
2002.
[4] ITU-T Rec. X.500, "The Directory: Overview of Concepts,
Models and Service", 1993.
[5] ITU-T Rec. X.501, "The Directory: Models", 1993.
[6] Hluck, MAJ George, "Expert Systems Tutorial",
http://carlisle-www.army.mil/usacsl/divisions/std/branches/keg/expert/es.htm
[7] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.
[8] Howes, T., and M. Smith, "The LDAP URL Format", RFC 2255,
December 1997.
[9] Kernighan, Brian W., and Dennis M. Ritchie, "The C Programming
Language, Second Edition" Prentice Hall, Inc., 1988.
ISBN 0-13-110362-8 (paperback), 0-13-110370-9 (hardback).
[10] Ken Arnold, James Gosling, David Holmes "The Java(tm)
Programming Language," Third Edition, ISBN 0-201-70433-1.
[11] Standard ECMA-262, ECMAScript Language Specification
http://www.ecma.ch/ecma1/STAND/ECMA-262.HTM
[12] The Object Management Group, "Common Object Request
Broker Architecture Specification 3.01," http://www.omg.org
[13] Ryan, V., and S. Seligman, R. Lee, "Schema for Representing
Java(tm) Objects in an LDAP Directory", RFC 2713, October 1999.
[14] Ryan, V., and R. Lee, S. Seligman, "Schema for Representing
CORBA Object References in an LDAP Directory", RFC 2714,
October 1999.
[15] M. Wahl, H. Alvestrand, J. Hodges, R. Morgan, "Authentication
Methods for LDAP", RFC 2829, May 2000.
[16] J. Hodges, R. Morgan, M. Wahl, "Lightweight Directory Access
Protocol (v3): Extension for Transport Layer Security", RFC
2830, May 2000.
8. Author's Address
Larry Bartz
Internal Revenue Service
575 N. Pennsylvania Street
Indianapolis, IN 46204
USA
Phone: +1 317 226-7060
Email: larry.bartz@irs.gov
9. Full Copyright Statement
Copyright (C) The Internet Society (2002). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published and
distributed, in whole or in part, without restriction of any kind,
provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of developing
Internet standards in which case the procedures for copyrights defined
in the Internet Standards process must be followed, or as required to
translate it into languages other than English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT
NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN
WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
This Internet Draft Expires June, 2003