Inadequate identification of LDAP attributes

[Steven Legg <steven.legg@enitiatives.com.au>]

The method for forming XACML attribute identifiers for LDAP attributes (and by
association, X.500 attributes) described in Appendix B.4 of the XACML 3.0 core
specification is neither unique nor complete.

The method is incomplete in that it only covers directory attributes that are
defined in RFCs. The most commonly used directory attributes are defined in
RFCs, but a great many attributes are defined in the specifications of other
standards bodies such as ISO and the ITU-T, in industry profiles, in vendor
documentation, or simply in the schema configuration of directories deployed
in user organizations. In the case of my LDAP & X.500 implementation, less than
half of the built-in directory attributes are defined in an RFC. What
XACML identifiers should the majority be given ?

The method is not unique in that many of the attributes defined in an RFC are
defined in more than one RFC. For instance, most of the directory attributes
defined in RFC 2256 are also defined in RFC 4519, which obsoletes RFC 2256.
Which RFC is definitive ? Directory attributes are also permitted to have
more than one name, which is another source of non-uniqueness.

One thing that is true of every well-defined directory attribute is that it
has a globally unique object identifier. This, in the form of an OID URN (RFC
3061), is what the SAML X.500/LDAP Attribute Profile uses to identify directory
attributes. XACML should do the same. For example,
"http://www.ietf.org/rfc/rfc2256.txt#userPassword"; would be replaced by
"urn:oid:2.5.4.35".

By the way, the current normative reference for LDAP is RFC 4510.

Regards,
Steven