[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: ACL draft: specify credentials (and Weltman proxy draft)
Hi Ellen,
One difference with the Weltman draft is that the proxy-control is
specified with each LDAP operation, not just at the bind time as the
specify-credentials control is.
This per-operation control behaviour is useful for proxying servers as they
can serve multiple clients on the same LDAP connection.
Rob.
Ellen Stokes wrote:
> The 2 drafts are similar but different. The Weltman draft
> specifies the proxy as a LDAPDN. The access control model draft
> talks about the ability to send only the credential, e.g. privilege
> certificate, not the ability to say use this other DN. What the
> server does with credential (e.g. trust it, validate it, reject it)
> is server defined (there's a section in the model that addresses
> this point.
>
> The Weltman draft is currently an individual submission. So the
> question is should we combine the 2 drafts, should we remove the
> specify credentials - perhaps moving it to the Weltman draft, or
> something else or some conbination?
>
> Thoughts?
>
> Ellen
>
> At 11:45 AM 10/28/1999 +0200, Rob Byrne - Sun Microsystems wrote:
> >
> >Hi Debbie,
> >
> >A couple of things on the "specify credentials" control.
> >
> >1. There is (was ?) a draft from Rob Weltman for what he calls a "proxy
> >control" (draft-weltman-ldapv3-proxy-02.txt). There seems to be some
> >overlap here.
> >
> >2. How will the access control model determine whether a user has the
> >right to proxy or not ie. use the "specify credentials control" ?
> >
> >Rob.
> >--iPlanet Directory Group
> >