
Re: New draft on knowledge references in LDAP



Hi Alan,

> All very good - but what about systems where one has to authenticate the
> users.. and the referred to servers have to know all the users through their
> directory entries. The ...

Admittedly, this is a problem that the draft does not even try to solve.
 
> Therefore for LDAP referrals to work at all in this type of system the
> knowledge of the servers must be "public" to any user of the system.
..snip..
> I think the security considerations should say...Because distributed mutual
> authentication is not possible with LDAP servers - the referral knowledge
> must always be public.

I don't agree.

I can see usages where an organization would like to keep some
references hidden from the anonymous user, but accessible for
users that are authenticated.
Worth noting in this case is that for some usages several users might
be allowed to authenticate as the same entry and that therefore the
amount of information that has to be replicated between cooperating
servers is rather limited.

-- Roland
------------------------------------------------
Roland Hedberg      phone     : +47 23 08 29 96
Dalsveien 53        mobile(NO): +47 90 66 44 52
No-0775 Oslo        mobile(SE): +46 70 520 420 3
Norway