
RE: New draft on knowledge references in LDAP

Comments inline ????

-----Original Message-----
From: Roland Hedberg [mailto:roland@catalogix.ac.se]
Sent: Thursday, July 13, 2000 11:00 PM
To: Lloyd, Alan
Cc: ietf-ldapext@netscape.com
Subject: Re: New draft on knowledge references in LDAP 

Hi Alan,

> All very good - but what about systems where one has to authenticate the
> users.. and the referred to servers have to know all the users through
> directory entries. The ...

Admittedly, this is a problem that the draft does not even try to solve.

Alan: yet below you say this is not a problem when it is???
> Therefore for LDAP referrals to work at all in this type of system the
> knowledge of the servers must be "public" to any user of the system.
> I think the security considerations should say...Because distributed
> authentication is not possible with LDAP servers - the referral knowledge
> must always be public.

I don't agree.

Alan: logic error warning...

I can see usages where an organization would like to keep some
references hidden from the anonymous user, but accessible for
users that are authenticated. 

Alan: Therefore - the referral is not public, therefore it does not exist in
this context. As said, for a referral to exist it needs to be public if the
user needs to use it, and if the user does use it - they will be public anon
on the referred server - However, if the user is authenticated on this
server to get a referral to another server, then a) he is anon on that
server or b) their information is replicated to that server so they can be
authenticated. And if they are replicated why have a referral - and one needs
authentication on one server to get a referral to a public server where one is
not authenticated - why would I do that???

Worth noting in this case is that for some usages several users might 
be allowed to authenticate as the same entry and that therefore the 
amount of information that has to be replicated between cooperating 
servers is rather limited.

Alan: Interesting - I deal with systems targeting 300m users... we don't have this
problem or even need to think about managing that with X.500 -

My belief - once you replicate - you create a security issue and an
operational cost. It's best to buy the technology that removes the problems
rather than systems that create a minefield of operational problems and poor
security, eh!

Regards as always, Alan
-- Roland
Roland Hedberg      phone     : +47 23 08 29 96
Dalsveien 53        mobile(NO): +47 90 66 44 52
No-0775 Oslo        mobile(SE): +46 70 520 420 3