[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: ACM permission

To: "Skovgaard, Erik" <Erik.Skovgaard@icn.siemens.com>
Subject: RE: ACM permission
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Mon, 09 Jul 2001 13:17:09 -0700
Cc: "'Mark Davidson'" <markd@pwd.hp.com>, ietf-ldapext@netscape.com
In-reply-to: <EA78B62757AF1E4799828249310AC4CAB50A75@stca206a>

At 09:25 AM 7/9/2001, Skovgaard, Erik wrote:
>That would be a problem.  A lot of us still use the userPassword for
>authentication.  It must be possible to protect the password (including
>performing filter matching) yet be able to use the compare operation on the
>attribute.

I'm not sure how permissions for compare relate to authentication.
The only operation which performs LDAP authentication is the
bind and its not controlled, per the I-D, by any permissions.

This said, I support having separate "assert" (compare/search
filter) permissions from read permissions as it is often useful
to allow one to assert a value but not allow them to read all
values.  The example (which I believe someone else gave) is
that there may a group where one is allowed to assert that
an entity is a member but not allowed to see the member list.

Kurt

Follow-Ups:
- RE: ACM permission
  - From: Bruce Greenblatt <bgreenblatt@directory-applications.com>
- Re: ACM permission
  - From: Joachim Gjesdal <joachim.gjesdal@ecomda.de>

References:
- RE: ACM permission
  - From: "Skovgaard, Erik" <Erik.Skovgaard@icn.siemens.com>

Prev by Date: [no subject]
Next by Date: RE: ACM permission
Index(es):
- Chronological
- Thread