
RE: ACM permission



At 01:17 PM 7/9/01 -0700, Kurt D. Zeilenga wrote:
At 09:25 AM 7/9/2001, Skovgaard, Erik wrote:
>That would be a problem.  A lot of us still use the userPassword for
>authentication.  It must be possible to protect the password (including
>performing filter matching) yet be able to use the compare operation on the
>attribute.

I'm not sure how permissions for compare relate to authentication.
The only operation which performs LDAP authentication is the
bind and it's not controlled, per the I-D, by any permissions.

I think that what Erik is saying is that many applications leverage LDAP for their own authentication. When a user tries to access that application, then internally the application takes the user-supplied password, and issues an LDAP compare operation to verify the password's correctness. This appears to be a widely used (but primitive) form of "single sign on".


Bruce


==============================================
Bruce Greenblatt, Ph. D.
Directory Tools and Application Services, Inc.
http://www.directory-applications.com