Kurt,

I have applications that use the compare operation on the userPassword for authentication. BTW, a BIND may result in a compare operation if you use chaining on the back end of the server. Has anyone considered that?

Cheers, ....Erik.

Erik Skovgaard
Siemens Meta-Directory Solutions
Phone: +1 604-204-0750
Fax: +1 604-204-0760

-----Original Message-----
From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
Sent: Monday, July 09, 2001 13:17
To: Skovgaard, Erik
Cc: 'Mark Davidson'; ietf-ldapext@netscape.com
Subject: RE: ACM permission

At 09:25 AM 7/9/2001, Skovgaard, Erik wrote:
>That would be a problem. A lot of us still use the userPassword for
>authentication. It must be possible to protect the password (including
>performing filter matching) yet be able to use the compare operation on the
>attribute.

I'm not sure how permissions for compare relate to authentication. The only operation which performs LDAP authentication is the bind and it's not controlled, per the I-D, by any permissions.

This said, I support having separate "assert" (compare/search filter) permissions from read permissions as it is often useful to allow one to assert a value but not allow them to read all values. The example (which I believe someone else gave) is that there may be a group where one is allowed to assert that an entity is a member but not allowed to see the member list.

Kurt