Helmut,

I am working with at least two products that use the compare operation to validate a password. Agreed, that is not the best way, but the point here is that the Directory was certainly intended to support this authentication method and we should not preclude it.

I am not aware of any chained Bind operation, but my latest X.518 document dates back to 1993. Are you telling me that the operation has been added in later versions?

Cheers, ....Erik.

Erik Skovgaard
Siemens Meta-Directory Solutions
Phone: +1 604-204-0750
Fax: +1 604-204-0760

-----Original Message-----
From: Volpers, Helmut [mailto:helmut.volpers@icn.siemens.de]
Sent: Thursday, July 12, 2001 02:13
To: 'Skovgaard, Erik'; 'Kurt D. Zeilenga'
Cc: 'Mark Davidson'; ietf-ldapext@netscape.com
Subject: RE: ACM permission

Hi Erik,

It's not the normal way to use a compare operation on the password for authentication. Why not use the bind and you have no problems with AccessControl.

I am not sure whether you want to make a chained bind, but if you do it, it is a chained bind and not a compare operation on the userPassword.

Helmut

> -----Original Message-----
> From: Skovgaard, Erik [mailto:Erik.Skovgaard@icn.siemens.com]
> Sent: Tuesday, July 10, 2001 23:00
> To: 'Kurt D. Zeilenga'
> Cc: 'Mark Davidson'; ietf-ldapext@netscape.com
> Subject: RE: ACM permission
>
> Kurt,
>
> I have applications that use the compare operation on the userPassword for
> authentication.
>
> BTW, a BIND may result in a compare operation if you use chaining on the
> back end of the server. Has anyone considered that?
>
> Cheers, ....Erik.
>
> Erik Skovgaard
> Siemens Meta-Directory Solutions
> Phone: +1 604-204-0750
> Fax: +1 604-204-0760
>
> -----Original Message-----
> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
> Sent: Monday, July 09, 2001 13:17
> To: Skovgaard, Erik
> Cc: 'Mark Davidson'; ietf-ldapext@netscape.com
> Subject: RE: ACM permission
>
> At 09:25 AM 7/9/2001, Skovgaard, Erik wrote:
> >That would be a problem. A lot of us still use the userPassword for
> >authentication. It must be possible to protect the password (including
> >performing filter matching) yet be able to use the compare operation on the
> >attribute.
>
> I'm not sure how permissions for compare relate to authentication.
> The only operation which performs LDAP authentication is the
> bind and it's not controlled, per the I-D, by any permissions.
>
> This said, I support having separate "assert" (compare/search
> filter) permissions from read permissions as it is often useful
> to allow one to assert a value but not allow them to read all
> values. The example (which I believe someone else gave) is
> that there may be a group where one is allowed to assert that
> an entity is a member but not allowed to see the member list.
>
> Kurt
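The assert-versus-read split Kurt describes, and the password case Erik raises, written out as OpenLDAP slapd access directives. This is an added illustration of the distinction, not configuration from the thread, the ACM I-D or any of the products mentioned; the DNs are made up.

```conf
# Constructed example (OpenLDAP slapd.conf syntax, not the ACM I-D's model).
# OpenLDAP privilege levels nest: none < auth < compare < search < read < write.
# "compare" permits only the Compare operation on the attribute; matching it in
# a search filter needs "search"; returning the value needs "read".

# Password: the owner may change it, anyone may bind against it, nobody reads it.
# "auth" suffices for Bind. An application that validates the password with a
# Compare (Erik's case) needs at least "compare" on userPassword for its own
# identity, which this rule deliberately does not grant to anyone.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Group membership (Kurt's example): authenticated users may assert
# "is X a member?" with a Compare, but only the group owner can list members.
access to dn.exact="cn=admins,ou=groups,dc=example,dc=com" attrs=member
    by dn.exact="cn=group-owner,ou=people,dc=example,dc=com" read
    by users compare
    by * none
```

Because the levels nest, granting "compare" on member lets a caller test one value at a time without ever receiving the member list, which is exactly the separation Kurt is asking the I-D to preserve.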