RE: ACM permission
Hi Erik,
> -----Original Message-----
> From: Skovgaard, Erik [mailto:Erik.Skovgaard@icn.siemens.com]
> Sent: Thursday, 12 July 2001 15:37
> To: Volpers, Helmut; Skovgaard, Erik; 'Kurt D. Zeilenga'
> Cc: 'Mark Davidson'; ietf-ldapext@netscape.com
> Subject: RE: ACM permission
>
>
> Helmut,
>
> I am working with at least two products that use the compare operation to
> validate a password. Agreed, that is not the best way, but the point here
> is that the Directory was certainly intended to support this authentication
> method and we should not preclude it.
I agree that applications use this to validate a password, but I don't think
that any LDAP server handles this as an authentication.
>
> I am not aware of any chained Bind operation, but my latest X.518 document
> dates back to 1993. Are you telling me that the operation has been added in
> later versions?
No. But if you want to use chaining for authentication (which I don't like),
why not do it with a bind instead of a compare?
Helmut
>
> Cheers, ....Erik.
>
> Erik Skovgaard
> Siemens Meta-Directory Solutions
> Phone: +1 604-204-0750
> Fax: +1 604-204-0760
>
> -----Original Message-----
> From: Volpers, Helmut [mailto:helmut.volpers@icn.siemens.de]
> Sent: Thursday, July 12, 2001 02:13
> To: 'Skovgaard, Erik'; 'Kurt D. Zeilenga'
> Cc: 'Mark Davidson'; ietf-ldapext@netscape.com
> Subject: RE: ACM permission
>
>
> Hi Erik,
>
> It's not the normal way to use a compare operation on the password for
> authentication.
> Why not use the bind? Then you have no problems with AccessControl.
>
> I am not sure whether you want to make a chained bind, but if you do, it is
> a chained bind and not a compare operation on the userPassword.
>
> Helmut
>
> > -----Original Message-----
> > From: Skovgaard, Erik [mailto:Erik.Skovgaard@icn.siemens.com]
> > Sent: Tuesday, 10 July 2001 23:00
> > To: 'Kurt D. Zeilenga'
> > Cc: 'Mark Davidson'; ietf-ldapext@netscape.com
> > Subject: RE: ACM permission
> >
> >
> > Kurt,
> >
> > I have applications that use the compare operation on the userPassword for
> > authentication.
> >
> > BTW, a BIND may result in a compare operation if you use chaining on the
> > back end of the server. Has anyone considered that?
> >
> > Cheers, ....Erik.
> >
> > Erik Skovgaard
> > Siemens Meta-Directory Solutions
> > Phone: +1 604-204-0750
> > Fax: +1 604-204-0760
> >
> > -----Original Message-----
> > From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
> > Sent: Monday, July 09, 2001 13:17
> > To: Skovgaard, Erik
> > Cc: 'Mark Davidson'; ietf-ldapext@netscape.com
> > Subject: RE: ACM permission
> >
> >
> > At 09:25 AM 7/9/2001, Skovgaard, Erik wrote:
> > >That would be a problem. A lot of us still use the userPassword for
> > >authentication. It must be possible to protect the password (including
> > >performing filter matching) yet be able to use the compare operation on the
> > >attribute.
> >
> > I'm not sure how permissions for compare relate to authentication.
> > The only operation which performs LDAP authentication is the
> > bind, and it's not controlled, per the I-D, by any permissions.
> >
> > This said, I support having separate "assert" (compare/search
> > filter) permissions from read permissions, as it is often useful
> > to allow one to assert a value but not allow them to read all
> > values. The example (which I believe someone else gave) is
> > that there may be a group where one is allowed to assert that
> > an entity is a member but not allowed to see the member list.
> >
> > Kurt
> >
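The two points argued above, that bind is authentication and sits outside the permission model while compare on userPassword does not, and that an "assert" permission (compare or search filter) should be separable from read, as an added illustration. This is a toy in-memory directory written for this archive page; it is not code from the thread, from the I-D, or from any participant's product. The DNs, entries, the SSHA salt and the access() policy are constructed for the example, and the access levels borrow the OpenLDAP ordering (none < auth < compare < search < read) only as a familiar vocabulary, not as slapd behaviour.

```python
"""Toy model: bind versus compare on userPassword, and assert versus read.
Constructed example for the ietf-ldapext thread on ACM permissions."""
import base64
import hashlib
import hmac
from enum import IntEnum


class Access(IntEnum):
    NONE = 0
    AUTH = 1     # may bind against the attribute; the server checks the secret itself
    COMPARE = 2  # may assert one value with the compare operation
    SEARCH = 3   # may assert values through a search filter
    READ = 4     # may read the values back


def ssha(password: str, salt: bytes = b"\x00\x01\x02\x03") -> str:
    """{SSHA} userPassword syntax. Fixed salt is a constructed-sample shortcut."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(stored: str, password: str) -> bool:
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


ALICE = "uid=alice,ou=people,dc=example,dc=com"   # constructed DNs
BOB = "uid=bob,ou=people,dc=example,dc=com"
ADMINS = "cn=admins,ou=groups,dc=example,dc=com"

DIRECTORY = {  # constructed sample entries
    ALICE: {"cn": ["Alice"], "userPassword": [ssha("s3cret")]},
    BOB: {"cn": ["Bob"], "userPassword": [ssha("hunter2")]},
    ADMINS: {"cn": ["admins"], "member": [ALICE]},
}


def access(requester, attr) -> Access:
    """Hypothetical policy: userPassword is bind-only for everyone; member may be
    asserted (compare or filter) by authenticated users but read by nobody."""
    if attr == "userPassword":
        return Access.AUTH
    if attr == "member":
        return Access.SEARCH if requester else Access.NONE
    return Access.READ


def bind(dn, password) -> bool:
    """Authentication: the server verifies the stored hash; no permission applies."""
    entry = DIRECTORY.get(dn, {})
    return any(ssha_verify(v, password) for v in entry.get("userPassword", []))


def compare(requester, dn, attr, value):
    """compareTrue/compareFalse as True/False, or the error name when denied."""
    if access(requester, attr) < Access.COMPARE:
        return "insufficientAccessRights"
    return value in DIRECTORY[dn].get(attr, [])


def read(requester, dn, attr):
    """The values, or None when the requester may not read them."""
    if access(requester, attr) < Access.READ:
        return None
    return list(DIRECTORY[dn].get(attr, []))


UNDEFINED = None  # third truth value of filter evaluation (RFC 4511 section 4.5.1.7)


def eval_filter(requester, dn, flt):
    """Filters as tuples: ("=", attr, value), ("&", f, ...), ("|", f, ...), ("!", f)."""
    op = flt[0]
    if op == "=":
        _, attr, value = flt
        if access(requester, attr) < Access.SEARCH:
            return UNDEFINED  # not FALSE: an inaccessible attribute neither matches nor fails
        return value in DIRECTORY[dn].get(attr, [])
    if op == "!":
        r = eval_filter(requester, dn, flt[1])
        return UNDEFINED if r is UNDEFINED else (not r)
    results = [eval_filter(requester, dn, f) for f in flt[1:]]
    if op == "&":
        if any(r is False for r in results):
            return False
        return UNDEFINED if any(r is UNDEFINED for r in results) else True
    if op == "|":
        if any(r is True for r in results):
            return True
        return UNDEFINED if any(r is UNDEFINED for r in results) else False
    raise ValueError(f"unknown filter operator {op!r}")


def search(requester, flt):
    """Only entries whose filter evaluates to TRUE are returned."""
    return sorted(dn for dn in DIRECTORY if eval_filter(requester, dn, flt) is True)


if __name__ == "__main__":
    app = "cn=app,ou=services,dc=example,dc=com"  # constructed service DN
    print("bind as alice:", bind(ALICE, "s3cret"))
    print("app compares alice's password:", compare(app, ALICE, "userPassword", "s3cret"))
    print("bob asserts alice is an admin:", compare(BOB, ADMINS, "member", ALICE))
    print("bob reads the member list:", read(BOB, ADMINS, "member"))
    print("anonymous filter on member:", search(None, ("=", "member", ALICE)))
```

The model makes the thread's two observations concrete: an application that validates a password with compare needs compare access on userPassword, which the policy above denies to everyone, whereas bind succeeds because the server verifies the hash itself. For the group case, bob can assert his own or alice's membership and find the group with a filter, but cannot list the members, and an anonymous requester gets Undefined for any filter term on member, so neither (member=X) nor (!(member=X)) leaks membership; a server that only guarded read, and evaluated filters against the real values, would return the group entry for the anonymous search.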