joachim
"Kurt D. Zeilenga" wrote:
At 09:25 AM 7/9/2001, Skovgaard, Erik wrote:
>That would be a problem. A lot of us still use the userPassword for
>authentication. It must be possible to protect the password (including
>performing filter matching) yet be able to use the compare operation on the
>attribute.

I'm not sure how permissions for compare relate to authentication.
The only operation which performs LDAP authentication is the
bind and it's not controlled, per the I-D, by any permissions.

This said, I support having separate "assert" (compare/search
filter) permissions from read permissions as it is often useful
to allow one to assert a value but not allow them to read all
values. The example (which I believe someone else gave) is
that there may be a group where one is allowed to assert that
an entity is a member but not allowed to see the member list.

Kurt