
RE: Basic Access Control for LDAP

Ed,

Ed Reed wrote:
> Actually, my question is a bit more basic - 
> 
> Does allUsers include entries of any and all object classes, or only
> object classes derived from "person", or only "person"s with, say,
> a password attribute present, or some other definition?

As far as Basic Access Control is concerned, an identified user
(i.e. a requestor) is just a distinguished name. The distinguished
name doesn't even have to refer to a real entry, so the object class
of the user's entry, if such an entry exists, is completely irrelevant.

The allUsers case includes not only any identified user, but also
completely anonymous requestors for which no associated distinguished
name could be established at bind time.

Regards,
Steven

> 
> Ed
> 
> =================
> Ed Reed
> Reed-Matthews, Inc.
> +1 585 624 2402
> http://www.Reed-Matthews.COM
> Note:  Area code is 585
> 
> >>> "Steven Legg" <steven.legg@adacel.com.au> 02/28/02 01:16AM >>>
> 
> Ed,
> 
> Ed Reed wrote:
> > One question from reading the drafts (for now) -
> > 
> > What constitutes a "user" for the purpose of ACI UserClasses 
> > value allUsers?
> 
> In the first instance it is anyone/anything who manages to bind in,
> regardless of their authorization identity, but it is qualified by
> the AuthenticationLevel and whether a permission is being granted
> or denied.
> 
> For a permission being granted:
> 
> 1) If the AuthenticationLevel is "none" then allUsers includes everyone,
> regardless of authorization identity, anonymous included.
> 
> 2) If the AuthenticationLevel is "simple" then allUsers includes all
> users who have authenticated with at least a user name and password.
> Anonymous users and users who have not been authenticated are excluded.
> 
> 3) If the AuthenticationLevel is "strong" then allUsers includes all
> users who have authenticated with strong credentials, e.g. digital
> signatures. Anonymous users, unauthenticated users and password
> authenticated users are excluded.
> 
> For a permission being denied, allUsers includes everyone,
> regardless of authorization identity and authentication level.
> 
> Regards,
> Steven
> 
> 
>
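The allUsers rule described in this thread, written out as an added example that is not part of the original messages or of any directory implementation. It models a requestor as nothing more than an optional distinguished name (None for an anonymous bind) plus an AuthenticationLevel, so the object class of the bound entry never enters the decision, and applies the grant/deny asymmetry Steven describes: a grant to allUsers only reaches requestors at or above the item's level, while a denial to allUsers reaches everyone. The names Requestor, AciItem, all_users_applies and decide are assumptions of this example; the "deny wins, otherwise default deny" combination in decide is a deliberate simplification that ignores the precedence and specificity rules of full Basic Access Control.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable, Optional


class AuthLevel(IntEnum):
    """Ordered as in the thread: none < simple (password) < strong (e.g. signature)."""
    NONE = 0
    SIMPLE = 1
    STRONG = 2


@dataclass(frozen=True)
class Requestor:
    """What the access decision sees: a DN (or None when no DN was
    established at bind time) and how the bind was authenticated.
    Deliberately no object class: the DN need not name a real entry."""
    dn: Optional[str]
    auth_level: AuthLevel


@dataclass(frozen=True)
class AciItem:
    """One allUsers ACI item (hypothetical name): grant or deny a permission,
    qualified by the minimum AuthenticationLevel the item is written for."""
    grant: bool
    auth_level: AuthLevel
    permission: str


def all_users_applies(item: AciItem, requestor: Requestor) -> bool:
    """Does this allUsers item reach the requestor?

    Grant: only requestors authenticated at or above the item's level
           (so a "simple" grant excludes anonymous and unauthenticated binds,
           a "strong" grant additionally excludes password binds).
    Deny:  everyone, regardless of identity and authentication level.
    """
    if not item.grant:
        return True
    return requestor.auth_level >= item.auth_level


def decide(items: Iterable[AciItem], requestor: Requestor, permission: str) -> bool:
    """Simplified combination (assumption of this example, not X.501 precedence):
    any applicable denial wins; otherwise an applicable grant is needed;
    nothing applicable means the permission is not granted."""
    applicable = [
        i for i in items
        if i.permission == permission and all_users_applies(i, requestor)
    ]
    if any(not i.grant for i in applicable):
        return False
    return any(i.grant for i in applicable)


# Constructed sample policy: read is granted to allUsers at level "simple",
# and denied to allUsers at level "strong" for "modify".
POLICY = [
    AciItem(grant=True, auth_level=AuthLevel.SIMPLE, permission="read"),
    AciItem(grant=True, auth_level=AuthLevel.NONE, permission="modify"),
    AciItem(grant=False, auth_level=AuthLevel.STRONG, permission="modify"),
]

# Constructed requestors covering the cases from the thread.
ANONYMOUS = Requestor(dn=None, auth_level=AuthLevel.NONE)
PASSWORD_USER = Requestor(dn="cn=alice,o=example", auth_level=AuthLevel.SIMPLE)
# A DN that is not assumed to exist as an entry at all; still a valid requestor.
STRONG_GHOST = Requestor(dn="cn=nobody-in-particular,o=example", auth_level=AuthLevel.STRONG)


def decision_matrix(items: Iterable[AciItem] = POLICY) -> dict:
    """Evaluate each permission for each sample requestor."""
    requestors = {"anonymous": ANONYMOUS, "password": PASSWORD_USER, "strong": STRONG_GHOST}
    return {
        name: {perm: decide(items, r, perm) for perm in ("read", "modify")}
        for name, r in requestors.items()
    }


if __name__ == "__main__":
    for name, perms in decision_matrix().items():
        print(f"{name:10s} {perms}")
```

The interesting row is "modify": the grant at level "none" would reach the anonymous bind, but the "strong" denial to allUsers reaches every requestor, including the anonymous one, so nobody can sidestep the denial by binding with weaker credentials.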