On Aug 15, 2009, at 4:48 AM, Howard Chu wrote:
> Also, on the topic of X.500 compatibility, as Jochen pointed out:
>> UserClasses ::= SEQUENCE {
>>     allUsers   [0] NULL OPTIONAL,
>>     thisEntry  [1] NULL OPTIONAL,
>>     name       [2] SET SIZE (1..MAX) OF NameAndOptionalUID OPTIONAL,
>>     userGroup  [3] SET SIZE (1..MAX) OF NameAndOptionalUID OPTIONAL,
>>         -- dn component shall be the name of an
>>         -- entry of GroupOfUniqueNames
>>     subtree    [4] SET SIZE (1..MAX) OF SubtreeSpecification OPTIONAL }
>
> ACIs specifying users are also not just simple DNs.
In theory, yes.

I have never seen the optional UID used in practice, and I seriously doubt directory agents consistently and properly implement UID support.

And even if the implementations one was using did provide UID support, I would not recommend use of the feature. Instead, deployers should utilize a naming scheme which produces single-use, stable DNs.
> The obvious implication is that when a user with an associated x500UniqueIdentifier authenticates to a DSA, this UID must also be included in the authzID that the DSA associates with the session. RFC4511 doesn't mention anything about this.
The LDAP TS likely should include a security consideration (and likely in multiple documents) that deployers should utilize an appropriate naming scheme to avoid the need for UIDs.
-- Kurt

_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www.ietf.org/mailman/listinfo/ldapext
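Added example, not part of the thread and not the code of OpenLDAP or any other DSA: a small Python model of what the exchange above is about. It parses the RFC 4517 string form of NameAndOptionalUID (DN optionally followed by "#" and a BitString) as it would appear in a UserClasses "name" set, maps an RFC 4513 "dn:" authzId to a name (that syntax has no place for a UID, so the result never has one), and applies the symmetric uniqueMemberMatch rule, under which a UID present on one side only is a mismatch. The effect is that an ACI naming a user with a UID does not match a session whose authzId carries only the DN, while the same DN with the UID attached does. The DN normalization is a deliberate simplification of distinguishedNameMatch, and the ACI value and authzId used are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# NameAndOptionalUID string form, RFC 4517 section 3.3.21:
#   NameAndOptionalUID = distinguishedName [ SHARP BitString ]
#   BitString          = SQUOTE *binary-digit SQUOTE "B"
# A DN may itself contain '#' (only a leading '#' in a value must be escaped,
# RFC 4514), so anchor on a trailing BitString and let the greedy group keep
# everything before the last qualifying '#'.
_NAME_AND_UID_RE = re.compile(r"(.*)#('[01]*'B)")


@dataclass(frozen=True)
class NameAndUID:
    dn: str
    uid: Optional[str]  # BitString text such as "'0101'B", or None


def parse_name_and_uid(value: str) -> NameAndUID:
    """Split a NameAndOptionalUID value into its DN and optional UID."""
    m = _NAME_AND_UID_RE.fullmatch(value)
    if m is None:
        return NameAndUID(value, None)
    return NameAndUID(m.group(1), m.group(2))


def authzid_to_name(authzid: str) -> NameAndUID:
    """Map an LDAP authorization identity (RFC 4513, 5.2.1.8) to a name.

    The dn: form carries a distinguishedName only; the authzId syntax has no
    slot for a UID, so the session identity derived from it never has one.
    """
    if not authzid.startswith("dn:"):
        raise ValueError("only dn: authzIds map directly to a directory name")
    return NameAndUID(authzid[len("dn:"):], None)


def _normalize_dn(dn: str) -> str:
    # Simplified stand-in for distinguishedNameMatch: case-fold and drop
    # whitespace around RDN separators. Escaped commas and multi-valued RDNs
    # are not handled; a real DSA must implement the full RFC 4517 rule.
    return ",".join(rdn.strip().casefold() for rdn in dn.split(","))


def unique_member_match(aci_value: str, subject: NameAndUID) -> bool:
    """uniqueMemberMatch (RFC 4517, 4.2.31), applied to one ACI user value.

    TRUE iff the DNs match and the UID is either absent from both values or
    present and bit-for-bit equal in both. A UID on one side only is a
    mismatch, which is why a session whose authzId dropped the UID is locked
    out of an ACI that names the user with one.
    """
    aci = parse_name_and_uid(aci_value)
    if _normalize_dn(aci.dn) != _normalize_dn(subject.dn):
        return False
    if aci.uid is None and subject.uid is None:
        return True
    if aci.uid is None or subject.uid is None:
        return False
    return aci.uid == subject.uid  # bitStringMatch: same length, same bits


def permitted(aci_users: List[str], subject: NameAndUID) -> bool:
    """Does any value of a UserClasses 'name' set match the session subject?"""
    return any(unique_member_match(u, subject) for u in aci_users)


if __name__ == "__main__":
    # Constructed sample data, not taken from any real directory.
    aci_users = ["cn=alice,ou=people,dc=example,dc=com#'0101'B"]
    session = authzid_to_name("dn:cn=alice,ou=people,dc=example,dc=com")
    print("dn: authzId without UID permitted:", permitted(aci_users, session))   # False
    with_uid = NameAndUID(session.dn, "'0101'B")
    print("same DN with UID attached permitted:", permitted(aci_users, with_uid))  # True
```

The last two comparisons are the point of the thread: whether the DSA attaches the UID to the session identity decides the outcome of an otherwise identical ACI evaluation, and nothing in the authzId syntax forces it to. A naming scheme whose DNs are never reused removes the need to carry the UID at all.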