
RE: When to not deref aliases
 > -----Original Message-----
 > From: Volpers, Helmut [mailto:helmut.volpers@icn.siemens.de]
 > Sent: Thursday, January 18, 2001 9:46 AM
 > To: 'Salter, Thomas A'; Volpers, Helmut
 > Cc: ietf-ldapbis@OpenLDAP.org
 > Subject: RE: When to not deref aliases
 > 
 > 
 > 
 > 
 > > -----Original Message-----
 > > From: Salter, Thomas A [mailto:Thomas.Salter@unisys.com]
 > > Sent: Donnerstag, 18. Januar 2001 15:20
 > > To: Volpers, Helmut
 > > Cc: ietf-ldapbis@OpenLDAP.org
 > > Subject: RE: When to not deref aliases
 > > 
 > > 
 > >  > -----Original Message-----
 > >  > From: Volpers, Helmut [mailto:helmut.volpers@icn.siemens.de]
 > >  > Sent: Thursday, January 18, 2001 9:13 AM
 > >  > To: 'Kurt D. Zeilenga'; Jim Sermersheim
 > >  > Cc: ietf-ldapbis@OpenLDAP.org; Thomas.Salter@unisys.com
 > >  > Subject: RE: When to not deref aliases
 > >  >
 > > 	... 
 > >  > 
 > >  > I think X.500 is here a little bit stronger: it explicitly
 > >  > disallows dereferencing in a Simple Bind.
 > >  > Dereferencing should not be the expected behavior.
 > >  > 
 > >  > Helmut
 > >  > > 
 > >  >
 > > 
 > > How did you arrive at the conclusion that X.500 disallows dereferencing?  I
 > > was convinced by X.509 that dereferencing is required (because Bind should
 > > use Compare to access the entry).
 > 
 > 1. argument:
 > 
 > In X.511:
 > 
 > If simple is used, it consists of a name (always the distinguished name of
 > an object), an optional validity, and an optional password. This provides a
 > limited degree of security.
 > 
 > (I interpret this "the distinguished name" as meaning that it can only be
 > one for one object.)
 > 
 > 2. argument:
 > 
 > You have to "common arguments" or extensions for a simple bind where you
 > have the possibility to tell the server "dereference" or "don't dereference",
 > and I don't believe that this functionality has a default of "dereference"
 > that could not be changed.
 > 
 > Helmut
 > > 
 > 

But X.509, Section 6 Simple Authentication Procedure, says 
"2) B sends the purported distinguished name and password of A to the
Directory, where the password is checked against that held as the
UserPassword attribute within the directory entry for A (using the Compare
operation of the Directory);"

The default for Compare is to dereference aliases and the Bind doesn't
contain a service control to override it.

Moreover, an X.500 alias entry is unlikely to contain a UserPassword
attribute, so any attempt to authenticate against an alias is sure to fail.
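
To make the point of this message concrete, here is an added toy model (not part of the thread, and not the code of any X.500 or LDAP product) of a small directory in which Simple Bind is carried out as X.509 Section 6 describes: a Compare on userPassword against the purported DN. The `Directory` class, the DNs and the passwords are constructed for the example; the Compare default of dereferencing aliases and the observation that an alias entry carries no userPassword follow the message above, while the alias-hop cap and the cleartext password storage are simplifying assumptions of the example only.

```python
"""Added example: a toy X.500-style directory where Simple Bind is done as a
Compare on userPassword (X.509 Section 6 style), to show how alias
dereferencing decides whether binding with an alias DN can succeed.

Everything here (entries, DNs, passwords, the Directory class) is constructed
for illustration and is not taken from any real directory product."""
import hmac

ALIASED_OBJECT_NAME = "aliasedObjectName"   # standard alias pointer attribute
USER_PASSWORD = "userPassword"              # attribute X.509 says Bind compares


def norm_dn(dn: str) -> str:
    """Minimal DN normalisation (case-fold, trim around commas) for lookups."""
    return ",".join(part.strip() for part in dn.lower().split(","))


class Directory:
    """Entries keyed by normalised DN; attribute values are lists of strings."""

    def __init__(self, entries: dict):
        self.entries = {norm_dn(dn): attrs for dn, attrs in entries.items()}

    def lookup(self, dn: str, deref_aliases: bool, max_hops: int = 8):
        """Return (resolved_dn, attrs), following alias chains only when asked.

        max_hops is an assumed loop guard; the thread does not specify one."""
        dn = norm_dn(dn)
        for _ in range(max_hops + 1):
            attrs = self.entries.get(dn)
            if attrs is None:
                raise LookupError("noSuchObject: " + dn)
            if not deref_aliases or ALIASED_OBJECT_NAME not in attrs:
                return dn, attrs          # a real entry, or the alias entry itself
            dn = norm_dn(attrs[ALIASED_OBJECT_NAME][0])
        raise LookupError("aliasDereferencingProblem: too many hops from " + dn)

    def compare(self, dn: str, attr: str, value: str, deref_aliases: bool = True) -> bool:
        """Compare operation; deref_aliases defaults to True, matching the
        service-control default the message above relies on."""
        _, attrs = self.lookup(dn, deref_aliases)
        if attr not in attrs:
            raise LookupError("noSuchAttribute: " + attr)
        wanted = value.encode()
        # constant-time comparison against each stored value
        return any(hmac.compare_digest(v.encode(), wanted) for v in attrs[attr])

    def simple_bind(self, dn: str, password: str, deref_aliases: bool = True) -> bool:
        """Simple authentication as X.509 Section 6 describes it: the purported
        DN and password are checked with Compare on userPassword. Any error
        (no such entry, no password attribute, alias problem) is collapsed to
        a plain failure so the client learns nothing about why."""
        try:
            return self.compare(dn, USER_PASSWORD, password, deref_aliases)
        except LookupError:
            return False


# Constructed sample directory: one real user, one alias to her, one alias loop.
DIRECTORY = Directory({
    "cn=Alice,ou=People,o=Example": {
        "objectClass": ["person"],
        USER_PASSWORD: ["s3cret"],          # cleartext only in this toy model
    },
    "cn=Alice,ou=Aliases,o=Example": {
        "objectClass": ["alias"],
        ALIASED_OBJECT_NAME: ["cn=Alice,ou=People,o=Example"],  # no userPassword
    },
    "cn=Loop,ou=Aliases,o=Example": {
        "objectClass": ["alias"],
        ALIASED_OBJECT_NAME: ["cn=Loop,ou=Aliases,o=Example"],
    },
})


def bind_outcomes() -> dict:
    """Run the binds the thread argues about and return the results."""
    alias = "cn=Alice,ou=Aliases,o=Example"
    return {
        "real_dn": DIRECTORY.simple_bind("cn=Alice,ou=People,o=Example", "s3cret"),
        "alias_default_deref": DIRECTORY.simple_bind(alias, "s3cret"),
        "alias_no_deref": DIRECTORY.simple_bind(alias, "s3cret", deref_aliases=False),
        "alias_wrong_password": DIRECTORY.simple_bind(alias, "wrong"),
        "alias_loop": DIRECTORY.simple_bind("cn=Loop,ou=Aliases,o=Example", "s3cret"),
    }


if __name__ == "__main__":
    for name, ok in bind_outcomes().items():
        print(f"{name:22s} -> {'bind OK' if ok else 'invalidCredentials'}")
```

The `deref_aliases` flag is the whole disagreement in the thread: with the Compare default (dereference) a bind naming the alias DN resolves to Alice's real entry and succeeds; with dereferencing off, Compare is evaluated against the alias entry itself, which has no userPassword, so the bind fails exactly as the message above predicts. The loop alias is included because a server that does dereference during Bind needs a hop limit; the value used here is an assumption of the example.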