RE: When to not deref aliases
> -----Original Message-----
> From: Volpers, Helmut [mailto:helmut.volpers@icn.siemens.de]
> Sent: Thursday, January 18, 2001 9:46 AM
> To: 'Salter, Thomas A'; Volpers, Helmut
> Cc: ietf-ldapbis@OpenLDAP.org
> Subject: RE: When to not deref aliases
>
>
>
>
> > -----Original Message-----
> > From: Salter, Thomas A [mailto:Thomas.Salter@unisys.com]
> > Sent: Donnerstag, 18. Januar 2001 15:20
> > To: Volpers, Helmut
> > Cc: ietf-ldapbis@OpenLDAP.org
> > Subject: RE: When to not deref aliases
> >
> >
> > > -----Original Message-----
> > > From: Volpers, Helmut [mailto:helmut.volpers@icn.siemens.de]
> > > Sent: Thursday, January 18, 2001 9:13 AM
> > > To: 'Kurt D. Zeilenga'; Jim Sermersheim
> > > Cc: ietf-ldapbis@OpenLDAP.org; Thomas.Salter@unisys.com
> > > Subject: RE: When to not deref aliases
> > >
> > ...
> > >
> > > I think X.500 is a little bit stronger here; it explicitly
> > > disallows dereferencing in a Simple Bind.
> > > Dereferencing should not be the expected behavior.
> > >
> > > Helmut
> > > >
> > >
> >
> > How did you arrive at the conclusion that X.500 disallows
> > dereferencing? I was convinced by X.509 that dereferencing is
> > required (because Bind should use Compare to access the entry).
>
> 1. argument:
>
> In X.511
>
> If simple is used, it consists of a name (always the
> distinguished name of an object), an optional validity, and an
> optional password. This provides a limited degree of security.
>
> (I interpret "the distinguished name" to mean that there can only
> be one for one object.)
>
> 2. argument
>
> You have no "common arguments" or extensions for a simple bind
> that give you the possibility to tell the server "dereference" or
> "don't dereference", and I don't believe that this functionality
> has a default of "dereference" that cannot be changed.
>
> Helmut
> >
>
But X.509, Section 6 Simple Authentication Procedure, says
"2) B sends the purported distinguished name and password of A to the
Directory, where the password is checked against that held as the
UserPassword attribute within the directory entry for A (using the Compare
operation of the Directory);"
The default for Compare is to dereference aliases and the Bind doesn't
contain a service control to override it.
Moreover, an X.500 alias entry is unlikely to contain a UserPassword
attribute, so any attempt to authenticate against an alias is sure to fail.
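As an added illustration (not part of the thread, and not any real directory server's code), the following constructed toy model walks through the X.509 section 6 procedure as described above: Bind carries a purported DN and password, the server runs a Compare of userPassword on that DN, and the alias case shows why an alias entry without userPassword can only authenticate when aliases are dereferenced. The entry names, attribute values and the `deref_aliases` switch are all assumptions of the model.

```python
"""Toy model (constructed for illustration) of simple authentication via Compare."""
import hmac
from typing import Dict, List, Optional

# Constructed mini-DIT: DN -> attributes. "cn=alias" is an X.500 alias
# entry pointing at "cn=alice"; note it holds no userPassword itself.
DIT: Dict[str, Dict[str, List]] = {
    "cn=alice,o=example": {"objectClass": ["person"],
                           "userPassword": [b"s3cret"]},
    "cn=alias,o=example": {"objectClass": ["alias"],
                           "aliasedObjectName": ["cn=alice,o=example"]},
}


def resolve(dn: str, deref_aliases: bool) -> Optional[str]:
    """Return the DN an operation acts on, following alias chains if asked."""
    seen = set()
    while dn in DIT and deref_aliases and "alias" in DIT[dn]["objectClass"]:
        if dn in seen:  # alias loop: fail closed rather than spin forever
            return None
        seen.add(dn)
        dn = DIT[dn]["aliasedObjectName"][0]
    return dn if dn in DIT else None


def compare(dn: str, attr: str, value: bytes, deref_aliases: bool = True) -> bool:
    """Compare operation: True iff the (possibly dereferenced) entry holds attr=value.

    The default of dereferencing aliases mirrors the Compare default the
    thread discusses; hmac.compare_digest avoids a timing side channel.
    """
    target = resolve(dn, deref_aliases)
    if target is None:
        return False
    return any(hmac.compare_digest(v, value) for v in DIT[target].get(attr, []))


def simple_bind(dn: str, password: bytes, deref_aliases: bool = True) -> bool:
    """Step 2 of the X.509 simple procedure: check the purported DN's
    password against userPassword using Compare (model only)."""
    return compare(dn, "userPassword", password, deref_aliases)
```

Binding with the alias DN succeeds only when Compare dereferences it, since the alias entry itself carries no userPassword; with dereferencing disabled the same bind fails, which is the outcome the final paragraph predicts.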