
RE: When to not deref aliases



Thomas,

I find your arguments compelling. I agree that the default in X.500 is to
dereference. As with update operations, it would require an explicit
statement not to dereference for bind if this were the required behaviour.

Ron.

-----Original Message-----
From: Salter, Thomas A [mailto:Thomas.Salter@unisys.com]
Sent: Friday, 19 January 2001 3:31
To: Volpers, Helmut; Salter, Thomas A
Cc: ietf-ldapbis@OpenLDAP.org
Subject: RE: When to not deref aliases




 > -----Original Message-----
 > From: Volpers, Helmut [mailto:helmut.volpers@icn.siemens.de]
 > Sent: Thursday, January 18, 2001 9:46 AM
 > To: 'Salter, Thomas A'; Volpers, Helmut
 > Cc: ietf-ldapbis@OpenLDAP.org
 > Subject: RE: When to not deref aliases
 > 
 > 
 > 
 > 
 > > -----Original Message-----
 > > From: Salter, Thomas A [mailto:Thomas.Salter@unisys.com]
 > > Sent: Thursday, 18 January 2001 15:20
 > > To: Volpers, Helmut
 > > Cc: ietf-ldapbis@OpenLDAP.org
 > > Subject: RE: When to not deref aliases
 > > 
 > > 
 > >  > -----Original Message-----
 > >  > From: Volpers, Helmut [mailto:helmut.volpers@icn.siemens.de]
 > >  > Sent: Thursday, January 18, 2001 9:13 AM
 > >  > To: 'Kurt D. Zeilenga'; Jim Sermersheim
 > >  > Cc: ietf-ldapbis@OpenLDAP.org; Thomas.Salter@unisys.com
 > >  > Subject: RE: When to not deref aliases
 > >  >
 > > 	... 
 > >  > 
 > >  > I think X.500 is here a little bit stronger: it explicitly
 > >  > disallows dereferencing in a Simple Bind.
 > >  > Dereferencing should not be the expected behavior.
 > >  > 
 > >  > Helmut
 > >  > > 
 > >  >
 > > 
 > > How did you arrive at the conclusion that X.500 disallows
 > > dereferencing?  I was convinced by X.509 that dereferencing is
 > > required (because Bind should use Compare to access the entry).
 > 
 > 1. argument:
 > 
 > In X.511:
 > 
 > If simple is used, it consists of a name (always the distinguished
 > name of an object), an optional validity, and an optional password.
 > This provides a limited degree of security.
 > 
 > (I interpret this "the distinguished name" to mean that there can be
 > only one for one object.)
 > 
 > 2. argument:
 > 
 > You have two "common arguments" or extensions for a simple bind
 > where you have the possibility to tell the server "dereference" or
 > "don't dereference", and I don't believe that this functionality has
 > a default of "dereference" that could not be changed.
 > 
 > Helmut   
 > > 
 > 

But X.509, Section 6 Simple Authentication Procedure, says 
"2) B sends the purported distinguished name and password of A to the
Directory, where the password is checked against that held as the
UserPassword attribute within the directory entry for A (using the Compare
operation of the Directory);"

The default for Compare is to dereference aliases and the Bind doesn't
contain a service control to override it.

Moreover, an X.500 alias entry is unlikely to contain a UserPassword
attribute, so any attempt to authenticate against an alias is sure to fail.
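The two points Thomas makes above (Bind checks the password with Compare, which dereferences aliases by default, and an alias entry carries no UserPassword, so a non-dereferenced bind against it must fail) can be made concrete with a small model. The following is an added example written for this thread; it is not code from any X.500 or LDAP implementation. The directory contents, the DNs, the password, the `Entry` class, the `dereference`/`compare`/`simple_bind` helpers and their return shapes are all constructed for illustration. The model also keeps the server-side failure reason separate from the result returned to the client, since telling a client whether a DN exists or is an alias is information a server should log rather than reveal.

```python
from dataclasses import dataclass, field


@dataclass
class Entry:
    """One directory entry: a DN plus multi-valued attributes (model only)."""
    dn: str
    attrs: dict = field(default_factory=dict)

    @property
    def is_alias(self) -> bool:
        return "aliasedObjectName" in self.attrs


class AliasError(Exception):
    """Alias chain cannot be resolved (loop, too long, or dangling target)."""


# Constructed sample directory (hypothetical names and password, not real data).
ALICE = "cn=Alice,ou=People,o=Example"
ALICE_ALIAS = "cn=alice,ou=Aliases,o=Example"
DIRECTORY = {
    ALICE: Entry(ALICE, {"objectClass": ["person"], "userPassword": ["correct horse"]}),
    # The alias entry points at Alice but, as in X.500, holds no userPassword itself.
    ALICE_ALIAS: Entry(ALICE_ALIAS, {"objectClass": ["alias"], "aliasedObjectName": [ALICE]}),
    "cn=loop1,o=Example": Entry("cn=loop1,o=Example",
                                {"objectClass": ["alias"], "aliasedObjectName": ["cn=loop2,o=Example"]}),
    "cn=loop2,o=Example": Entry("cn=loop2,o=Example",
                                {"objectClass": ["alias"], "aliasedObjectName": ["cn=loop1,o=Example"]}),
    "cn=dangling,o=Example": Entry("cn=dangling,o=Example",
                                   {"objectClass": ["alias"], "aliasedObjectName": ["cn=gone,o=Example"]}),
}


def dereference(dn: str, directory: dict, max_hops: int = 8) -> Entry:
    """Follow aliasedObjectName until a non-alias entry is reached.

    Raises LookupError if the starting DN does not exist and AliasError if
    the chain loops, exceeds max_hops, or points at a missing entry.
    """
    seen = []
    while True:
        entry = directory.get(dn)
        if entry is None:
            if not seen:
                raise LookupError(f"noSuchObject: {dn}")
            raise AliasError(f"aliasDereferencingProblem: {seen[-1]} points at missing {dn}")
        if not entry.is_alias:
            return entry
        if dn in seen or len(seen) >= max_hops:
            raise AliasError(f"aliasDereferencingProblem: loop or chain too long at {dn}")
        seen.append(dn)
        dn = entry.attrs["aliasedObjectName"][0]


def compare(dn: str, attr: str, value: str, directory: dict, deref_aliases: bool = True):
    """Model of the X.500 Compare operation: (matched, dn_of_entry_compared).

    With deref_aliases (the X.500 default) the alias chain is followed first;
    without it the alias entry itself is compared. Plaintext comparison is a
    simplification of this model; a real server compares against a stored hash.
    """
    if deref_aliases:
        entry = dereference(dn, directory)
    else:
        entry = directory.get(dn)
        if entry is None:
            raise LookupError(f"noSuchObject: {dn}")
    return value in entry.attrs.get(attr, []), entry.dn


def simple_bind(dn: str, password: str, directory: dict, deref_aliases: bool = True):
    """X.509 section 6, step 2, as modelled here: check the purported DN and
    password with Compare against userPassword.

    Returns (wire_result, detail). wire_result is what the client would see;
    every failure collapses to invalidCredentials so the client cannot learn
    whether the DN exists or is an alias. detail is the server-side reason,
    intended for the audit log only.
    """
    try:
        matched, target_dn = compare(dn, "userPassword", password, directory, deref_aliases)
    except (LookupError, AliasError) as exc:
        return "invalidCredentials", str(exc)
    if not matched:
        if "userPassword" not in directory[target_dn].attrs:
            return "invalidCredentials", f"no userPassword on {target_dn}"
        return "invalidCredentials", f"password mismatch for {target_dn}"
    return "success", f"authenticated as {target_dn}"


if __name__ == "__main__":
    for name, deref in ((ALICE, True), (ALICE_ALIAS, True), (ALICE_ALIAS, False)):
        print(name, "deref" if deref else "no-deref", simple_bind(name, "correct horse", DIRECTORY, deref))
```

Binding with the alias DN succeeds only when aliases are dereferenced; with dereferencing switched off the comparison lands on the alias entry, which has no userPassword, which is exactly the failure the message above predicts. The loop and dangling entries show why a dereferencing bind path needs a hop limit and a loop check, and why those errors, like a missing DN, should not be distinguishable on the wire from a wrong password.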