[Date Prev][Date Next] [Chronological] [Thread] [Top]
RE: When to not deref aliases

To: "Volpers, Helmut" <helmut.volpers@icn.siemens.de>, "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>, Jim Sermersheim <JIMSE@novell.com>
Subject: RE: When to not deref aliases
From: "Ramsay, Ron" <Ron.Ramsay@ca.com>
Date: Mon, 29 Jan 2001 13:05:12 +1100
Cc: ietf-ldapbis@OpenLDAP.org
Helmut,

Huh?

The note in Section 9.2 of X.501 actually says:

Note - The set of names of an object thus comprises the set of alias names
for the object, together with the distinguished name of the object.

The difference between this and what you wrote is that 'distinguished name'
is singular. (I don't understand why you went on about attribute values - I
think it is missing the point.)

The definitions in 9.1 do not describe different 'things' but are different
descriptions of the same thing. For example, distinguished name is defined
syntactically in terms os RDNs. Semantically, a directory name is a name
that denotes an object. The fact that there may be many directory names for
an object is due to the presence of aliases, not the mumbo-jumbo about the
true significance of an attribute value. An alias name is 'an alternative
name for an object'. (It is curious the the punctuation seems to be American
but the dictionary seems to be English!) The 'purported name' is any
distinguished name which purports to be (or pretends to be, or appears to
be) a valid name for the operation (here, bind).

Anyway, so much for the semantics. Thomas and I are waiting for you to point
to the line in any X.500 standard that says aliases may not be used in
binds. I think you can't do it.

Ron.

-----Original Message-----
From: Volpers, Helmut [mailto:helmut.volpers@icn.siemens.de]
Sent: Friday, 26 January 2001 20:10
To: Ramsay, Ron; Kurt D. Zeilenga; Jim Sermersheim
Cc: ietf-ldapbis@OpenLDAP.org
Subject: RE: When to not deref aliases




> -----Original Message-----
> From: Ramsay, Ron [mailto:Ron.Ramsay@ca.com]
> Sent: Donnerstag, 25. Januar 2001 02:11
> To: Kurt D. Zeilenga; Jim Sermersheim
> Cc: ietf-ldapbis@OpenLDAP.org
> Subject: RE: When to not deref aliases
> 
> 
> Regarding your last statement, I don't regard it as a 
> specification error in
> X.509. (It is actually an authentication issue, not a protocol issue.)

Why a specification error ?

This section in X.509 describes on an abstract level how one user A
authenticates himself to another user B and how they may use the Directory
Service in doing so. It does not describe the procedure that has to be run
within the DSA when a User wants to authenticate.

But even this procedure describes that "the distinguished name" of a user
is treated. What this means is described in X.501 9.1 and 9.2.
"Distinguished name", "alias name" and "directory name" are clearly
defined to mean different things. There may be several "distinguished
names" of an object, but they differ only in contexts of attribute values
involved, not really in the attribute values themselves. The NOTE in 9.2
makes it quite clear: "The set of names of an object thus comprises the
set of alias names for the object, together with the distinguished names
of the object.

X.509 6 2) speaks of "the purported distinguished name" of a user. This
cannot be an alias name. The description for other operations in X.511
explicitly speak of "Names", that might be dereferenced if they involve
aliases. Of course a compare operation may be used by user B to
authenticate user A, but as he has nothing but the distinguished name of
A, this compare operation cannot dereference aliases at this place.

Helmut
> 
> However, if you could get the X.500 specs amended, I agree 
> that the LDAP
> statement could be strengthened. Are you able to present it 
> to the X.500 WG?
> 
> In the meantime, I don't think we should hold our breath and 
> SHOULD NOT
> seems a workable solution.
> 
> Ron.
> 
> -----Original Message-----
> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
> Sent: Thursday, 25 January 2001 6:08
> To: Jim Sermersheim
> Cc: Ramsay, Ron; ietf-ldapbis@OpenLDAP.org
> Subject: RE: When to not deref aliases
> 
> 
> At 11:36 AM 1/24/01 -0700, Jim Sermersheim wrote:
> >Regarding bind, you're right. Concensus seems to be SHOULD 
> NOT (premature
> post on my part). Though I don't believe there has been as 
> much discussion
> regarding compare, most of the arguments are the same. I'll 
> tentatively
> amend.
> >
> >Regarding the use of the SHOULD NOT imperative; it would be 
> useful to add
> text explaining "why not". Kurt, you  mentioned security 
> issues, what are
> they--and do they apply to the compare operation? I don't 
> like adding SHOULD
> NOT just because we think something is wrong but we don't 
> want to break
> existing implementations. 
> 
> Without the statement the specification can be interpreted multiple
> ways, this leads to interoperability problems.  The SHOULD NOT
> clarifies what the intended behavior is while not disallowing
> implementations which have implemented some other behavior.
> 
> I do not believe it necessary to state in the actual specification
> why a particular imperative exists is general.  Of course, key
> interoperability issues and security considerations should be
> discussed within the specification.
> 
> The primary security issues related to aliases and authentication,
> authorization, and access control is related to use of alternative
> names and under specification of semantics (especially in error
> cases).
> 
> I actually believe X.511 nor LDAP did not intend aliases to be
> dereferenced during bind operations.  I view this as a specification
> error which should be corrected in both X.511 and LDAP.
> 
> Kurt
> 
> 
> >Or am I alone in thinking phrases like: "In order to work 
> with existing
> implementations, the server SHOULD NOT do xyz." makes for 
> sloppy protocol?
> >
> >Jim
> >
> >
> >>>> "Ramsay, Ron" <Ron.Ramsay@ca.com> 1/23/01 9:30:29 PM >>>
> >Jim,
> >
> >I thought the consensus on the bind was that servers SHOULD 
> NOT dereference
> >aliases. You have changed this to MUST NOT.
> >
> >There was agreement that there was no way to indicate whether compare
> should
> >dereference aliases. I think this should be a SHOULD NOT in 
> that you are
> >trying to make implementations nonconformant retroactively. 
> That is, you
> are
> >changing the spec, not clarifying it.
> >
> >ModDN is different because dereferencing was not the default 
> for updates in
> >X.500. In that LDAP deferred to X.500 where there was no 
> policy, I believe
> >that MUST is inappropriate for either bind or compare.
> >
> >Ron.
> >
> >-----Original Message-----
> >From: Jim Sermersheim [mailto:JIMSE@novell.com] 
> >Sent: Wednesday, 24 January 2001 5:43
> >To: ietf-ldapbis@OpenLDAP.org 
> >Subject: RE: When to not deref aliases
> >
> >
> >I believe some semblance of consensus has been reached on this issue.
> >
> >- There is some agreement that BindRequest.name is not dereferenced.
> >Compelling arguments include existing behavior among 
> implementations, and
> >the lack of a mechanism to specify alias dereferencing behavior.
> >
> >- There is strong agreement that ModifyDNRequest.entry is 
> not dereferenced.
> >
> >- There is semi-strong agreement that CompareRequest.entry is not
> >dereferenced. The arguments are the same as those for bind.
> >
> >Unless there are enough objections to outweigh current 
> agreements, I'll
> make
> >the following changes:
> >
> >4.2 <info added as last sentence of name description>
> ><-      name: The name of the directory object that the 
> client wishes to
> >bind as. This field may take on a null value (a zero length 
> string) for the
> >purposes of anonymous binds, when authentication has been 
> performed at a
> >lower layer, or when using SASL credentials with a mechanism 
> that includes
> >the LDAPDN in the credentials.
> >>-      name: The name of the directory object that the 
> client wishes to
> >bind as. This field may take on a null value (a zero length 
> string) for the
> >purposes of anonymous binds, when authentication has been 
> performed at a
> >lower layer, or when using SASL credentials with a mechanism 
> that includes
> >the LDAPDN in the credentials. Note that the server will not 
> perform any
> >alias dereferencing in determining the object to bind as.
> >
> >4.9 <info added as last sentence of entry description>
> ><-      entry: the Distinguished Name of the entry to be 
> changed. This
> entry
> >may or may not have subordinate entries.
> >>-      entry: the Distinguished Name of the entry to be 
> changed. This
> entry
> >may or may not have subordinate entries. Note that the 
> server will not
> >dereference any aliases in locating the entry to be changed.
> >
> >4.10 <info added as last sentence of entry description>
> ><-      entry: the name of the entry to be compared with.
> >>-      entry: the name of the entry to be compared with. 
> Note that the
> >server will not dereference any aliases in locating the entry to be
> compared
> >with.
> >
> >Jim
>
Follow-Ups:
- RE: When to not deref aliases
  - From: "Steven Legg" <steven.legg@adacel.com.au>
Prev by Date: RE: When to not deref aliases
Next by Date: RE: When to not deref aliases
Index(es):
- Chronological
- Thread