Re: authmeth transition table

Roger Harrison writes:
> I've checked most of the authmeth transition table for accuracy, and I
> believe it is close to complete. I still have an action item to do a
> final review, but I'd appreciate additional eyes looking at it. The idea
> to split it into TLS and non-TLS, either via two tables or via two areas
> of the same table is one that I'll seriously consider.

In that case I suggest you drop AuthZ ID (J) and maybe TLS Creds (I)
from the table.  All you need to mention is whether or not bind
succeeds.  If one uses EXTERNAL with a J which is not allowed by I, it
fails, just like any other bind.  That's covered elsewhere.

If you keep I, it should not be related to TLS - it should just be the
auth ID from the currently relevant underlying protection mechanism,
or whatever it is called.  I say "currently relevant" because if one is
using both IPsec and TLS, EXTERNAL has to choose the certificate
from one of them.  Unless StartTLS should then fail if they do not
match.

-- 
Hallvard
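The point above is that the transition table only has to record whether a bind succeeds, because a failed bind of any kind, including EXTERNAL with an authorization identity (J) the underlying credentials (I) do not permit, leaves the association anonymous. The following is an added example, not part of the thread or of the authmeth draft's table: a small Python model of that behaviour. The policy mapping credential identities to permitted authorization identities, the identities and passwords are constructed for illustration; the bind-failure rule (failed bind moves the association to anonymous) is what the thread and RFC 4511 describe, and the model deliberately does not tie the EXTERNAL identity to TLS specifically, following the suggestion to take it from whatever protection mechanism is currently relevant.

```python
"""Toy model of LDAP authentication-state transitions around bind and StartTLS.

Added example, not from the mailing-list thread or the authmeth draft.
Identities, passwords and the authorization policy below are constructed.
"""
from dataclasses import dataclass
from typing import Optional

ANONYMOUS = None  # authz_id value meaning "anonymous association"


@dataclass
class Association:
    tls_established: bool = False
    # "I": the auth ID supplied by the currently relevant underlying protection
    # mechanism (TLS client cert, IPsec, ...).  Not tied to TLS on purpose.
    external_identity: Optional[str] = None
    # Current authorization identity; None means anonymous.
    authz_id: Optional[str] = ANONYMOUS


# Constructed policy: which authorization identities (J) each external
# identity (I) is allowed to assume.
PERMITTED_AUTHZ = {
    "cn=alice,o=example": {"cn=alice,o=example", "cn=ops,o=example"},
    "cn=bob,o=example": {"cn=bob,o=example"},
}

# Constructed password store for the simple-bind path.
PASSWORDS = {"cn=alice,o=example": "alice-secret"}


def start_tls(assoc: Association, client_cert_subject: Optional[str] = None) -> bool:
    """StartTLS.  Fails if TLS is already in place; otherwise records the
    identity from the client certificate (if any) as the external auth ID."""
    if assoc.tls_established:
        return False
    assoc.tls_established = True
    assoc.external_identity = client_cert_subject
    return True


def _fail(assoc: Association) -> bool:
    """Any failed bind leaves the association anonymous (RFC 4511 4.2.1)."""
    assoc.authz_id = ANONYMOUS
    return False


def bind_anonymous(assoc: Association) -> bool:
    assoc.authz_id = ANONYMOUS
    return True


def bind_simple(assoc: Association, dn: str, password: str) -> bool:
    """Simple bind: name/password check against the constructed store."""
    if PASSWORDS.get(dn) != password:
        return _fail(assoc)
    assoc.authz_id = dn
    return True


def bind_external(assoc: Association, requested_authz: Optional[str] = None) -> bool:
    """SASL EXTERNAL bind.  With no explicit J, the authz ID is derived from I.
    With an explicit J, the bind succeeds only if I is permitted to assume J;
    otherwise it fails exactly like any other failed bind."""
    ident = assoc.external_identity
    if ident is None:
        return _fail(assoc)  # no credentials from any protection mechanism
    wanted = requested_authz if requested_authz is not None else ident
    if wanted not in PERMITTED_AUTHZ.get(ident, set()):
        return _fail(assoc)
    assoc.authz_id = wanted
    return True


def walk_transitions() -> list:
    """Run one association through a sequence of events and return
    (event, bind_succeeded, authz_id_afterwards) rows, i.e. the only columns
    the transition table really needs."""
    a = Association()
    rows = []
    rows.append(("EXTERNAL, no TLS", bind_external(a), a.authz_id))
    rows.append(("StartTLS w/ alice cert", start_tls(a, "cn=alice,o=example"), a.authz_id))
    rows.append(("EXTERNAL, J omitted", bind_external(a), a.authz_id))
    rows.append(("EXTERNAL, J=ops (allowed)", bind_external(a, "cn=ops,o=example"), a.authz_id))
    rows.append(("EXTERNAL, J=bob (not allowed)", bind_external(a, "cn=bob,o=example"), a.authz_id))
    rows.append(("simple bind, bad password", bind_simple(a, "cn=alice,o=example", "wrong"), a.authz_id))
    rows.append(("simple bind, good password", bind_simple(a, "cn=alice,o=example", "alice-secret"), a.authz_id))
    rows.append(("anonymous bind", bind_anonymous(a), a.authz_id))
    return rows


if __name__ == "__main__":
    for event, ok, authz in walk_transitions():
        print(f"{event:32} -> {'ok  ' if ok else 'FAIL'} authz={authz}")
```

Running the script prints one row per event; the two failed binds (EXTERNAL with a disallowed J, simple bind with a bad password) both land in the same anonymous state, which is why the table need not carry J and I as separate columns.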