[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: LDAP terminology proposal

To: IETF ldapbis WG <ietf-ldapbis@OpenLDAP.org>
Subject: Re: LDAP terminology proposal
From: Mark Smith <mcs@pearlcrescent.com>
Date: Tue, 16 Nov 2004 11:40:43 -0500
In-reply-to: <Pine.LNX.4.61.0411151700590.9646@perp.cac.washington.edu>
References: <6.1.2.0.0.20041109134102.03279cc0@127.0.0.1> <Pine.LNX.4.61.0411151204380.23273@perp.cac.washington.edu> <6.1.2.0.0.20041115094400.02f1f8d0@127.0.0.1> <Pine.LNX.4.61.0411151700590.9646@perp.cac.washington.edu>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20040910

RL 'Bob' Morgan wrote:

OK, I believe we have consensus on this new terminology, and so direct the document editors to revise the drafts accordingly. This affects the protocol and authmeth drafts, and maybe the url draft, but not any of the others as far as I can tell.

I modified the second and third paragraphs of [LDAPURL]'s Security Considerations section to avoid the term "connection" (which was used quite a bit). In every instance except the last sentence of the third paragraph, I replaced "connection" with "LDAP session." Here is the revised text:

  The use of security mechanisms when processing LDAP URLs requires
  particular care, since clients may encounter many different servers
  via URLs, and since URLs are likely to be processed automatically,
  without user intervention. A client SHOULD have a user-configurable
  policy that controls which servers the client will establish LDAP
  sessions with using which security mechanisms, and SHOULD NOT
  establish LDAP sessions that are inconsistent with this policy.  If a
  client chooses to reuse an existing LDAP session when resolving one
  or more LDAP URLs, it MUST ensure that the session is compatible with
  the URL and that no security policies are violated.

  Sending authentication information, no matter the mechanism, may
  violate a user's privacy requirements.  In the absence of specific
  policy permitting authentication information to be sent to a server,
  a client should use an anonymous LDAP session.  (Note that clients
  conforming to previous LDAP URL specifications, where all LDAP
  sessions are anonymous and unprotected, are consistent with this
  specification; they simply have the default security policy.)  Simply
  opening a transport connection to another server may violate some
  users' privacy requirements, so clients should provide the user with
  a way to control URL processing.

Comments?

-Mark

Follow-Ups:
- Re: LDAP terminology proposal
  - From: Ludovic Poitou <Ludovic.Poitou@Sun.COM>
- Re: LDAP terminology proposal
  - From: "RL 'Bob' Morgan" <rlmorgan@washington.edu>

References:
- LDAP terminology proposal
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- Re: LDAP terminology proposal
  - From: "RL 'Bob' Morgan" <rlmorgan@washington.edu>
- Re: LDAP terminology proposal
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- Re: LDAP terminology proposal
  - From: "RL 'Bob' Morgan" <rlmorgan@washington.edu>

Prev by Date: Re: LDAP filter question
Next by Date: Re: LDAP terminology proposal
Index(es):
- Chronological
- Thread