[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: authmeth-15 notes

To: "Kurt Zeilenga" <Kurt@OpenLDAP.org>, "Hallvard B Furuseth" <h.b.furuseth@usit.uio.no>
Subject: Re: authmeth-15 notes
From: "Roger Harrison" <RHARRISON@novell.com>
Date: Thu, 13 Oct 2005 11:33:58 -0600
Cc: <ietf-ldapbis@OpenLDAP.org>
In-reply-to: <6.2.1.2.0.20050926211521.02a24ea0@mail.openldap.org>
References: <hbf.20050923ecmo@bombur.uio.no> <6.2.1.2.0.20050926211521.02a24ea0@mail.openldap.org>

I've made significant changes in authmeth-16 to this section based on Kurt's suggestions on the "Invalidated Authorization State" thread. I believe they will resolve the concerns raised below.

Thanks,

Roger

>>> "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> 09/26/05 10:35 pm >>>
At 03:26 PM 9/22/2005, Hallvard B Furuseth wrote:
>When was this decided?  Copied from my message
><http://www.openldap.org/lists/ietf-ldapbis/200503/msg00006.html>,
>
>  The last I remember, we gave up on having invalidated associations
>  return a result to a rejected request: thread 'Result code for
>  invalidated associations', 2004.

Well, I think we did reach consensus that result codes
describe why the requested operation could be successfully
completed.  They do not generally describe the authorization
state or other session level details.  LDAP does not offer
a general mechanism for communicating authorization state
changes at the server.

>  The whole mess about them doing so
>  just got too ugly.  Instead, if a request is rejected because the
>  association is invalidated, just send Notice of Disconnection and
>  terminate the session.  I don't remember which result code we ended
>  up with; I think that issue came up in several threads.

I think part of the problem is that we're trying to oversimply
authorization state, something which is inherently complex
given multiple factors and sophisticated policy controls.

If the authorization state is such that the server doesn't
want to continue, then certainly sending a notice of disconnect
and disconnecting would be appropriate.  However, there
are cases where authorization state allows the server to
continue.  Maybe for the requested operation the server
requires new authentication and hence returns
strongerAuthRequired.  Or maybe the server just performs the
operation but at reduced authorization level (for instance,
processing a search operation as if submitted anonymously
instead under the previously established authorization
identity).  That is, some authenticated authorization states
may allow no more (maybe even less) access than some anonymous
states.

Kurt

Follow-Ups:
- Re: authmeth-15 notes
  - From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
- authmeth-16 notes
  - From: Howard Chu <hyc@highlandsun.com>

Prev by Date: Re: authmeth-15 notes
Next by Date: Re: Extension: WG Last Call: draft-ietf-ldapbis-authmeth-15.txt
Index(es):
- Chronological
- Thread