I-D ACTION:draft-ietf-ldapext-hobs-00.txt



A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the LDAP Extension Working Group of the IETF.

	Title		: Hierarchical Operational Bindings - a profile
	Author(s)	: K. Richardson, A. Hodson, E. Andersen, 
                          L. Visser, P. Fantou, J. Pasquerau
	Filename	: draft-ietf-ldapext-hobs-00.txt
	Pages		: 21
	Date		: 31-Dec-97
	
      Where LDAP servers are based on X.500 DSAs for the holding of
      distributed Directory information, the maintenance of the
      necessary security and networking relationships between DSAs is
      an important factor to consider.
 
      The '93 X.500 Directory standards define HOB (Hierarchical
      Operational Binding) procedures for the creation of a new naming
      context in another DSA, and also for the maintenance of the
      relationship between two DSAs where one holds a superior naming
      context and the other holds a subordinate naming context.  The
      standards also define the use of the Directory Operational
      Binding Management Protocol (DOP) to mediate these procedures.
 
      The use of HOBs provides a major simplification for managers of
      X.500 systems, since it provides a way to update policies
      automatically from one DSA to another.  But practical design for
      HOBs requires decisions in a number of respects not fully
      treated by the standards.  This document simplifies the
      implementor's task by defining viable and practical subsets of
      the standards and by clarifying some of the issues left
      undefined by the standards.
 
      HOBs always represent an intimate relationship between DSAs
      which must be protected from masquerade. A method of providing
      this protection is given in the '93 Directory standards by
      requiring mutual authentication at the bind between DSAs. HOBs
      will normally only be established between DSAs owned by a single
      administrative authority, so security needs to be considered in
      this somewhat easier context than complete openness.
 
      Although simple unprotected authentication (name and password)
      can be a valid option in an already-secure environment, simple
      protected authentication using an encrypted password is
      potentially a much more secure technique, as is strong
      authentication using public key cryptography. All such
      techniques are validly used within the scope of this profile, as
      are techniques not defined but permitted by the Directory
      standards (these are known as "external" methods).
 
      Support of simple authentication is mandated for all
      implementations compliant with this profile.  Where this is not
      adequate, purchasers need to ensure that their requirements for
      are met.


Internet-Drafts are available by anonymous FTP.  Login with the username
"anonymous" and a password of your e-mail address.  After logging in,
type "cd internet-drafts" and then
	"get draft-ietf-ldapext-hobs-00.txt".
A URL for the Internet-Draft is:
ftp://ds.internic.net/internet-drafts/draft-ietf-ldapext-hobs-00.txt

Internet-Drafts directories are located at:

	Africa:	ftp.is.co.za
	
	Europe: ftp.nordu.net
		ftp.nis.garr.it
			
	Pacific Rim: munnari.oz.au
	
	US East Coast: ds.internic.net
	
	US West Coast: ftp.isi.edu

Internet-Drafts are also available by mail.

Send a message to:	mailserv@ds.internic.net.  In the body type:
	"FILE /internet-drafts/draft-ietf-ldapext-hobs-00.txt".
	
NOTE:	The mail server at ds.internic.net can return the document in
	MIME-encoded form by using the "mpack" utility.  To use this
	feature, insert the command "ENCODING mime" before the "FILE"
	command.  To decode the response(s), you will need "munpack" or
	a MIME-compliant mail reader.  Different MIME-compliant mail readers
	exhibit different behavior, especially when dealing with
	"multipart" MIME messages (i.e. documents which have been split
	up into multiple messages), so check your local documentation on
	how to manipulate these messages.
		
		
Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.