
RE: access scheme (fwd)



Third try...

Some days ago I tried twice to answer an article by Joey Oravec
<joey@sun.science.wayne.edu> on the ldap@umich.edu list without 
success (at least I didn't get it back from the list.) Also, a message
written to ldap-owner@umich.edu was not answered.

Anyhow, 'cause I think the topic is more for the extension list, I
will try to get my mail through on this channel...


Best regards,


Kurt Spanier


---------- Forwarded message ----------
Date: Mon, 2 Mar 1998 13:10:17 +0100 (CET)
From: Kurt Spanier <zrnsk01@zdv.uni-tuebingen.de>
Reply-To: Kurt Spanier <kurt.spanier@zdv.uni-tuebingen.de>
To: Joey Oravec <joey@sun.science.wayne.edu>
Cc: ldap@umich.edu
Subject: RE: access scheme

I think there's still another grain of salt:

What if you run a public directory, where both external and internal
users have access to the same database. However, you want to show more
information to the latter, but a restricted view to the former.

Now you say: THAT'S EASY, JUST USE THE DNs.

But wait! System administration is widely dispersed throughout your
organization and as long as the directory stuff is not really NEEDED 
for daily life no admin will spare a single thought to register
with your directory. PCs don't need LDAP to function, they need DNS.
And once you have an IP address, you can have tens of individuals using
that same machine. Why register them all?

So what about DNs or distributing passwords or building a central
authentication facility? As you might have guessed, my background is not a
well-organized Company but a loosely coupled University where a chaos
scientist would have his fun to work...

And a second point: there ARE indeed well-known LDAP clients integrated in
well-known WWW browsers that don't have any means of configuring a DN for
LDAP access :-(

What could you base your access restriction on in THAT situation ???


Regards,

Kurt


On Sun, 1 Mar 1998, Joey Oravec wrote:

> Date: Sun, 1 Mar 1998 18:13:07 -0500 (EST)
> From: Joey Oravec <joey@sun.science.wayne.edu>
> To: MALCOLM BOFF <Malcolm_Boff@compuserve.com>
> Cc: ldap@umich.edu
> Subject: RE: access scheme
> 
> On Sun, 1 Mar 1998, MALCOLM BOFF wrote:
> 
> > The strictly correct answer to this question is that 
> > 'ldap' does not support access control. The server side
> > of the Directory (X500, slapd etc) permits a level of
> > ACL which varies from system to system and is not 
> > specified specifically by the DAP protocol.
> 
> Okay, so I used the wrong term. I guess I was referring to the UMich slapd
> 3.3 and the Netscape server.
> 
> > The X500
> > system that I have been working with over the past 2
> > years contains a very comprehensive ACL which permits
> > the DIB and DSA administrators the ability to provide
> > very thorough security control.
> 
> I'm still not exactly clear. Do you use something like a userPassword=
> entry with that comprehensive ACL, or do you use an external database for
> authentication?
> 
> I saw an NIS patch somewhere, and it seemed like if I scrapped Kerb5 and
> went to NIS as my user database, I could hook it in. But I find it hard to
> believe that everybody uses that. Is it the case that people usually
> set up LDAP as an entirely independent password database using
> userPassword instead of hooking into some central authentication source?
> 
> Or, has everybody (anybody?) BUT me managed to get UMich slapd 3.3 which
> has Kerb4 support working with wax/max/xax500 using an MIT Kerb5 server? 
> 
> > It needs to be said however that this is not without a
> > penalty. Performing 'ldap searches' forces authentication
> > to be invoked at many levels and in my view this is
> > an area where the UMICH developers left out a very 
> > important call namely 'ldap_list' this permits a rapid
> > lookup without the authentication overhead and is 
> > particularly useful for use in web utilisation.
> 
> I'm not too sure about the internals of LDAP, but U-Mich has their
> services setup with Kerb4. I understand they're not exactly running
> www.switchboard.com on their server, but I would guess that they have a
> substantial number of lookups with their mail500 and other mail services.
> It seems to work pretty well for them, right?
> 
> I'm just wondering if I'm heading in the wrong direction looking for some
> central authentication system. LDAP is not useful enough to be the only
> "different" service on a network; the convenience of mail500 isn't worth
> having an entirely separate password. So how does everybody else do it?
> Force with heavy artillery?
> 
> -joey
> 
> 


----------==========#########>>>>>ZDV<<<<<#########==========----------

X.500:                                              Tel.:
   Kurt Spanier, Zentrum fuer Datenverarbeitung,      +49 7071 29-70334
   Universitaet Tuebingen, DE
SMTP-Mail:                                          FAX.:
   kurt.spanier@zdv.uni-tuebingen.de                   +49 7071 29-5912
Snail-Mail:
   Dr. Kurt Spanier, Zentrum fuer Datenverarbeitung,
   Universitaet Tuebingen, Brunnenstrasse 27, D-72074 Tuebingen
   (ab 1.3.98: Waechterstrasse 76, D-72074 Tuebingen)
PGP-Public-Key:
   finger "Kurt Spanier"@x500.uni-tuebingen.de

----------==========##########>>>>>@<<<<<##########==========----------
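The access scheme this thread circles around (one directory, a fuller view for internal users, a restricted view for outsiders, and the catch that some browser-integrated clients cannot bind with a DN at all) is sketched below as an added example. It is not code from the thread, from UMich slapd or from the Netscape server; the rule set, the campus address range, the sample entry and the attribute names are all constructed for the illustration, and the first-match evaluation only loosely follows how slapd ACL lines behave.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed campus address range (hypothetical; any private block would do).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Rule:
    """One 'access to attrs=... by ...' line, modelled loosely on slapd."""
    attrs: frozenset                # attributes governed by this rule
    by_dn: bool = False             # grant to any non-empty bind DN
    by_internal_addr: bool = False  # grant to unauthenticated campus clients
    by_anyone: bool = False         # grant to everybody, including anonymous


# Hypothetical policy: full view inside, restricted view outside.
RULES = [
    # No 'by' clause at all: nobody reads the stored password.
    Rule(frozenset({"userPassword"})),
    # Contact details: bound users from anywhere, or anonymous clients on campus.
    Rule(frozenset({"telephoneNumber", "roomNumber"}),
         by_dn=True, by_internal_addr=True),
    # Public core of the entry, readable by unauthenticated browser clients.
    Rule(frozenset({"cn", "mail"}), by_anyone=True),
]


def grant_basis(attr: str, bind_dn: str, peer_ip: str) -> Optional[str]:
    """Return which clause grants read access to `attr`, or None if denied.

    Rules are scanned first-match on the attribute, so an attribute that no
    rule mentions is denied by default. The returned basis ("anyone", "dn"
    or "addr") is what an audit log would record: an "addr" grant means the
    decision rests on the client machine, not on who is sitting at it.
    """
    client = ipaddress.ip_address(peer_ip)
    for rule in RULES:
        if attr not in rule.attrs:
            continue
        if rule.by_anyone:
            return "anyone"
        if rule.by_dn and bind_dn:
            return "dn"
        if rule.by_internal_addr and client in INTERNAL_NET:
            return "addr"
        return None           # the attribute matched a rule, nothing granted
    return None               # no rule mentions the attribute


def visible_entry(entry: dict, bind_dn: str, peer_ip: str) -> dict:
    """Filter a directory entry down to the attributes this client may read."""
    return {a: v for a, v in entry.items() if grant_basis(a, bind_dn, peer_ip)}


# Constructed sample entry; the values are placeholders.
ENTRY = {
    "cn": "Jane Example",
    "mail": "jane@example.edu",
    "telephoneNumber": "+1 555 0100",
    "roomNumber": "B12",
    "userPassword": "{crypt}PLACEHOLDER",
}

if __name__ == "__main__":
    clients = [
        ("anonymous, off campus", "", "192.0.2.10"),
        ("anonymous, campus PC", "", "10.1.2.3"),
        ("bound user, off campus", "cn=Jane Example,o=Example U", "192.0.2.10"),
    ]
    for label, dn, ip in clients:
        print(f"{label}: {sorted(visible_entry(ENTRY, dn, ip))}")
```

The "addr" basis is exactly the compromise Kurt describes: it lets a DN-less browser client on campus see the internal view, but it also hands that view to anyone who walks up to a shared campus machine. Keeping the basis in the access log makes that class of grant easy to count, and any attribute that should never reach an unauthenticated client belongs under a `by_dn`-only rule rather than an address rule.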