
ACL model & remote LDAP servers



draft-ietf-ldapext-acl-model-00.txt says:

>             The authentication service which validates the user's
>             logon needs to be able to retrieve ssai from the
>             directory, and create a credential which can be consumed
>             by the LDAP server or servers the subject needs to access
>             (This is represented by the arrows labelled 3. and 4. in
>             the diagram).

That's the only reference I can find to authentication across LDAP
servers.  Does it only mean that a user can authenticate to LDAP servers
that contain a replica of his "master entry"?  Or are LDAP servers
allowed to ask other servers to check credentials?  (I don't think so.
The figure in section 2.3 says nothing about LDAP servers contacting
other LDAP servers to authenticate.  I think I have a point to add to
the LDAP ACL vs X.500 ACI comparison:-)

-- 
Hallvard