[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: RFC2256: userPassword

To: 'Bruce Greenblatt' <bgreenblatt@dtasi.com>, dboreham@netscape.com, " ietf-ldapext@netscape.com" <ietf-ldapext@netscape.com>
Subject: RE: RFC2256: userPassword
From: Paul Leach <paulle@microsoft.com>
Date: Thu, 01 Jul 1999 09:58:52 -0700
Resent-date: Thu, 01 Jul 1999 10:05:47 -0700 (PDT)
Resent-from: ietf-ldapext@netscape.com
Resent-message-id: <"eWcCOC.A.kjF.l_5e3"@glacier>
Resent-sender: ietf-ldapext-request@netscape.com


> -----Original Message-----
> From: Bruce Greenblatt [mailto:bgreenblatt@dtasi.com]
> Sent: Thursday, July 01, 1999 7:42 AM
> To: dboreham@netscape.com; ietf-ldapext@netscape.com
> Subject: Re: RFC2256: userPassword
> 
> 
> Novell Directory Service has this extremely useful operation "Verify
> Password" that is available through its API set.  This allows 
> third party
> applications to authenticate users to its service in a way that is
> integrated with the directory without acutally have to log in to the
> directory on their behalf.  So, the application knows the 
> user's password
> for an instant...  Is this type of operation generally useful???

It completely depends on how it is implemented. I don't see how it can be
secure and do less than logging in to the directory would do. So, unless
it;s just a convenience API wrapper around logging in to the directory, I'd
be suspicious of it.

Paul

Prev by Date: Re: RFC2256: userPassword
Next by Date: RE: RFC2256: userPassword
Index(es):
- Chronological
- Thread