
RE: Authmeth/DIGEST-MD5



I still don't get it. Does the user have accounts _with the same user name_
in all those DITs? Or even more than one of them?

A realm is not a DIT. There can be many DITs in a single realm.

> -----Original Message-----
> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.Org]
> Sent: Friday, July 23, 1999 4:55 PM
> To: RL 'Bob' Morgan
> Cc: ietf-ldapext@netscape.com
> Subject: Re: Authmeth/DIGEST-MD5
> 
> Yes, you are thinking in terms of an enterprise... I am thinking in terms
> of a commercial hosting service.  If the service is hosting 1000s of
> independent DITs, then 1000 or more realms would have to be sent to the
> client.  Besides being a long list, the server administrator may not want
> to expose all realms to all users (because maybe he doesn't want left to
> know about right and vice versa).  Without a target, you force the service
> provider to use multiple IP:port pairs for each independent DIT they host.
> Yuk!

There don't have to be many IP addresses; there can be many DNS names.

This is not an authentication issue. Either LDAP allows the caller to
specify the DIT they want to bind to early enough that the server can use that
info to influence authentication, or it doesn't. HTTP, for example, easily
supports many virtual web sites on a single host because the GET request
supplies the full site name; hence it is easy for an HTTP server to
determine what realm to send back to authenticate a particular request.

Paul
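The two exchanges being contrasted in this thread, as an added example that is not part of the original messages: on the HTTP side the request names the virtual host, so the server can challenge with the one realm that host maps to; on the SASL DIGEST-MD5 side nothing has named a target when the bind arrives, so a server hosting several DITs has to offer every realm in its challenge (RFC 2831 permits several realm directives) and then rely on the realm the client picks to find the right password store. The hostnames, realms, DIT names, users and passwords are all constructed for the example; the RFC 2831 response computation is reproduced so the realm's role in the hash is visible.

```python
"""Added example: realm selection under HTTP Digest vs. SASL DIGEST-MD5 on a
host that serves several independent DITs.  All data below is constructed."""
import hashlib
import hmac

# Constructed: three independent DITs on one server, each with its own realm.
# The same user name exists in two of them (the case asked about above).
DITS = {
    "dc=left,dc=example":  {"realm": "left.example",  "users": {"alice": "left-pw"}},
    "dc=right,dc=example": {"realm": "right.example", "users": {"alice": "right-pw"}},
    "dc=other,dc=example": {"realm": "other.example", "users": {"bob": "bob-pw"}},
}

# Constructed: DNS names that select a DIT ("many DNS names", not many IPs).
VHOSTS = {
    "ldap.left.example":  "dc=left,dc=example",
    "ldap.right.example": "dc=right,dc=example",
    "ldap.other.example": "dc=other,dc=example",
}


def hosted_realms():
    """Every realm this server would have to advertise without a target."""
    return [info["realm"] for info in DITS.values()]


def http_digest_challenge(request_headers, nonce):
    """HTTP: the Host header names the site, so one realm goes back."""
    dit = VHOSTS[request_headers["Host"]]
    realm = DITS[dit]["realm"]
    return f'Digest realm="{realm}", nonce="{nonce}", qop="auth", algorithm=MD5'


def sasl_digest_md5_challenge(nonce):
    """SASL DIGEST-MD5: no target yet, so list all realms (RFC 2831 allows
    multiple realm directives in the digest-challenge)."""
    realms = ",".join(f'realm="{r}"' for r in hosted_realms())
    return f'{realms},nonce="{nonce}",qop="auth",charset=utf-8,algorithm=md5-sess'


def _h(data):
    return hashlib.md5(data).digest()


def _hexh(data):
    return hashlib.md5(data).hexdigest()


def digest_md5_response(user, realm, password, nonce, cnonce, nc, digest_uri, qop="auth"):
    """RFC 2831 response-value (no authzid).  The realm is hashed into A1, so the
    server can only verify against the password store that realm denotes."""
    a1 = _h(f"{user}:{realm}:{password}".encode()) + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    return _hexh(f"{_hexh(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_hexh(a2)}".encode())


def server_verify(client_fields, nonce):
    """Server side of the SASL exchange: the realm the client echoed back selects
    the DIT; recompute the response from that DIT's password.  Returns the DIT
    the user authenticated against, or None."""
    realm = client_fields["realm"]
    dit = next((d for d, info in DITS.items() if info["realm"] == realm), None)
    if dit is None:
        return None
    password = DITS[dit]["users"].get(client_fields["username"])
    if password is None:
        return None
    expected = digest_md5_response(
        client_fields["username"], realm, password, nonce,
        client_fields["cnonce"], client_fields["nc"], client_fields["digest-uri"],
    )
    return dit if hmac.compare_digest(expected, client_fields["response"]) else None


if __name__ == "__main__":
    nonce = "server-nonce-1"
    print(http_digest_challenge({"Host": "ldap.right.example"}, nonce))
    print(sasl_digest_md5_challenge(nonce))
    resp = digest_md5_response("alice", "right.example", "right-pw", nonce,
                               "client-nonce", "00000001", "ldap/ldap.right.example")
    fields = {"username": "alice", "realm": "right.example", "cnonce": "client-nonce",
              "nc": "00000001", "digest-uri": "ldap/ldap.right.example", "response": resp}
    print(server_verify(fields, nonce))
```

The SASL challenge grows with the number of hosted DITs and discloses all of them to every client, which is the objection in the quoted message; the HTTP challenge does not, because the Host header already fixed the target. In `server_verify`, a client that names the wrong realm for a user name that exists in two DITs fails, since the other DIT's password is hashed in: with only the user name and no target, the server could not have chosen.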