
RE: Authmeth/DIGEST-MD5




> -----Original Message-----
> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.Org]
> Sent: Friday, July 23, 1999 7:42 PM
> 
> "Paul Leach (Exchange)" wrote:
> > I still don't get it. Does the user have accounts _with the same user name_
> > in all those DITs? Or even more than one of them?
> > 
> > A realm is not a DIT. There can be many DITs in a single realm.
> 
> And there can be many realms in a DIT.

Why is it useful to have many realms in a DIT? In fact, what do realms have
to do with DITs at all?

> Giving the user a long list of realms to choose from makes no sense if the
> directory service has stored the hash of user:realm:password for a small
> subset of the possible realms the server might be aware of.

So don't give them a long list of realms, if you know that the user could
only be interested in a few. Nothing says that the application protocol
implementation can't interact with the DIGEST implementation to tell it
which realms to return. That's totally outside the realm of the DIGEST
protocol itself.

Paul
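
The following sketch is an added example, not part of the original message or of any DIGEST-MD5 implementation. It shows one way the application layer could hand a realm hint to the digest layer so that the challenge lists only realms for which a user:realm:password hash is stored; the store contents, realm names, and function names are all constructed for illustration.

```python
import hashlib
import secrets

def stored_secret(user, realm, password):
    """H(user:realm:password): the per-realm value the directory stores."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode("utf-8")).digest()

# Every realm this server is aware of (constructed sample names).
ALL_REALMS = ["example.com", "eng.example.com", "sales.example.com", "lab.example.com"]

# Constructed sample store: (user, realm) -> stored hash.
# Only a subset of ALL_REALMS has any hash at all.
STORE = {
    ("alice", "example.com"): stored_secret("alice", "example.com", "pw-a1"),
    ("alice", "eng.example.com"): stored_secret("alice", "eng.example.com", "pw-a2"),
    ("bob", "sales.example.com"): stored_secret("bob", "sales.example.com", "pw-b1"),
}

def realms_to_offer(app_hint=None):
    """Realms worth putting in the challenge.

    Starts from realms that have at least one stored hash, then narrows to
    the set the application protocol says the user could be interested in.
    The hint mechanism is hypothetical; it sits outside the digest exchange.
    """
    populated = {realm for (_, realm) in STORE}
    candidates = [r for r in ALL_REALMS if r in populated]
    if app_hint is not None:
        candidates = [r for r in candidates if r in app_hint]
    return candidates

def build_challenge(realms, nonce=None):
    """Serialize a digest-challenge with one realm directive per offered realm.

    Assumes realm names contain no characters that need quoted-string escaping.
    """
    nonce = nonce or secrets.token_hex(16)
    parts = [f'realm="{r}"' for r in realms]
    parts += [f'nonce="{nonce}"', 'qop="auth"', "charset=utf-8", "algorithm=md5-sess"]
    return ",".join(parts)

def lookup_secret(user, realm, offered):
    """Return the stored hash only if the client picked a realm that was offered."""
    if realm not in offered:
        return None
    return STORE.get((user, realm))

if __name__ == "__main__":
    offered = realms_to_offer(app_hint={"eng.example.com", "lab.example.com"})
    print(build_challenge(offered))
```
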