
Re: DN types and IP addresses in draft-ietf-ldapext-acl-model-04.txt



My point is there is a mechanism for this: define a new DN type.  I don't think you should try to overload the "access id" DN type.  It clearly states the subjectDN must be a "DN that can be authenticated" if the DN type is "access id".  If you want to allow anything, why not define a new DN type "other" and define it as a string.

As you pointed out, the current model assumes the format is LDAPDN if subjectDN is a real DN.  In my opinion this will lead to problems, as vendors assume differently about what a "real DN" is.  Is it any string that looks like an LDAPDN?  Is it only DNs that exist in the directory?

David

>>> Ellen Stokes <stokes@austin.ibm.com> 10/19/99 4:14:45 AM >>>
Thanks for pointing out the conflicting statements.  I'll fix.
The intent here is to support more than just DN in the subject DN, such as
ipaddress.  You'll notice that we've defined subjectDN to be a LDAPstring
instead of a LDAPDN to allow those alternative non-DN subjects.  But if you're
using a real DN, then it is assumed that the format you'll be using in subjectDN
is LDAPDN (which is really a subset of LDAPstring).
Ellen

At 09:48 AM 10/14/1999 -0600, David Ward wrote:
>Section 6.2.2 defines the DN types access-id, group, and role.  It states,
>"an access-id is a non-collection (non-group and non-role objects) DN that
>can be authenticated."  If I am understanding this correctly, this means
>the <subjectDN> must be a DN if the <dnType> is access-id.
>
>However, in section 8, the subjectDN parameter for the controls &
>extensions is opened up to include "a DN or another string such as
>IPAddress".  How is the subjectDN parameter different than the subjectDN in
>the ACI attribute?  The controls & extensions calculate effective rights
>for a subject.  What would it mean to calculate the effective rights of an
>IP address?
>
>According to the definition in 6.2.2, you cannot use an IPAddress as the
>subject in the ACI attribute.  If someone wants to support IP addresses as
>the subject in an ACI, section 6.2.2 indicates this can be done by defining
>an additional DN type.
>
>David
>
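The point at issue in the thread is what an implementation should accept in subjectDN for a given dnType, and what "a real DN" means once subjectDN is an LDAPstring rather than an LDAPDN. The following is an added example, not code from the draft, from IBM, or from either correspondent. It assumes the draft's LDAPDN follows RFC 2253 string syntax, uses a constructed in-memory directory as a stand-in for "DNs that exist in the directory", and adds a hypothetical "other" dnType as David proposes. It shows the two readings of "real DN" diverging on a string like "cn=192.168.0.1,o=example", which parses as a DN but names no entry.

```python
"""Illustrative subjectDN validation for an LDAP ACI model (added example).

Assumptions (not from the draft): LDAPDN syntax is RFC 2253-style; the
dnTypes are "access-id", "group", "role" and a proposed "other"; a DN
"exists" if it is in the constructed DIRECTORY set below.
"""
import ipaddress
import re
import string

# Attribute type: a descriptor (cn, ou, ...) or a dotted OID.
_ATTR_TYPE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$")


def parse_dn(s):
    """Parse an RFC 2253-style DN string into a list of RDNs.

    Each RDN is a list of (type, value) pairs ("+" joins multi-valued RDNs).
    Returns None if the string is not a syntactically valid DN.
    Simplification: empty attribute values are rejected.
    """
    if not isinstance(s, str) or not s.strip():
        return None
    rdns, rdn, buf, attr = [], [], [], None
    i, n = 0, len(s)
    while i < n:
        c = s[i]
        if c == "\\":
            # "\XX" hex pair or "\<char>" literal escape
            if i + 2 < n and all(ch in string.hexdigits for ch in s[i + 1:i + 3]):
                buf.append(chr(int(s[i + 1:i + 3], 16)))
                i += 3
            elif i + 1 < n:
                buf.append(s[i + 1])
                i += 2
            else:
                return None            # dangling backslash
            continue
        if c == "=" and attr is None:
            attr = "".join(buf).strip()
            if not _ATTR_TYPE.match(attr):
                return None
            buf = []
        elif c in ",;+":
            if attr is None:
                return None            # separator before any "type="
            value = "".join(buf).strip()
            if not value:
                return None
            rdn.append((attr.lower(), value))
            attr, buf = None, []
            if c != "+":
                rdns.append(rdn)
                rdn = []
        else:
            buf.append(c)
        i += 1
    if attr is None:
        return None                    # no "type=value" at all, e.g. "192.168.0.1"
    value = "".join(buf).strip()
    if not value:
        return None
    rdn.append((attr.lower(), value))
    rdns.append(rdn)
    return rdns


def normalize_dn(rdns):
    """Canonical string for directory lookup (assumes case-insensitive values)."""
    return ",".join("+".join(f"{t}={v.lower()}" for t, v in rdn) for rdn in rdns)


# Constructed sample directory: the only entries that "exist".
DIRECTORY = {
    normalize_dn(parse_dn(dn))
    for dn in ("cn=David Ward,ou=People,o=example",
               "cn=Ellen Stokes,ou=People,o=example",
               "cn=Editors,ou=Groups,o=example")
}


def check_subject(dn_type, subject, directory=DIRECTORY):
    """Decide whether (dnType, subjectDN) is acceptable under the stricter reading.

    access-id/group/role: subjectDN must parse as an LDAPDN AND name an entry.
    other (hypothetical): any string; reported as IP or plain string.
    """
    if dn_type == "other":
        try:
            ipaddress.ip_address(subject)
            return "accepted-other-ip"
        except ValueError:
            return "accepted-other-string"
    if dn_type not in ("access-id", "group", "role"):
        return "rejected-unknown-dntype"
    rdns = parse_dn(subject)
    if rdns is None:
        return "rejected-not-a-dn"
    if normalize_dn(rdns) not in directory:
        return "rejected-dn-not-in-directory"
    return "accepted-dn"
```

Under a looser reading that accepts "any string that looks like an LDAPDN", the "rejected-dn-not-in-directory" branch would collapse into "accepted-dn", which is exactly the vendor-to-vendor divergence the message warns about; the "other" dnType sidesteps it by never pretending the IP address is a DN.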