
Re: DN types and IP addresses in draft-ietf-ldapext-acl-model-04.txt

David Ward schrieb:
> 
> My point is there is a mechanism to this, define a new DN type.  I don't think you should try to overload the "access id" DN type.  It clearly states the subjectDN must be a "DN that can be authenticated" if DN type is "access id".  If you want to allow anything, why not define a new DN type "other" and define it as a string.
> 
> As you pointed out, the current model assumes the format is LDAPDN if subjectDN is a real DN.  In my opinion this will lead to problems, as venders assume differently about what a "real DN" is.  Is it any string that is looks like a LDAPDN?  Is it only DNs that exist in the directory?

In my opinion it is an LDAPDN; that doesn't mean it has to exist in the
actual server. It can be stored in any other LDAP server, or it can be the DN
which is in my certificate, so you can give me access to some part of your
Novell directory without having my entry (CN=Volpers, O=siemens). I can bind
with SSL and client authentication, and if you trust my CA you have my DN.

Helmut
> 
> David
> 
> >>> Ellen Stokes <stokes@austin.ibm.com> 10/19/99 4:14:45 AM >>>
> Thanks for pointing out the conflicting statements.  I'll fix.
> The intent here is to support more than just DN in the subject DN, such as
> ipaddress.  You'll notice that we've defined subjectDN to be a LDAPstring
> instead of a LDAPDN to allow those alternative non-DN subjects.  But if you're
> using a real DN, then it is assumed that the format you'll be using in subjectDN
> is LDAPDN (which is really a subset of LDAPstring).
> Ellen
> 
> At 09:48 AM 10/14/1999 -0600, David Ward wrote:
> >Section 6.2.2 defines the DN types access-id, group, and role.  It states,
> >"an access-id is a non-collection (non-group and non-role objects) DN that
> >can be authenticated."  If I am understanding this correctly, this means
> >the <subjectDN> must be a DN if the <dnType> is access-id.
> >
> >However, in section 8, the subjectDN parameter for the controls &
> >extensions is opened up to include "a DN or another string such as
> >IPAddress".  How is the subjectDN parameter different than the subjectDN in
> >the ACI attribute?  The controls & extensions calculate effective rights
> >for a subject.  What would it mean to calculate the effective rights of an
> >IP address?
> >
> >According to the definition in 6.2.2, you can not use an IPAddress as the
> >subject in the ACI attribute.  If someone wants to support IP addresses as
> >the subject in an ACI, section 6.2.2 indicates this can be done by defining
> >an additional DN type.
> >
> >David
> >
begin:vcard 
n:Volpers;Helmut
tel;work:+49-89-636-46713
x-mozilla-html:FALSE
url:http://www.siemens.com/bus-com
org:Siemens AG
adr:;;;;;;
version:2.1
email;internet:Helmut.Volpers@icn.siemens.de
title:Directory Server Architect
fn:Helmut Volpers
end:vcard
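As an added illustration (not text from the draft or from anyone in the thread), a small validator that enforces the distinction the thread is about: access-id, group and role subjects must be LDAPDN syntax, which need not exist in the local server, while a separate string-typed subject such as an IP address gets its own check instead of being overloaded onto access-id. The "ipaddress" dnType and the simplified RFC 2253 parse are assumptions.

```python
"""Validate an ACI subject against its dnType.

Added illustration, not the draft's or the list's code. Assumptions:
- access-id, group and role are the draft's DN types (section 6.2.2);
  "ipaddress" is a hypothetical extra type standing in for "define a new
  DN type" for non-DN subjects.
- The DN check is a simplified RFC 2253 parse (attr=value RDNs separated
  by unescaped commas), enough to reject free-form strings and IPs.
"""
import ipaddress
import re

# One RDN: attribute type, "=", a value in which "\x" escapes are allowed.
_RDN = re.compile(r'^\s*[A-Za-z][A-Za-z0-9-]*\s*=\s*(?:\\.|[^,\\])+$')

DN_TYPES = ("access-id", "group", "role")   # draft section 6.2.2
STRING_TYPES = {"ipaddress": "ip"}           # hypothetical extension type


def is_ldap_dn(s):
    """True if every comma-separated RDN looks like attr=value (simplified)."""
    if not s.strip():
        return False
    rdns = re.split(r'(?<!\\),', s)          # split only on unescaped commas
    return all(_RDN.match(r) for r in rdns)


def check_subject(dn_type, subject):
    """Return (ok, reason) for a subjectDN value under the given dnType.

    DN types require LDAPDN syntax only; existence in this server is not
    required (the DN may come from a client certificate, for example).
    String types are checked with their own syntax, never as a DN.
    """
    if dn_type in DN_TYPES:
        if is_ldap_dn(subject):
            return True, "LDAPDN syntax"
        return False, "%s requires an LDAPDN, got %r" % (dn_type, subject)
    if dn_type in STRING_TYPES:
        try:
            ipaddress.ip_address(subject)
            return True, "IP address"
        except ValueError:
            return False, "not an IP address: %r" % subject
    return False, "unknown dnType %r" % dn_type
```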