
RE: C LDAP API: security considerations

>>>
Policies are set by administrators, not client applications, and the admins
expect the policies to be enforced across all applications. That means that
policy enforcement must not be left to the application.
That's why, even if you did have an example of a policy, I'd say that it
should be enforced below the LDAP API, not by the application.
Paul
<<<

This implies a much simpler solution - add a flag to the returned referral
indicating the level of authentication that must be used to chase the
referral. Such a flag should be stored with the individual referral nodes.
Clearly whoever placed the referral record into the directory will have a
better idea of the correct policy than anyone else in the chain of events.
Best would be a global switch in the server config for a default, which
could be overridden on specific referral records by privileged admins.
  -- Howard
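What the proposal above amounts to on the client side, written out as an added illustration that is not code from this thread or from any LDAP library: a server-wide default authentication level, an optional per-referral override, and a client that compares its current bind strength against the level the referral demands before chasing it. The `AuthLevel` ordering, the `auth_level` key on a referral record and the referral records themselves are constructed for this example; an override that cannot be interpreted is treated as the strictest level so the client fails closed rather than chasing with weaker credentials.

```python
from enum import IntEnum


class AuthLevel(IntEnum):
    """Hypothetical ordering of bind strengths, weakest first."""
    ANONYMOUS = 0
    SIMPLE = 1       # password in the clear
    SIMPLE_TLS = 2   # password under TLS
    SASL = 3         # SASL mechanism, e.g. GSSAPI


class ReferralPolicy:
    """Server-wide default with per-referral overrides, as Howard suggests."""

    def __init__(self, server_default: AuthLevel):
        self.server_default = server_default

    def required_level(self, referral: dict) -> AuthLevel:
        # Hypothetical per-record flag; absent means "use the server default".
        override = referral.get("auth_level")
        if override is None:
            return self.server_default
        try:
            return AuthLevel(int(override))
        except (TypeError, ValueError):
            # Unreadable policy flag: fail closed by demanding the strongest level.
            return max(AuthLevel)

    def may_chase(self, referral: dict, current_level: AuthLevel) -> bool:
        return current_level >= self.required_level(referral)


def plan_referrals(policy: ReferralPolicy, referrals: list, current_level: AuthLevel):
    """Return (url, decision, required_level_name) for each referral.

    decision is "chase" when the current bind is strong enough, otherwise
    "refuse": the client must not silently downgrade to follow the referral.
    """
    plan = []
    for ref in referrals:
        required = policy.required_level(ref)
        decision = "chase" if policy.may_chase(ref, current_level) else "refuse"
        plan.append((ref["url"], decision, required.name))
    return plan


# Constructed sample referral records (not real hosts or directory data).
SAMPLE_REFERRALS = [
    {"url": "ldap://dir-a.example/ou=people,dc=example"},                    # no flag -> default
    {"url": "ldap://dir-b.example/ou=public,dc=example", "auth_level": 0},   # admin allowed anonymous
    {"url": "ldap://dir-c.example/ou=hr,dc=example", "auth_level": 3},       # admin demands SASL
    {"url": "ldap://dir-d.example/ou=odd,dc=example", "auth_level": "bogus"},  # corrupt flag
]


def demo():
    policy = ReferralPolicy(server_default=AuthLevel.SIMPLE_TLS)
    return plan_referrals(policy, SAMPLE_REFERRALS, current_level=AuthLevel.SIMPLE_TLS)


if __name__ == "__main__":
    for url, decision, level in demo():
        print(f"{decision:6} {url}  (requires {level})")
```

Bound with a password under TLS, the client chases the first two referrals, refuses the HR one because its record demands SASL, and refuses the record whose flag is unreadable. The override check sits entirely inside `ReferralPolicy`, which is the point of the thread: the application calling the API never has to know the policy exists.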