
Re: LDAP URI extensions for SASL/StartTLS



At 01:48 PM 12/2/99 +0100, Leif Johansson wrote:
>
>
>> We only provide a mechanism that allows servers to advertise
>> the existence of features.  We do not provide mechanism to
>> describe how, when, and by whom they may be used.
>> 
>
>Now you are talking policy again :-). This, I believe has been
>made clear by several threads on this list, is a difficult 
>problem -- recall the recent C-api policy discussion for instance.
>Do you claim that you can find a way to map all of that to URIs and
>more importantly: should you do it even if you could?

No and no.

I (a user) want a way of expressing my a priori knowledge to the
client (say an off the shelf general purpose (LDAP-aware) web
browser) so that it can perform an LDAP search on my behalf.
The LDAP search operation requires binding to the directory
using a standards-track SASL mechanism and allows use of
standards-track extended operations prior to performing the
search.

ldap://server/dc=openldap,dc=org????!tls,!sasl=external

I believe it is much easier to provide a mechanism(s) for users
to impart their a priori knowledge to clients than it is to define
a standard, general mechanism that servers may use to describe
to clients when, how, what, and who may perform a simple, single,
secure search (let alone describing policy affecting other
sets of operations).

I also believe we need experience on methods for expressing
the user's a priori knowledge to the client before we can hope
to be able to design and deploy mechanisms which eliminate
the need for users to have a priori knowledge.

----
Kurt D. Zeilenga		<kurt@boolean.net>
Net Boolean Incorporated	<http://www.boolean.net/>
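As an added illustration (example code, not part of the message above and not OpenLDAP's own code), here is a small Python parser for the URL form used in the message: it splits an RFC 2255-style LDAP URL into its `dn?attrs?scope?filter?exts` fields, reads the extension list, and turns the user's a priori knowledge (`!tls`, `!sasl=external`) into an ordered list of client steps. The point it demonstrates is the criticality flag: a `!`-prefixed extension the client does not understand must abort the operation, while an unknown non-critical extension may be dropped. The step names and the mapping of `tls`/`sasl` to actions are this example's own assumptions, not a standardised mapping.

```python
"""Parse an LDAP URL (RFC 2255 layout: ldap://host/dn?attrs?scope?filter?exts)
and derive the client steps implied by the extensions a user supplied.
The 'tls' and 'sasl=external' extension names come from the message above;
the step names and the handling of those two extensions are assumptions
made for this example only."""
from urllib.parse import unquote

# RFC 2255 scope keywords; an empty scope field defaults to base.
SCOPES = {"": "base", "base": "base", "one": "one", "sub": "sub"}


def parse_extensions(ext_field):
    """Split the extensions field into (name, value, critical) triples.
    A leading '!' marks the extension critical: a client that does not
    understand it must not proceed (RFC 2255 semantics)."""
    result = []
    for raw in ext_field.split(","):
        if not raw:
            continue
        critical = raw.startswith("!")
        body = raw[1:] if critical else raw
        name, sep, value = body.partition("=")
        result.append((unquote(name).lower(), unquote(value) if sep else None, critical))
    return result


def parse_ldap_url(url):
    """Split an LDAP URL into its components, applying RFC 2255 defaults."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    hostport, _, tail = rest.partition("/")
    # At most five '?'-separated fields after the DN; pad the missing ones.
    fields = tail.split("?", 4) + [""] * 5
    dn, attrs, scope, filt, exts = fields[:5]
    if scope.lower() not in SCOPES:
        raise ValueError("bad scope: %r" % scope)
    return {
        "scheme": scheme.lower(),
        "host": hostport,  # may be empty, meaning "use a default server"
        "dn": unquote(dn),
        "attributes": [unquote(a) for a in attrs.split(",") if a],
        "scope": SCOPES[scope.lower()],
        "filter": unquote(filt) or "(objectClass=*)",  # RFC 2255 default filter
        "extensions": parse_extensions(exts),
    }


def plan_connection(parsed):
    """Turn the URL's extensions into an ordered list of client actions.
    Unknown critical extensions abort; unknown non-critical ones are
    dropped, which is exactly the distinction the '!' prefix exists for.
    Returns (steps, ignored_extension_names)."""
    steps, ignored = [], []
    want_tls = False
    sasl_mech = None
    for name, value, critical in parsed["extensions"]:
        if name == "tls":            # assumption: 'tls' means StartTLS before bind
            want_tls = True
        elif name == "sasl":         # assumption: 'sasl=<mech>' names the bind mechanism
            if not value:
                raise ValueError("sasl extension needs a mechanism name")
            sasl_mech = value.upper()
        elif critical:
            raise ValueError("unsupported critical extension %r; refusing to proceed" % name)
        else:
            ignored.append(name)
    if want_tls:
        # Protect the channel before any bind so credentials never travel in clear.
        steps.append(("start_tls", None))
    if sasl_mech:
        steps.append(("bind_sasl", sasl_mech))
    steps.append(("search", (parsed["dn"], parsed["scope"], parsed["filter"])))
    return steps, ignored


# The URL from the message above, used as sample input.
URL = "ldap://server/dc=openldap,dc=org????!tls,!sasl=external"


def demo(url=URL):
    return plan_connection(parse_ldap_url(url))


if __name__ == "__main__":
    print(demo())
```

Running the block prints the three steps a client would take for the URL in the message: StartTLS, a SASL EXTERNAL bind, then a base-scope search on `dc=openldap,dc=org` with the default filter. Replacing `!sasl=external` with `!x-unknown` makes `plan_connection` raise, whereas `x-unknown` without the `!` is merely reported in the ignored list.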