[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: New draft on knowledge references in LDAP

To: Roland Hedberg <roland@catalogix.ac.se>
Subject: RE: New draft on knowledge references in LDAP
From: "Lloyd, Alan" <Alan.Lloyd@ca.com>
Date: Fri, 14 Jul 2000 01:35:10 +1000
Cc: ietf-ldapext@netscape.com

comments in line ????

-----Original Message-----
From: Roland Hedberg [mailto:roland@catalogix.ac.se]
Sent: Thursday, July 13, 2000 11:00 PM
To: Lloyd, Alan
Cc: ietf-ldapext@netscape.com
Subject: Re: New draft on knowledge references in LDAP 

Hi Alan,

> All very good - but what about systems where one has to authenticate the
> users.. and the referred to servers have to know all the users through
their
> directory entries. The ...

Admittedly, this is a problem that the draft does not even try to solve.

Alan: yet below you say this is not a problem when it is???

> Therefore for LDAP referrals to work at all in this type of system the
> knowledge of the servers must be "public" to any user of the system.
..snip..
> I think the security considerations should say...Because distributed
mutual
> authentication is not possible with LDAP servers - the referral knowledge
> must always be public.

I don't agree.

Alan: logic error warning...

I can see usages where a organization would like to keep some
references hidden from the anonymous user, but accessible for
users that are authenticated. 

alan: Therefore - the referal is not public therefore it does not exist in
this context..As said for a referal to exists it needs to be public if the
user needs to use it and if the user does use it - they will be public anon
on the referred server - However, if the user is authenticated on this
server to get a referral to anaother server, then a) he is anon on that
server or they information is replicated to that server so they can be
authenticated..And if they are replicated why have a referal - and one needs
authentication on one server to get a referal to a pulic server where one is
not authenticated - why would i do that???.

Worth noting in this case is that for some usages several users might 
be allowed to authenticate as the same entry and that therefore the 
amount of information that has to be replicated between cooperating 
servers are rather limited.

Interesting - I deal with systems targetting 300m users... we dont have this
problem or even need to think about manageing that with X.500 -

My belief - once you replicate - you create a security issue..and an
operational cost..Its best to buy the technology that removes the problems
rather than systems that create a minefield of operational problems and poor
security eh!

regards as always alan
-- Roland
------------------------------------------------
Roland Hedberg      phone     : +47 23 08 29 96
Dalsveien 53        mobile(NO): +47 90 66 44 52
No-0775 Oslo        mobile(SE): +46 70 520 420 3
Norway

Prev by Date: RE: Unique identifiers for LDAP attributes
Next by Date: RE: Revised Matched Values Draft
Index(es):
- Chronological
- Thread