
Comments Access Control Model - authentication levels 2

The more I read Section 4.2.3, the less I understand the difference
between "any" as an authnLevel and an omitted authnLevel.

There are three statements in 4.2.3 that I am trying to figure out.
I'm rephrasing them here:

 1. No authnLevel -> no specific type of authentication is required

 2. LDAP simple auth with no password is 'anonymous'

 3. 'any' -> any mechanism except "no authentication"

So here are my questions:

 A. Is an omitted authnLevel equivalent to 'any'?

 B. Is an omitted authnLevel equivalent to the union of 'any' and
    'anonymous'?  [This would be a fairly dangerous situation.]

 C. Does an omitted authnLevel mean "anyone bound with a non-null user
    ID"?  [This seems just about as dangerous as B.]

 D. Is there a difference between a BIND with a non-null user ID and
    BIND with a null user ID if the password is null (anonymous and
    more anonymous)?  [This is the anonymous vs. unauthenticated issue
    discussed at the LDAPBIS session last week.]

 E. If so, does 'anonymous' mean "any or no user ID as long as the
    password is null"?

I think I lean towards YES on A and E, NO on B and C.  I could live
with either answer to D, but if it is YES, we need an explicit
authnLevel to recognize 'unauthenticated'; it should not be included
when the ACI omits the authnLevel.

Rick Huber
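As an added illustration (not part of Rick's message and not code from the access control model draft), the following Python models the three bind outcomes the questions turn on (null name + null password, non-null name + null password, and a name with a verified password) and evaluates an ACI authnLevel against them. Interpretation A (omitted authnLevel behaves like 'any') is the default, interpretation B (omitted = 'any' plus 'anonymous') is selectable so the difference can be tested, and 'unauthenticated' is modelled as its own explicit level, matching the suggestion that it should not ride along with an omitted authnLevel. The level names and the credential table are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed names for the three outcomes of an LDAP simple bind
# discussed in the thread; they are not identifiers from the draft.
ANONYMOUS = "anonymous"              # null name and null password
UNAUTHENTICATED = "unauthenticated"  # non-null name, null password
SIMPLE = "simple"                    # non-null name, password verified

# Constructed credential table (sha256 of the password) for the example.
_CREDS = {
    "cn=rick,o=example": hashlib.sha256(b"correct-horse").hexdigest(),
}


def verify_password(dn: str, password: str) -> bool:
    """Constant-time check of a simple-bind password against the table."""
    expected = _CREDS.get(dn)
    if expected is None:
        return False
    given = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(expected, given)


@dataclass(frozen=True)
class BindRequest:
    dn: str
    password: str


def classify_bind(req: BindRequest,
                  verify: Callable[[str, str], bool] = verify_password) -> Optional[str]:
    """Return the level a simple bind establishes, or None if the bind is rejected.

    A password with no name is rejected outright; a wrong password is rejected.
    A non-null name with a null password is kept distinct from anonymous so an
    ACL can treat it differently (question D in the message).
    """
    if not req.dn and not req.password:
        return ANONYMOUS
    if req.dn and not req.password:
        return UNAUTHENTICATED
    if not req.dn:
        return None
    return SIMPLE if verify(req.dn, req.password) else None


def aci_permits(authn_level: Optional[str], bind_level: str,
                omitted_semantics: str = "A") -> bool:
    """Decide whether an ACI with the given authnLevel applies to a bind level.

    authn_level None means the ACI omitted authnLevel.  omitted_semantics "A"
    treats that as 'any'; "B" treats it as the union of 'any' and 'anonymous'.
    Under neither reading does an omitted authnLevel cover 'unauthenticated'.
    """
    if authn_level == "anonymous":
        return bind_level == ANONYMOUS
    if authn_level == "unauthenticated":
        return bind_level == UNAUTHENTICATED
    if authn_level == "any":
        # any mechanism except "no authentication": only verified binds qualify
        return bind_level == SIMPLE
    if authn_level is None:
        if bind_level == SIMPLE:
            return True
        return omitted_semantics == "B" and bind_level == ANONYMOUS
    raise ValueError(f"unknown authnLevel {authn_level!r}")


def check_access(authn_level: Optional[str], req: BindRequest,
                 omitted_semantics: str = "A") -> bool:
    """Classify the bind, then apply the ACI; a rejected bind never gets access."""
    level = classify_bind(req)
    if level is None:
        return False
    return aci_permits(authn_level, level, omitted_semantics)


if __name__ == "__main__":
    anon = BindRequest("", "")
    unauth = BindRequest("cn=rick,o=example", "")
    good = BindRequest("cn=rick,o=example", "correct-horse")
    for label, req in (("anonymous", anon), ("unauthenticated", unauth), ("simple", good)):
        print(f"{label:16} omitted(A)={check_access(None, req)!s:5} "
              f"omitted(B)={check_access(None, req, 'B')!s:5} "
              f"any={check_access('any', req)!s:5}")
```

Running the block prints one row per bind type; the only cell that differs between the two readings of an omitted authnLevel is the anonymous row, which is the gap question B points at.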