Comments Access Control Model - authentication levels 2
The more I read Section 4.2.3, the less I understand the difference
between "any" as an authnLevel and an omitted authnLevel.
There are three statements in 4.2.3 that I am trying to figure out.
I'm rephrasing them here:
1. No authnLevel -> no specific type of authentication is required
2. LDAP simple auth with no password is 'anonymous'
3. 'any' -> any mechanism except "no authentication"
So here are my questions:
A. Is an omitted authnLevel equivalent to 'any'?
B. Is an omitted authnLevel equivalent to the union of 'any' and
'anonymous'? [This would be a fairly dangerous situation.]
C. Does an omitted authnLevel mean "anyone bound with a non-null user
ID"? [This seems just about as dangerous as B.]
D. Is there a difference between a BIND with a non-null user ID and
BIND with a null user ID if the password is null (anonymous and
more anonymous)? [This is the anonymous vs. unauthenticated issue
discussed at the LDAPBIS session last week.]
E. If so, does 'anonymous' mean "any or no user ID as long as the
password is null"?
I think I lean towards YES on A and E, NO on B and C. I could live
with either answer to D, but if it is YES, we need an explicit
authnLevel to recognize 'unauthenticated'; it should not be included
when the ACI omits the authnLevel.
Rick Huber
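As an added illustration, not part of Rick's message or of the ACL model draft itself, the Python below models the three simple-bind cases behind questions D and E and evaluates an ACI authnLevel under the reading the message leans towards (omitted equals 'any', 'any' excludes both anonymous and unauthenticated binds, and an explicit 'unauthenticated' level is needed to admit a non-null user ID with a null password). Those semantics, and the `classify_simple_bind` / `authn_level_permits` names, are assumptions for illustration only.

```python
# Added example: models the bind classes discussed in questions D and E and
# evaluates an ACI authnLevel under the author's preferred reading. The
# semantics of omitted / 'any' / 'anonymous' and the explicit
# 'unauthenticated' level are assumptions, not the draft's definitive text.
from typing import Optional


def classify_simple_bind(user_id: str, password: str) -> str:
    """Classify an LDAP simple bind by its name/password pair.

    anonymous       - null user ID and null password
    unauthenticated - non-null user ID but null password (the 'more
                      anonymous' case from question D)
    authenticated   - non-null user ID and non-null password (the server
                      is assumed to have verified the password)
    """
    if not password:
        return "anonymous" if not user_id else "unauthenticated"
    if not user_id:
        # A password with no name gives the server no identity to verify.
        raise ValueError("password supplied without a user ID")
    return "authenticated"


# What each explicit authnLevel admits, under the assumed reading above.
AUTHN_LEVEL_ADMITS = {
    "any": {"authenticated"},                # any real mechanism, never 'none'
    "anonymous": {"anonymous"},
    "unauthenticated": {"unauthenticated"},  # hypothetical explicit level
}


def authn_level_permits(authn_level: Optional[str],
                        user_id: str, password: str) -> bool:
    """Return True if the bind satisfies the ACI's authnLevel.

    An omitted authnLevel (None) is treated as 'any' (question A: YES), so
    an ACI that says nothing never admits anonymous or unauthenticated
    binds (questions B and C: NO). Only an explicit 'unauthenticated'
    level admits a non-null user ID with a null password.
    """
    level = "any" if authn_level is None else authn_level
    bind_class = classify_simple_bind(user_id, password)
    return bind_class in AUTHN_LEVEL_ADMITS[level]
```

The point of the split is that an application relying on a bind "succeeding" cannot tell the unauthenticated case from a real login unless the server or the ACI distinguishes it explicitly.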