
Re: Comments Access Control Model - authentication levels 2



I am also not very clear on the differences and meanings of the following
subject options. My list is a little longer than Richard's.

1. null or no authnLevel  vs  "any"  vs  "none"  vs  "anonymous"
    (same as the points made in the attached mail)

2. null or no subject  vs  "public:"  vs  anonymous
    Is it legal to define an ACI without a subject? How should it be
interpreted? How is public different from anonymous or no subject?

3. "group:"  vs  "role:"
    group is defined as the distinguished name of a groupOfNames or
groupOfUniqueNames entry. role is not defined that clearly. Is it the
distinguished name of an organizationalRole entry?

- Panwar


Richard V Huber wrote:

> The more I read Section 4.2.3, the less I understand the difference
> between "any" as an authnLevel and an omitted authnLevel.
>
> There are three statements in 4.2.3 that I am trying to figure out.
> I'm rephrasing them here:
>
>  1. No authnLevel -> no specific type of authentication is required
>
>  2. LDAP simple auth with no password is 'anonymous'
>
>  3. 'any' -> any mechanism except "no authentication"
>
> So here are my questions:
>
>  A. Is an omitted authnLevel equivalent to 'any'?
>
>  B. Is an omitted authnLevel equivalent to the union of 'any' and
>     'anonymous'?  [This would be a fairly dangerous situation.]
>
>  C. Does an omitted authnLevel mean "anyone bound with a non-null user
>     ID"?  [This seems just about as dangerous as B.]
>
>  D. Is there a difference between a BIND with a non-null user ID and
>     BIND with a null user ID if the password is null (anonymous and
>     more anonymous)?  [This is the anonymous vs. unauthenticated issue
>     discussed at the LDAPBIS session last week.]
>
>  E. If so, does 'anonymous' mean "any or no user ID as long as the
>     password is null"?
>
> I think I lean towards YES on A and E, NO on B and C.  I could live
> with either answer to D, but if it is YES, we need an explicit
> authnLevel to recognize 'unauthenticated'; it should not be included
> when the ACI omits the authnLevel.
>
> Rick Huber
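The readings that the two messages weigh can be made concrete by evaluating them
on a few sample binds. The following is an added example, not code from the
thread or from the Access Control Model draft, and it does not claim the draft's
semantics: it models statements 1-3 from Section 4.2.3 as the thread restates
them, with two switches, one for whether an omitted authnLevel is 'any' (answer
A) or 'any' plus 'anonymous' (answer B), and one for whether a simple bind with a
DN but a null password is folded into 'anonymous' (answer E) or reported as a
separate 'unauthenticated' level (answer D = yes). The level names, the `Bind`
record and the function names are the example's own assumptions.

```python
"""Toy evaluator for the authnLevel part of an LDAP ACI subject.

Constructed illustration of the interpretations under discussion, not the
draft's normative rules.  Level names, the Bind record and all function
names are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Optional

# Levels that count as "no authentication" and therefore never satisfy 'any'
# (statement 3: 'any' means any mechanism except no authentication).
NO_AUTH_LEVELS = {"anonymous", "unauthenticated"}


@dataclass(frozen=True)
class Bind:
    """Result of an LDAP BIND as seen by the ACI evaluator (assumed shape)."""
    dn: str = ""               # empty string = no user ID (null DN)
    password: str = ""         # empty string = null password
    mechanism: str = "simple"  # "simple" or a SASL mechanism name


def classify(bind: Bind, distinguish_unauthenticated: bool) -> str:
    """Map a bind to an authentication level name.

    Simple bind with no password is 'anonymous' (statement 2).  When
    distinguish_unauthenticated is True, a null password together with a
    non-null DN is reported as 'unauthenticated' instead (question D = yes);
    when False the two are merged, which is answer E.  The null-password rule
    only applies to simple binds; a SASL bind is reported by mechanism name.
    """
    if bind.mechanism == "simple" and bind.password == "":
        if bind.dn and distinguish_unauthenticated:
            return "unauthenticated"
        return "anonymous"
    return bind.mechanism  # 'simple' with a password, or the SASL mechanism


def level_matches(required: Optional[str], actual: str,
                  omitted_includes_anonymous: bool = False) -> bool:
    """Does a bind at level `actual` satisfy an ACI whose authnLevel is
    `required` (None when the ACI omits the authnLevel)?

    An omitted level is treated as 'any' (answer A) unless
    omitted_includes_anonymous is set, which models the union reading B.
    Any other level name must match exactly.
    """
    if required is None:
        if actual == "anonymous" and omitted_includes_anonymous:
            return True  # the "fairly dangerous" reading B
        required = "any"
    if required == "any":
        return actual not in NO_AUTH_LEVELS
    return required == actual


def evaluate(aci_level: Optional[str], bind: Bind, *,
             omitted_includes_anonymous: bool = False,
             distinguish_unauthenticated: bool = True) -> bool:
    """Full check: classify the bind, then match it against the ACI level."""
    actual = classify(bind, distinguish_unauthenticated)
    return level_matches(aci_level, actual, omitted_includes_anonymous)


if __name__ == "__main__":
    # Constructed sample binds: null/null, DN/null, DN/password, SASL.
    samples = {
        "null DN, null password": Bind(),
        "DN, null password": Bind(dn="cn=bob,o=example"),
        "DN, password": Bind(dn="cn=bob,o=example", password="secret"),
        "SASL DIGEST-MD5": Bind(dn="cn=bob,o=example", password="secret",
                                mechanism="DIGEST-MD5"),
    }
    for name, b in samples.items():
        print(f"{name:24s} omitted=A:{evaluate(None, b)!s:5} "
              f"omitted=B:{evaluate(None, b, omitted_includes_anonymous=True)!s:5} "
              f"level={classify(b, True)}")
```

Running the block shows the point of question B directly: under reading A the
ACI with no authnLevel admits only the password and SASL binds, while under
reading B the null/null bind is admitted as well. Reading C (any non-null user
ID) is not a switch here; with either setting of `distinguish_unauthenticated`
the DN-without-password bind lands in a no-authentication level and fails an
omitted or 'any' authnLevel, which is the outcome Rick's NO on C asks for.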