
Re: anonymous & none in the ACM (Was: Comments Access Control Model - authentication levels 2)



Just to try to close this one item, is there anyone who thinks we need
to differentiate in the ACM between, in the terms of Ellen's very last
BNF, "anonymous" and "none" ?

>    authnLevel = "none" /            ; from X.500:  name but no password, same as LDAPBIS unauthenticated
>                 "anonymous" /       ; from LDAP:  no name and no password

Rick says he doesn't care, Kurt says X.500 says they are the same thing
(from an access control point of view).
They seem pretty similar to me.

If we do collapse them both then I would suggest "unauthenticated" as a
good name for this kind of authentication level--looks like that's
consistent with ldapbis terminology.

Rob.

Sanjay Panwar wrote:
> 
> I am also not very clear on the differences and meaning of following
> subject options. My list is a little longer than Richard's.
> 
> 1. null or no authnLevel  vs  "any"  vs  "none"  vs  "anonymous"
>     (same as the points made in the attached mail)
> 
> 2. null or no subject  vs  "public:"  vs  anonymous
>     Is it legal to define an ACI without a subject? How should it be
> interpreted. How is public different from anonymous or no subject ?
> 
> 3. "group:"  vs  "role:"
>     group is defined as the distinguished name of a groupOfNames or
> groupOfUniqueNames entry. role is not defined that clearly. Is it the
> distinguished name of an organizationalRole entry?
> 
> - Panwar
> 
> Richard V Huber wrote:
> 
> > The more I read Section 4.2.3, the less I understand the difference
> > between "any" as an authnLevel and an omitted authnLevel.
> >
> > There are three statements in 4.2.3 that I am trying to figure out.
> > I'm rephrasing them here:
> >
> >  1. No authnLevel -> no specific type of authentication is required
> >
> >  2. LDAP simple auth with no password is 'anonymous'
> >
> >  3. 'any' -> any mechanism except "no authentication"
> >
> > So here are my questions:
> >
> >  A. Is an omitted authnLevel equivalent to 'any'?
> >
> >  B. Is an omitted authnLevel equivalent to the union of 'any' and
> >     'anonymous'?  [This would be a fairly dangerous situation.]
> >
> >  C. Does an omitted authnLevel mean "anyone bound with a non-null user
> >     ID"?  [This seems just about as dangerous as B.]
> >
> >  D. Is there a difference between a BIND with a non-null user ID and
> >     BIND with a null user ID if the password is null (anonymous and
> >     more anonymous)?  [This is the anonymous vs. unauthenticated issue
> >     discussed at the LDAPBIS session last week.]
> >
> >  E. If so, does 'anonymous' mean "any or no user ID as long as the
> >     password is null"?
> >
> > I think I lean towards YES on A and E, NO on B and C.  I could live
> > with either answer to D, but if it is YES, we need an explicit
> > authnLevel to recognize 'unauthenticated'; it should not be included
> > when the ACI omits the authnLevel.
> >
> > Rick Huber
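
The distinction the thread is circling, and the reason Rick calls reading B "dangerous", is easier to see when the two decisions are written out: first, what authnLevel an LDAP simple bind actually reaches, and second, whether an ACI's authnLevel (explicit, or omitted) applies to it. The following is an added example, not code from the ACM draft or from anyone in the thread. It uses the terms from the quoted BNF ("none", "anonymous", "any", omitted); the "simple" level for a bind that carried a password, the sample ACI labels and the DNs are assumptions made for illustration only.

```python
"""Classify an LDAP simple bind and evaluate an ACI authnLevel against it.

Terms follow the BNF quoted in the thread: "none" (name, no password; the
LDAPBIS "unauthenticated" bind), "anonymous" (no name, no password) and
"any" (any mechanism except no authentication). "simple" for a bind that
carried a password is an assumption of this example, not a term from the
thread; the draft's other levels are not shown on this page.
"""
from typing import Optional

ANONYMOUS = "anonymous"  # LDAP: no name and no password
NONE = "none"            # X.500: name but no password (LDAPBIS "unauthenticated")
ANY = "any"              # any mechanism except no authentication
SIMPLE = "simple"        # assumed: simple bind with a non-empty password

PASSWORDLESS = {ANONYMOUS, NONE}


def bind_authn_level(name: str, password: str) -> str:
    """Map the two fields of an LDAP simple bind to an authnLevel.

    The name/password combination decides the level, not the bind result:
    a server that accepts a DN with an empty password has still verified
    nothing about the client.
    """
    if not name and not password:
        return ANONYMOUS
    if name and not password:
        return NONE
    if name and password:
        return SIMPLE
    raise ValueError("a password without a name is not a valid simple bind")


def aci_level_matches(aci_level: Optional[str], bind_level: str,
                      omitted_is_union: bool = False,
                      collapse_passwordless: bool = True) -> bool:
    """Does an ACI with this authnLevel apply to a bind at bind_level?

    Defaults encode the reading Rick leans towards (A yes, B/C no, E yes)
    plus Rob's proposal that "none" and "anonymous" are one level:
      - an omitted authnLevel is equivalent to "any";
      - "any" matches every level except the two passwordless ones;
      - "none"/"anonymous" match either passwordless bind.
    omitted_is_union=True models reading B (omitted = any + anonymous),
    the one flagged as dangerous; collapse_passwordless=False keeps
    "none" and "anonymous" distinct (Rick's question D answered YES).
    """
    if aci_level is None:
        if omitted_is_union:
            return True          # reading B: applies to everyone
        aci_level = ANY          # reading A
    if aci_level == ANY:
        return bind_level not in PASSWORDLESS
    if aci_level in PASSWORDLESS:
        if collapse_passwordless:
            return bind_level in PASSWORDLESS
        return bind_level == aci_level
    return aci_level == bind_level


def applicable_acis(acis, name: str, password: str, **opts):
    """Return the labels of the ACIs whose authnLevel applies to a bind."""
    level = bind_authn_level(name, password)
    return [label for label, aci_level in acis
            if aci_level_matches(aci_level, level, **opts)]


# Constructed ACI list for illustration: (label, authnLevel or None = omitted)
SAMPLE_ACIS = [
    ("public-read", ANONYMOUS),
    ("staff-read", None),       # authnLevel omitted
    ("staff-write", SIMPLE),
]

if __name__ == "__main__":
    binds = {
        "anonymous":      ("", ""),
        "dn-no-password": ("cn=alice,dc=example,dc=com", ""),
        "alice":          ("cn=alice,dc=example,dc=com", "s3cret"),
    }
    for who, (name, pw) in binds.items():
        print(f"{who:15} reading A: {applicable_acis(SAMPLE_ACIS, name, pw)}")
        print(f"{'':15} reading B: "
              f"{applicable_acis(SAMPLE_ACIS, name, pw, omitted_is_union=True)}")
```

Run stand-alone, the "dn-no-password" bind picks up only "public-read" under reading A but also "staff-read" under reading B, which is exactly the exposure Rick describes: an ACI whose author simply forgot the authnLevel would grant access to a client that supplied a DN and no password. The same trap exists on the application side, where code that treats any successful simple bind as a login accepts such a bind as authenticated; RFC 4513 later addressed it by recommending that servers reject unauthenticated binds by default.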