
Re: createSaslClient by the Java LDAP API



"Kurt D. Zeilenga" wrote:
> 
> Second, in the presence of a client asserted authorization
> identity, the server may (in addition to the above) rely on
> this entry to support evaluation of the proxy authorization
> policy.

  What if the entry (pointed to by the DN supplied on bind) implies wide-ranging access rights that should not be granted based on the authzid or the authentication ID? When you say "may", do you mean "MAY" as in RFC 2119? That seems to me to lend itself to an indeterminate and insecure server implementation. Shouldn't there be mandatory behavior in evaluating the authorization policy?

Rob
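As an added illustration (not part of this thread, and not any directory server's code), the following Python model shows the deny-by-default proxy authorization evaluation Rob is arguing for: the decision is derived only from an explicit grant on the authenticated identity's own entry, never from how much access the entry named by the bind DN happens to hold, and any authzid not covered by a grant is refused. The directory, the `authz_to` rule list (named after OpenLDAP's authzTo attribute but with simplified matching), and the `u:` to DN mapping are all constructed assumptions for the example.

```python
"""Deny-by-default evaluation of a SASL proxy authorization (authzid) request.

Hypothetical model for illustration only. Each entry carries an optional
'authz_to' list of DN patterns naming the identities it may assume; the
attribute name mirrors OpenLDAP's authzTo, but the matching here is simplified.
"""

from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional


@dataclass
class Entry:
    dn: str
    authz_to: List[str] = field(default_factory=list)  # DN patterns this identity may proxy as
    acl_note: str = ""  # informative only; deliberately never consulted for proxy authz


# Constructed sample directory (assumption: DNs are already normalized strings).
DIRECTORY = {
    "cn=admin,dc=example,dc=com": Entry(
        "cn=admin,dc=example,dc=com", acl_note="wide write access to the whole tree"
    ),
    "cn=proxy,dc=example,dc=com": Entry(
        "cn=proxy,dc=example,dc=com", authz_to=["uid=*,ou=people,dc=example,dc=com"]
    ),
    "uid=alice,ou=people,dc=example,dc=com": Entry("uid=alice,ou=people,dc=example,dc=com"),
    "uid=bob,ou=people,dc=example,dc=com": Entry("uid=bob,ou=people,dc=example,dc=com"),
}


def resolve_authzid(authzid: str) -> Optional[str]:
    """Map a 'dn:' or 'u:' form authzid to a DN present in the directory.

    The 'u:' mapping is a constructed rule for this example; a real server
    applies its own configured mapping.
    """
    if authzid.startswith("dn:"):
        dn = authzid[3:]
    elif authzid.startswith("u:"):
        dn = "uid=%s,ou=people,dc=example,dc=com" % authzid[2:]
    else:
        return None  # unknown form: refuse rather than guess
    return dn if dn in DIRECTORY else None


def effective_identity(authc_dn: str, authzid: Optional[str]) -> Optional[str]:
    """Return the identity the session operates as, or None if the bind must fail.

    Only the authenticated identity's own 'authz_to' grants are consulted.
    The ACL breadth of that entry (acl_note) is not a source of authority,
    so an entry with wide access but no grant cannot proxy as anyone.
    """
    if authc_dn not in DIRECTORY:
        return None
    if not authzid:
        # No proxy requested: authorization identity equals authentication identity.
        return authc_dn
    target = resolve_authzid(authzid)
    if target is None:
        return None
    if target == authc_dn:
        # Asserting one's own identity is always permitted.
        return authc_dn
    if any(fnmatchcase(target, pattern) for pattern in DIRECTORY[authc_dn].authz_to):
        return target
    return None  # deny by default: no explicit grant covers this target
```

Running `effective_identity("cn=admin,dc=example,dc=com", "u:alice")` returns `None` even though the admin entry holds the widest access, while the proxy entry, which carries an explicit grant, may assume `uid=alice`; that separation of "what the entry may do" from "whom the entry may act as" is the mandatory behaviour the message asks about.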