RE: ACM permission
Hi Erik,
It's not the normal way to use a compare operation on the password for
authentication.
Why not use the bind? Then you have no problems with AccessControl.
I am not sure whether you want to make a chained bind, but if you do, it
is a chained bind and not a compare operation on the userPassword.
Helmut
> -----Original Message-----
> From: Skovgaard, Erik [mailto:Erik.Skovgaard@icn.siemens.com]
> Sent: Tuesday, 10 July 2001 23:00
> To: 'Kurt D. Zeilenga'
> Cc: 'Mark Davidson'; ietf-ldapext@netscape.com
> Subject: RE: ACM permission
>
>
> Kurt,
>
> I have applications that use the compare operation on the userPassword
> for authentication.
>
> BTW, a BIND may result in a compare operation if you use chaining on
> the back end of the server. Has anyone considered that?
>
> Cheers, ....Erik.
>
> Erik Skovgaard
> Siemens Meta-Directory Solutions
> Phone: +1 604-204-0750
> Fax: +1 604-204-0760
>
> -----Original Message-----
> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
> Sent: Monday, July 09, 2001 13:17
> To: Skovgaard, Erik
> Cc: 'Mark Davidson'; ietf-ldapext@netscape.com
> Subject: RE: ACM permission
>
>
> At 09:25 AM 7/9/2001, Skovgaard, Erik wrote:
> > That would be a problem. A lot of us still use the userPassword for
> > authentication. It must be possible to protect the password (including
> > performing filter matching) yet be able to use the compare operation on
> > the attribute.
>
> I'm not sure how permissions for compare relate to authentication.
> The only operation which performs LDAP authentication is the
> bind and it's not controlled, per the I-D, by any permissions.
>
> This said, I support having separate "assert" (compare/search
> filter) permissions from read permissions as it is often useful
> to allow one to assert a value but not allow them to read all
> values. The example (which I believe someone else gave) is
> that there may be a group where one is allowed to assert that
> an entity is a member but not allowed to see the member list.
>
> Kurt
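The split Kurt describes (an "assert" permission for compare and search filters, separate from read) and Erik's requirement (compare allowed on userPassword while reads and filter matching stay blocked) can both be expressed with OpenLDAP slapd.conf access directives. This is an added illustration, not code from the thread or from the I-D under discussion; the suffix and the service/group DNs are placeholders.

```conf
# Added example (not from the thread): OpenLDAP slapd.conf ACLs that keep
# "assert" rights apart from "read" rights.
# OpenLDAP access levels are cumulative:
#   none < disclose < auth < compare < search < read < write
# so "compare" permits an LDAP compare but NOT filter matching or reads,
# and "search" permits compare plus filter matching but still NOT reads.
# Placeholder names: dc=example,dc=com, cn=idm-app, cn=admins.

# userPassword (Erik's case): a bind needs only "auth"; the one application
# that authenticates users with a compare operation gets "compare"; nobody
# can read the value or match it in a filter. The owner may change it
# (=xw: exactly authenticate + write, no read of the stored value).
access to attrs=userPassword
    by self =xw
    by dn.exact="cn=idm-app,ou=services,dc=example,dc=com" compare
    by anonymous auth
    by * none

# Group membership (Kurt's case): any authenticated user may assert
# "is X a member?" through a compare or a (member=X) filter, but only the
# admins group may read the member list itself.
access to attrs=member,uniqueMember
    by group.exact="cn=admins,ou=groups,dc=example,dc=com" read
    by users search
    by * none

# Everything else: readable by authenticated users, hidden from anonymous.
access to *
    by users read
    by * none
```

Directive and `by` clause order matters: slapd uses the first `access to` whose target matches the entry/attribute and, within it, the first `by` clause that matches the requester, so the specific attribute rules must precede the catch-all.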