Helmut,

It works with DirX! I am talking about authentication for an application,
not the Directory itself.

To clarify: If I have the entry in another DSA, but access some other DSA, a
Compare operation will be propagated as a chained compare to the DSA that
holds the entry I am trying to validate against. It may not be the best
solution from a security perspective, but the Model allows for it.

Cheers, ....Erik.

Erik Skovgaard
Siemens Meta-Directory Solutions
Phone: +1 604-204-0750
Fax: +1 604-204-0760

-----Original Message-----
From: Volpers, Helmut [mailto:helmut.volpers@icn.siemens.de]
Sent: Thursday, July 12, 2001 07:01
To: 'Skovgaard, Erik'; 'Kurt D. Zeilenga'
Cc: 'Mark Davidson'; ietf-ldapext@netscape.com
Subject: RE: ACM permission

Hi Erik,

> -----Original Message-----
> From: Skovgaard, Erik [mailto:Erik.Skovgaard@icn.siemens.com]
> Sent: Thursday, 12 July 2001 15:37
> To: Volpers, Helmut; Skovgaard, Erik; 'Kurt D. Zeilenga'
> Cc: 'Mark Davidson'; ietf-ldapext@netscape.com
> Subject: RE: ACM permission
>
> Helmut,
>
> I am working with at least two products that use the compare operation to
> validate a password. Agreed, that is not the best way, but the point here
> is that the Directory was certainly intended to support this authentication
> method and we should not preclude it.

I agree that applications use this to validate a password, but I don't think
that any LDAP server handles this as an authentication.

> I am not aware of any chained Bind operation, but my latest X.518 document
> dates back to 1993. Are you telling me that the operation has been added in
> later versions?

No. But if you want to use chaining for authentication (which I don't like),
why not do it with a bind instead of a compare.

Helmut

> Cheers, ....Erik.
>
> Erik Skovgaard
> Siemens Meta-Directory Solutions
> Phone: +1 604-204-0750
> Fax: +1 604-204-0760
>
> -----Original Message-----
> From: Volpers, Helmut [mailto:helmut.volpers@icn.siemens.de]
> Sent: Thursday, July 12, 2001 02:13
> To: 'Skovgaard, Erik'; 'Kurt D. Zeilenga'
> Cc: 'Mark Davidson'; ietf-ldapext@netscape.com
> Subject: RE: ACM permission
>
> Hi Erik,
>
> It's not the normal way to use a compare operation on the password for
> authentication. Why not use the bind and you have no problems with
> AccessControl.
>
> I am not sure whether you want to make a chained bind, but if you do it it
> is a chained bind and not a compare operation on the userPassword.
>
> Helmut
>
> > -----Original Message-----
> > From: Skovgaard, Erik [mailto:Erik.Skovgaard@icn.siemens.com]
> > Sent: Tuesday, 10 July 2001 23:00
> > To: 'Kurt D. Zeilenga'
> > Cc: 'Mark Davidson'; ietf-ldapext@netscape.com
> > Subject: RE: ACM permission
> >
> > Kurt,
> >
> > I have applications that use the compare operation on the userPassword
> > for authentication.
> >
> > BTW, a BIND may result in a compare operation if you use chaining on the
> > back end of the server. Has anyone considered that?
> >
> > Cheers, ....Erik.
> >
> > Erik Skovgaard
> > Siemens Meta-Directory Solutions
> > Phone: +1 604-204-0750
> > Fax: +1 604-204-0760
> >
> > -----Original Message-----
> > From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
> > Sent: Monday, July 09, 2001 13:17
> > To: Skovgaard, Erik
> > Cc: 'Mark Davidson'; ietf-ldapext@netscape.com
> > Subject: RE: ACM permission
> >
> > At 09:25 AM 7/9/2001, Skovgaard, Erik wrote:
> > > That would be a problem. A lot of us still use the userPassword for
> > > authentication. It must be possible to protect the password (including
> > > performing filter matching) yet be able to use the compare operation on
> > > the attribute.
> >
> > I'm not sure how permissions for compare relate to authentication.
> > The only operation which performs LDAP authentication is the
> > bind and it's not controlled, per the I-D, by any permissions.
> >
> > This said, I support having separate "assert" (compare/search
> > filter) permissions from read permissions as it is often useful
> > to allow one to assert a value but not allow them to read all
> > values. The example (which I believe someone else gave) is
> > that there may be a group where one is allowed to assert that
> > an entity is a member but not allowed to see the member list.
> >
> > Kurt
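The points argued in this thread (a "compare"/assert permission kept separate from "read", bind not being subject to attribute permissions, and a compare chained to the DSA that holds the entry) can be made concrete in a small model. The following is an added example written for this archive page, not code from any of the participants, from DirX, or from the access control I-D; the DSA names, suffixes, entries, ACL tables and the hashed-userPassword matching rule are all constructed assumptions.

```python
"""Toy model of the access-control point argued in the thread above:
a separate "compare" (assert) permission, distinct from "read", for
attributes such as userPassword and member, plus a chained compare
between two DSAs. Constructed illustration; the DSA names, suffixes,
entries and ACL tables below are made up and are not any product's
or the I-D's code."""
import hashlib

ANON = ""  # actor name used for an unauthenticated (anonymous) request


def hash_password(clear: str) -> str:
    """Stored form of userPassword in this toy: a labelled SHA-256 digest."""
    return "{SHA256}" + hashlib.sha256(clear.encode()).hexdigest()


class DSA:
    """One directory server holding one naming context.

    acl maps (actor_dn, attribute) -> set of permissions; the key
    ("*", attribute) is the fallback for actors with no specific rule.
    """

    def __init__(self, name, suffix, entries, acl):
        self.name = name
        self.suffix = suffix
        self.entries = entries      # dn -> {attribute: [values]}
        self.acl = acl
        self.peers = []             # DSAs this one may chain to

    def holds(self, dn):
        return dn.endswith(self.suffix)

    def permitted(self, actor, attr, perm):
        perms = self.acl.get((actor, attr), self.acl.get(("*", attr), set()))
        return perm in perms

    def bind(self, dn, password):
        """Authentication proper. No attribute permission is consulted:
        the server itself checks the credential. This toy does not chain
        binds to a peer; the entry must be held locally."""
        entry = self.entries.get(dn) if self.holds(dn) else None
        if entry is None:
            return False
        return hash_password(password) in entry.get("userPassword", [])

    def compare(self, actor, dn, attr, value):
        """Compare (assert) one value; chained to the peer holding dn."""
        if not self.holds(dn):
            for peer in self.peers:
                if peer.holds(dn):
                    return peer.compare(actor, dn, attr, value)  # chained compare
            return "noSuchObject"
        entry = self.entries.get(dn)
        if entry is None:
            return "noSuchObject"
        if not self.permitted(actor, attr, "compare"):
            return "insufficientAccessRights"
        # Assumption of this toy: the server matches userPassword by
        # hashing the asserted value, so the application sends cleartext.
        if attr == "userPassword":
            value = hash_password(value)
        return "compareTrue" if value in entry.get(attr, []) else "compareFalse"

    def read(self, actor, dn, attr):
        """Return the attribute's values, or None if read is not permitted."""
        entry = self.entries.get(dn)
        if entry is None or not self.permitted(actor, attr, "read"):
            return None
        return list(entry.get(attr, []))


def build_demo():
    """Two constructed DSAs: people on A, groups on B, chained to each other."""
    alice = "uid=alice,ou=people,o=example"
    app = "cn=app,ou=people,o=example"
    admin = "cn=admin,ou=people,o=example"
    staff = "cn=staff,ou=groups,o=example"
    people = DSA("A", "ou=people,o=example",
                 {alice: {"userPassword": [hash_password("s3cret")]}},
                 {(app, "userPassword"): {"compare"},   # app may assert, not read
                  ("*", "userPassword"): set()})        # everyone else: nothing
    groups = DSA("B", "ou=groups,o=example",
                 {staff: {"member": [alice]}},
                 {(app, "member"): {"compare"},         # may ask "is X a member?"
                  (admin, "member"): {"compare", "read"}})  # may list members
    people.peers.append(groups)
    groups.peers.append(people)
    return people, groups, alice, app, admin, staff


if __name__ == "__main__":
    people, groups, alice, app, admin, staff = build_demo()
    print("bind alice:", people.bind(alice, "s3cret"))
    print("app compares userPassword:", people.compare(app, alice, "userPassword", "s3cret"))
    print("anonymous compares userPassword:", people.compare(ANON, alice, "userPassword", "s3cret"))
    print("app compares member via A (chained to B):", people.compare(app, staff, "member", alice))
    print("app reads member list:", groups.read(app, staff, "member"))
    print("admin reads member list:", groups.read(admin, staff, "member"))
```

Two things the model makes visible that the thread argues in prose: the application that validates passwords by compare needs an explicit compare grant on userPassword on every DSA the compare can be chained to, while a bind needs no such grant; and a compare-only grant on member lets a caller ask "is alice a member?" without being able to enumerate the group, which is exactly the separation of assert from read that Kurt supports.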