
Re: ACM permission



+1
Authorization and authentication are different things.
I hope that old buggy applications will not limit the level of security defined by the LDAP ACL model.

joachim

"Kurt D. Zeilenga" wrote:

At 09:25 AM 7/9/2001, Skovgaard, Erik wrote:
>That would be a problem.  A lot of us still use the userPassword for
>authentication.  It must be possible to protect the password (including
>performing filter matching) yet be able to use the compare operation on the
>attribute.

I'm not sure how permissions for compare relate to authentication.
The only operation which performs LDAP authentication is the
bind and it's not controlled, per the I-D, by any permissions.

This said, I support having separate "assert" (compare/search
filter) permissions from read permissions as it is often useful
to allow one to assert a value but not allow them to read all
values.  The example (which I believe someone else gave) is
that there may be a group where one is allowed to assert that
an entity is a member but not allowed to see the member list.

Kurt
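
An added illustration (not part of the original thread or of the I-D): a toy Python model of the separation described above, where a subject may assert group membership without being able to read the member list. The DNs, the ACL table and the function names are all constructed for this example.

```python
# Toy model (constructed for illustration): per-attribute permissions where
# "compare" (assert a value) is granted separately from "read" (see values).

class AccessDenied(Exception):
    pass

# Constructed sample directory entry.
DIRECTORY = {
    "cn=admins,dc=example,dc=com": {
        "cn": ["admins"],
        "member": ["uid=alice,dc=example,dc=com", "uid=bob,dc=example,dc=com"],
    },
}

# Constructed ACL: (subject, attribute) -> set of granted permissions.
ACL = {
    ("uid=app,dc=example,dc=com", "member"): {"compare"},
    ("uid=app,dc=example,dc=com", "cn"): {"compare", "read"},
    ("uid=auditor,dc=example,dc=com", "member"): {"compare", "read"},
}

def _granted(subject, attr, perm):
    # Default deny: no ACL row means no permission.
    return perm in ACL.get((subject, attr), set())

def compare(subject, dn, attr, value):
    """Assert a value: returns True/False only, never the stored values."""
    if not _granted(subject, attr, "compare"):
        raise AccessDenied(f"{subject} may not compare {attr}")
    stored = DIRECTORY[dn].get(attr, [])
    return value.lower() in (v.lower() for v in stored)

def read(subject, dn):
    """Return only the attributes the subject holds 'read' on."""
    return {a: list(v) for a, v in DIRECTORY[dn].items()
            if _granted(subject, a, "read")}
```

A compare-only grant still lets the holder test candidate values one at a time, so an attribute protected this way is hidden from listing, not from guessing.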