
RE: Basic Access Control for LDAP



Ed,

Ed Reed wrote:
> One question from reading the drafts (for now) -
> 
> What constitutes a "user" for the purpose of ACI UserClasses 
> value allUsers?

In the first instance it is anyone/anything who manages to bind in,
regardless of their authorization identity, but it is qualified by
the AuthenticationLevel and whether a permission is being granted
or denied.

For a permission being granted:

1) If the AuthenticationLevel is "none" then allUsers includes everyone,
regardless of authorization identity, anonymous included.

2) If the AuthenticationLevel is "simple" then allUsers includes all
users who have authenticated with at least a user name and password.
Anonymous users and users who have not been authenticated are excluded.

3) If the AuthenticationLevel is "strong" then allUsers includes all
users who have authenticated with strong credentials, e.g. digital
signatures. Anonymous users, unauthenticated users and password
authenticated users are excluded.

For a permission being denied, allUsers includes everyone,
regardless of authorization identity and authentication level.

Regards,
Steven
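The rule described above, written out as a small decision function (an added example, not code from the thread or from the draft). The three levels are ordered none < simple < strong as the reply implies with "at least a user name and password"; the `evaluate` helper's deny-before-grant combination is an assumed simplification for illustration, not the draft's precedence rules.

```python
# Added example modelling the allUsers / AuthenticationLevel rule from the reply.
# Ordering of authentication levels is assumed from the text: a requester at a
# higher level satisfies a lower required level for a grant.
LEVELS = {"none": 0, "simple": 1, "strong": 2}


def all_users_matches(aci_level, is_grant, requester_level):
    """Does the allUsers UserClass match this requester?

    aci_level       -- AuthenticationLevel stated in the ACI item
    is_grant        -- True for a permission being granted, False for denied
    requester_level -- how the requester actually bound: "none" covers anonymous
                       and otherwise unauthenticated binds
    """
    if aci_level not in LEVELS or requester_level not in LEVELS:
        raise ValueError("unknown authentication level")
    # A denial applies to everyone, whatever the level (the asymmetry in the reply).
    if not is_grant:
        return True
    # A grant applies only to requesters authenticated at least as strongly as required.
    return LEVELS[requester_level] >= LEVELS[aci_level]


def evaluate(acis, requester_level):
    """Assumed simplified evaluation: any matching deny wins, then any matching
    grant allows, otherwise no access. Each ACI is (aci_level, is_grant)."""
    matching = [(lvl, grant) for lvl, grant in acis
                if all_users_matches(lvl, grant, requester_level)]
    if any(not grant for _, grant in matching):
        return False
    return any(grant for _, grant in matching)


if __name__ == "__main__":
    # Constructed ACI set: grant to password-authenticated users, deny stated at strong.
    acis = [("simple", True), ("strong", False)]
    for lvl in ("none", "simple", "strong"):
        print(lvl, "->", "allowed" if evaluate(acis, lvl) else "denied")
```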