
RE: Basic Access Control for LDAP



Actually, my question is a bit more basic - 

Does allUsers include entries of any and all object classes, or only
object classes derived from "person", or only "person"s with, say,
a password attribute present, or some other definition?

Ed

=================
Ed Reed
Reed-Matthews, Inc.
+1 585 624 2402
http://www.Reed-Matthews.COM
Note:  Area code is 585

>>> "Steven Legg" <steven.legg@adacel.com.au> 02/28/02 01:16AM >>>

Ed,

Ed Reed wrote:
> One question from reading the drafts (for now) -
> 
> What constitutes a "user" for the purpose of ACI UserClasses 
> value allUsers?

In the first instance it is anyone/anything who manages to bind in,
regardless of their authorization identity, but it is qualified by
the AuthenticationLevel and whether a permission is being granted
or denied.

For a permission being granted:

1) If the AuthenticationLevel is "none" then allUsers includes everyone,
regardless of authorization identity, anonymous included.

2) If the AuthenticationLevel is "simple" then allUsers includes all
users who have authenticated with at least a user name and password.
Anonymous users and users who have not been authenticated are excluded.

3) If the AuthenticationLevel is "strong" then allUsers includes all
users who have authenticated with strong credentials, e.g. digital
signatures. Anonymous users, unauthenticated users and password
authenticated users are excluded.

For a permission being denied, allUsers includes everyone,
regardless of authorization identity and authentication level.

Regards,
Steven
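
The allUsers rule set out in the reply above, worked through as a small evaluator. This is an added example, not code from the original post or from any LDAP/X.500 implementation; the `AciItem` and `Requester` structures, the field names and the sample items are constructed for illustration. It encodes the three AuthenticationLevel cases as an ordering (none < simple < strong) for grants, treats denials as matching everyone, and adds an audit helper that lists grant items whose allUsers audience already includes an anonymous bind, which is the check a directory administrator usually wants when reviewing ACI. It only decides membership in allUsers per item; it does not apply the later precedence steps of Basic Access Control, which the reply does not discuss.

```python
# Added example: membership in the ACI user class "allUsers" as described in
# Steven Legg's reply. Data structures and names are assumptions for this
# illustration, not an API from any directory product.
from dataclasses import dataclass

# AuthenticationLevel ordering: a bind at a given level also satisfies the
# levels below it (a strong bind counts as at least "simple", etc.).
AUTH_LEVELS = {"none": 0, "simple": 1, "strong": 2}


@dataclass(frozen=True)
class AciItem:
    """One ACI item whose UserClasses value is allUsers (hypothetical shape)."""
    name: str
    auth_level: str   # the item's AuthenticationLevel: none | simple | strong
    grant: bool       # True if the item grants, False if it denies
    permission: str   # constructed label such as "read" or "modify"


@dataclass(frozen=True)
class Requester:
    """How the requester bound (constructed for the example)."""
    authz_id: str     # authorization identity; "" for an anonymous bind
    auth_level: str   # how the bind was authenticated: none | simple | strong


def all_users_matches(item: AciItem, req: Requester) -> bool:
    """Apply the allUsers rule from the reply.

    Denied permission: allUsers includes everyone, regardless of identity
    or authentication level.
    Granted permission: the requester must have authenticated at or above
    the item's AuthenticationLevel; anonymous binds only reach "none".
    """
    if not item.grant:
        return True
    return AUTH_LEVELS[req.auth_level] >= AUTH_LEVELS[item.auth_level]


def matching_items(items: list, req: Requester) -> list:
    """Names of the allUsers items that apply to this requester."""
    return [i.name for i in items if all_users_matches(i, req)]


def grants_reaching_anonymous(items: list) -> list:
    """Audit helper: grant items whose allUsers audience includes an anonymous bind."""
    anon = Requester(authz_id="", auth_level="none")
    return [i.name for i in items if i.grant and all_users_matches(i, anon)]


# Constructed sample ACI items, all with UserClasses = allUsers.
SAMPLE_ITEMS = [
    AciItem("grant-read-none", "none", True, "read"),
    AciItem("grant-read-simple", "simple", True, "read"),
    AciItem("grant-modify-strong", "strong", True, "modify"),
    AciItem("deny-modify-none", "none", False, "modify"),
]

if __name__ == "__main__":
    for r in (Requester("", "none"),
              Requester("cn=alice,o=example", "simple"),
              Requester("cn=bob,o=example", "strong")):
        print(r.authz_id or "<anonymous>", matching_items(SAMPLE_ITEMS, r))
    print("grants reaching anonymous:", grants_reaching_anonymous(SAMPLE_ITEMS))
```

Running it shows the asymmetry the reply describes: the anonymous bind is inside allUsers for the "none" grant and for the denial, the password-authenticated bind additionally picks up the "simple" grant, and only the strongly authenticated bind reaches the "strong" grant, while the denial applies to all three.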