[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: [ldapext] draft-zeilenga-ldap-assert-05 notes

To: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
Subject: Re: [ldapext] draft-zeilenga-ldap-assert-05 notes
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Wed, 23 Feb 2005 22:31:36 -0800
Cc: ldapext@ietf.org
In-reply-to: <hbf.20050223mdue@bombur.uio.no>
References: <hbf.20050223mdue@bombur.uio.no>

At 09:35 AM 2/23/2005, Hallvard B Furuseth wrote:
>draft-zeilenga-ldap-assert-05.txt says:
>
>> 3.  The Assertion Control
>>
>>   The control is appropriate for both LDAP interrogation and update
>>   operations [Protocol] including Add, Compare, Delete, Modify, ModifyDN
>>   (rename), and Search.  It is inappropriate for Abandon, Bind nor
>>   Unbind, and Start TLS operations.
>
>I expect "including..." means it's also appropriate for the Password
>Modify Extended Operation (RFC 3062)?

I consider Password Modify Extended Operation to be an "other"
operation, as in:
  Other documents may specify how this control applies to other LDAP
  operations.  In doing so, they must state how the target entry is
  determined.

I'll change the text to precisely state which requests the
control is appropriate for.

>Is Add intended to be part of the above list? 

I intend to remove Add from the list. 

>Kurt stated in thread
>'Assert I-D.', 22-23. jul 2003, that he would change the control to not
>be applicable to Add - since the entry is not yet present to be compared
>with.  Though the thread can be read as keeping Add anyway and compare
>with the entry to be added.
>
>> 4.  Security Considerations
>>
>>   As with any general assertion mechanism, the mechanism can be used to
>>   determine directory content.  Hence, this mechanism SHOULD be subject
>>   to appropriate access controls.
>
>I suggest to add something like:
>
>    ... preferably the same access controls as search filters.

Is there a search reason behind this preference?  I rather
not state a preference as part of a security considerations
unless there is a good security related reason for that
preference.

>The implementor might find the same access controls as for Compare
>natural, but the server admin might e.g. not want substring matching to
>be possible - and he could have written the Compare ACLs knowing that
>Compare can't do substring matching.  Or one might mistakenly use the
>same ACLs as for the "basic" operation being performed, e.g. Modify.

It seems to be your statements depend greatly on what the
access control model is...  I can certainly envision models
where that would not be a mistake.

Kurt 


_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext

Follow-Ups:
- Re: [ldapext] draft-zeilenga-ldap-assert-05 notes
  - From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>

References:
- [ldapext] draft-zeilenga-ldap-assert-05 notes
  - From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>

Prev by Date: Re: [ldapext] draft-behera-ldap-password-policy - last login time
Next by Date: Re: [ldapext] draft-behera-ldap-password-policy - last login time
Index(es):
- Chronological
- Thread