
RE: LDAPv3 Replication Access Control Design Team Report




Kurt,

My opinions below.

Regards,
Tim Hahn

Internet: hahnt@xxxxxxxxxx
Internal: Timothy Hahn/Durham/IBM@IBMUS
phone: 919.224.1565     tie-line: 8/687.1565
fax: 919.224.2540



From: "Kurt D. Zeilenga" <Kurt@xxxxxxxxxxxg>
Sent by: owner-ietf-ldup@mail.imc.org
To: <capple@xxxxxxxxxxxxxxxxxx>
cc: <ietf-ldup@xxxxxxx>
Subject: RE: LDAPv3 Replication Access Control Design Team Report
Date: 09/10/2002 08:42 AM

Let's cut to the key question:

  Does LDAP replication REQUIRE a standard LDAP ACM?

(REQUIRE here in the RFC 2119 sense).
TJH> I believe that LDAP replication MUST ensure that the security
TJH> (i.e. authorization to access - add/modify/search/delete)
TJH> is NOT compromised by the LDAP replication mechanism defined.
TJH>
TJH> Thus, I believe that LDAP replication REQUIRES that access
TJH> control issues be "attended to" (in the RFC 2119 sense).
TJH>
TJH> But I DO NOT feel that LDAP replication needs to define a specific
TJH> Access Control Model (ACM).  LDAP replication need only ensure
TJH> that SOME ACM can be applied across the servers involved in the
TJH> data replicated amongst them and that LDAP replication doesn't
TJH> "mess that up".

If the consensus is yes, then we should determine how this
requirement is going to be fulfilled.  (I note that the
proposed plan doesn't produce a standard LDAP ACM.)

If the consensus is no, then we need not determine how an
LDAP ACM will or will not be produced.  It simply can remain
out of scope.

TJH> Unfortunately, I don't believe the answer is as "binary"
TJH> as this.  LDAP replication REQUIRES that things be done
TJH> "securely" but it does NOT REQUIRE a specific ACM.

I see little point in discussing the details of the plan
until we've actually agreed upon requirements...

Kurt