Re: [higgins-dev] LDAP Servers used with JNDI CP

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [higgins-dev] LDAP Servers used with JNDI CP

From: "Jim Sermersheim" <jimse@xxxxxxxxxx>
Date: Wed, 30 Jan 2008 17:25:44 -0700
Delivered-to: higgins-dev@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/listinfo/higgins-dev>
List-help: <mailto:higgins-dev-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/higgins-dev>, <mailto:higgins-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/listinfo/higgins-dev>, <mailto:higgins-dev-request@eclipse.org?subject=unsubscribe>

I'm one of the people who failed to standardize on an access control model for LDAP. A number of us (Ellen Stokes, Ed Reed, Bob Blakely, Steven Legg, Kurt Z. etc.) worked on this for a span of about three years, and we never went anywhere but in circles. The circles weren't even concentric, and I'm not sure they even quite met at the ends. Steven Legg finally adapted the X.500 access control admin model to LDAP. The problem is, like replication, everyone has already done it in their own standard way, and it's hard to make the old, hard-coded stuff work along side new standardized stuff.

Even if people felt like it was a good idea, I'm not sure how many vendors are willing to spent the $ to rev. My feeling is that we *have* to implement authZ at the IdAS or higher layer because there will always be some CP's backing store that doesn't authZ the way we want.

Jim

>>> Phil Hunt <phil.hunt@xxxxxxxxxx> 01/30/08 3:32 PM >>>
Having proxied just about every LDAP server on the planet, support is
very inconsistent indeed. Even if an LDAP server supports ProxyDN,
it's application to access control may vary as well.  Part of the
problem with LDAP is that access control itself was never standardized.

Somehow there needs to be a do-over on this one.  Maybe privacy is
enough of an impetus to revise or replace ProxyDN and rejuvenate
interest in it. My thought is we need a control to take on broader
transaction metadata - only part of which could be application and
subject credentials.

The second requirement is to propose XACML (or a profile of XACML
like AAPML) be optionally supported in LDAP.  This is the policy
engine that would consume the metadata mentioned above and brings
some level of consistency of expectation for what happens from the
perspective of policy.

Phil Hunt
Oracle

On 30-Jan-08, at 1:05 PM, Tom Doman wrote:

> All,
>
> Which LDAP Servers have you used behind the JNDI Context Provider?
> Does it support RFC 4370, the proxy authorization control?
>
> Me:
>
> Novell eDirectory, no.
> Test LDAP Utility, no.
>
> Thanks,
> Tom
>
>
> _______________________________________________
> higgins-dev mailing list
> higgins-dev@xxxxxxxxxxx
> https://dev.eclipse.org/mailman/listinfo/higgins-dev

_______________________________________________
higgins-dev mailing list
higgins-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/higgins-dev

Follow-Ups:
- Re: [higgins-dev] LDAP Servers used with JNDI CP
  - From: Phil Hunt

References:
- [higgins-dev] LDAP Servers used with JNDI CP
  - From: Tom Doman
- Re: [higgins-dev] LDAP Servers used with JNDI CP
  - From: Phil Hunt

Prev by Date: RE: [higgins-dev] Data Model Discussions
Next by Date: Re: [higgins-dev] LDAP Servers used with JNDI CP
Previous by thread: Re: [higgins-dev] LDAP Servers used with JNDI CP
Next by thread: Re: [higgins-dev] LDAP Servers used with JNDI CP
Index(es):
- Date
- Thread

Breadcrumbs