Re: LDAP URL Format

Paul Hoffman (ietf-lists@proper.com)
Mon, 8 May 1995 13:24:22 -0700


Message-Id: <v02120c0cabd42cfc3197@[165.227.40.22]>
Date: Mon, 8 May 1995 13:24:22 -0700
To: "Tim Howes" <tim@umich.edu>
From: ietf-lists@proper.com (Paul Hoffman)
Subject: Re: LDAP URL Format
Cc: uri@bunyip.com

>> >5.  Security Considerations
>> >
>> >Security considerations are not discussed in this document.
>>
>> Should they be? Is there any additional security problems of forcing any
>> LDAP server to resolve URLs that aren't for that host? If not, you might
>> just point to the X.500 RFC that has the most complete security section.
>
>I don't see any problems with that, but I do think it could use some
>words about the fact that we assume no authentication (i.e., there's
>no way to pass credentials).

Sounds good. Maybe something along the lines of "The security implications
of resolving an LDAP URL are the same as those of resolving any LDAP query.
See the security section of RFC XXXXX for a description of the security
implications of responding to an LDAP query." I thing the authentication
issue should be part of the other RFC or a new RFC on LDAP security, not
this on unless authentication is different for URLs than it is for straight
queires.


--Paul Hoffman
--Proper Publishing