Date: 2004-12-05T14:00:31
Editor: AlexKarasulu <akarasulu@apache.org>
Wiki: Apache Directory Project Wiki
Page: EveGeneral
URL: http://wiki.apache.org/directory/EveGeneral
no comment
Change Log:
------------------------------------------------------------------------------
@@ -1,4 +1,29 @@
##language:en
-Stuff about Eve:
- * Authentication: Authentication policies and usage
+= General Things About Eve =
+
+== Out-of-the-box Authentication ==
+
+I really wanted to make Authentication something that does not get in the way if users
+not needing it. Meaning if users did not have any security requirements where
+they're just using Eve (especially in embedded mode) as a simple backing store using LDAP
+as the namespace they should not have to authenticate. To balance enabling both types of
+users (those needing and not needing auth) while minimizing first time startup configuration
+overheads and authorization issues we needed a policy for dealing with user passwords in
+general and the system user password. First let's list some of our requirements and some
+notes about the problems.
+
+Requirements for Setting Admin (super-user) Password:
+ * minimize setup overhead in general
+ * config-less operation even without providing a password should be possible for those
+ that just want to use eve as an LDAP backing store; in this case they effectively are
+ the super user and need to get around authorization issues to have free reign
+
+Notes:
+ * According to LDAP JNDI provider implementation guidelines, "if this property
+ [java.naming.security.authentication] is not set then its default value is none, unless
+ the java.naming.security.credentials property is set, in which case the default value
is
+ simple." So this means config-less operation presumes anonymous binds and we must conform
+ to these guidelines.
+ * Most LDAP browsers do not allow simple binds using null or empty passwds. This makes
+ using a null password a poor choice for the super user.
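Review bot: The second item under "Requirements for Setting Admin (super-user) Password" says that config-less users "effectively are the super user", and the first note says config-less operation presumes anonymous binds. Read together, they imply that an anonymous bind receives super-user rights, but the section does not say whether this applies only to embedded use or also to clients connecting over the network. Suggest stating that scope explicitly and closing the section with the password policy actually chosen, since the notes rule out a null password for the super user but no decision follows. Minor wording points in the first paragraph and the requirements list: "something that does not get in the way if users not needing it" should read "of users not needing it", and "free reign" should be "free rein".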