directory-commits mailing list archives

From directory-...@incubator.apache.org
Subject [Apache Directory Project Wiki] Updated: EveGeneral
Date Sun, 05 Dec 2004 22:00:31 GMT
   Date: 2004-12-05T14:00:31
   Editor: AlexKarasulu <akarasulu@apache.org>
   Wiki: Apache Directory Project Wiki
   Page: EveGeneral
   URL: http://wiki.apache.org/directory/EveGeneral

   no comment

Change Log:

------------------------------------------------------------------------------
@@ -1,4 +1,29 @@
 ##language:en
 
-Stuff about Eve:
-  * Authentication: Authentication policies and usage
+= General Things About Eve =
+
+== Out-of-the-box Authentication ==
+
+I really wanted to make Authentication something that does not get in the way if users 
+not needing it.  Meaning if users did not have any security requirements where
+they're just using Eve (especially in embedded mode) as a simple backing store using LDAP
+as the namespace they should not have to authenticate.  To balance enabling both types of

+users (those needing and not needing auth) while minimizing first time startup configuration

+overheads and authorization issues we needed a policy for dealing with user passwords in

+general and the system user password.  First let's list some of our requirements and some
+notes about the problems.
+
+Requirements for Setting Admin (super-user) Password:
+ * minimize setup overhead in general
+ * config-less operation even without providing a password should be possible for those 
+   that just want to use eve as an LDAP backing store; in this case they effectively are

+   the super user and need to get around authorization issues to have free reign
+
+Notes:
+ * According to LDAP JNDI provider implementation guidelines, "if this property 
+   [java.naming.security.authentication] is not set then its default value is none, unless

+   the java.naming.security.credentials property is set, in which case the default value
is 
+   simple."  So this means config-less operation presumes anonymous binds and we must conform
+   to these guidelines.
+ * Most LDAP browsers do not allow simple binds using null or empty passwds.  This makes

+   using a null password a poor choice for the super user.
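
Review bot: The second requirement bullet says a config-less user "effectively [is] the super user", and the first Notes bullet says config-less operation presumes anonymous binds; read together they imply that an anonymous bind gets super-user rights, but the section never says so and ends without stating the policy the opening paragraph promises. Suggest adding the resulting rule for the admin password after the Notes list, and stating whether the unauthenticated super-user case is limited to embedded mode or also applies when the server accepts network connections. Minor wording: "if users not needing it" in the opening sentence should be "of users not needing it", and "free reign" should be "free rein". The hunk also drops the "Authentication: Authentication policies and usage" list entry; if that page still exists, keep a link to it from the new section.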
