
shibboleth-dev - RE: OS X info, webDAV use case

  • From: "Wilcox, Mark" <>
  • To: "Scott Cantor" <>, "Walter Hoehn" <>, "David L. Wasley" <>
  • Cc: "Tom Barton" <>, <>
  • Subject: RE: OS X info, webDAV use case
  • Date: Thu, 25 Sep 2003 15:48:49 -0400

Actually I would argue that, comparing Shib to LDAP, Shib solves a whole heck of a lot of open LDAP implementation details.
 
Yes LDAP (and X.500) should have/could have solved lots of similar issues.
 
However, nobody has widely deployed them enough to make it workable.
 
Two major ones come to mind -- referrals and querying an external directory service.
 
Referrals -- the notion that a branch in the LDAP server (DIT) returns a pointer to another LDAP tree, usually on a different server. LDAP servers generally can return them fine, but all of the popular clients, well, they just choke on them. Or don't accurately follow them.
 
Querying an external server -- This should be possible but so few LDAP servers exist with actual directory information (as opposed to just enough to perform local authentication) that is publicly accessible -- that model breaks down. Yes, they do exist in certain locales, but they don't exist in enough numbers to have any meaning.
 
Finally, Shib does have the capability of doing things that LDAP will not do -- namely provide a policy service (aka authorization assertions) and be able to 'possibly' secure each assertion/attribute(s) separately via a PKI setup -- so that in the end Shib wins on the authentication & authorization front.
 
Ideally LDAP would go back to do what it was supposed to do - provide a generic white pages protocol and let Kerberos & Shib be the authentication & authorization services.
 
Mark
 
-----Original Message-----
From: Scott Cantor [mailto:]
Sent: Thu 9/25/2003 3:32 PM
To: 'Walter Hoehn'; 'David L. Wasley'
Cc: 'Tom Barton'; Wilcox, Mark;
Subject: RE: OS X info, webDAV use case

> I'm still not sure I get this.  I'm not necessarily arguing against you,
> just trying to clarify...  Most LDAP servers have access control.  We
> have access control.  Which is better is really just an implementation
> detail, since neither LDAP nor Shib specifies the access control
> mechanisms.  Are you saying "We should use shib for this because we own
> the code and can make it do cool stuff"?

Right, so, if it helps, when I talked about what we were doing to some X.500
people in Australia, they were underwhelmed because, gee, you can do all
these things if you just have a directory that's a good enough
implementation. And so finding one is just a detail left to the user...

-- Scott
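Mark's referral paragraph above describes what a client has to do when a server hands back a pointer to another tree, and says that popular clients either choke on it or follow it inaccurately. The Python below is an added example written for this archive page; it is not code from the thread, from the Shibboleth project, or from any LDAP library. It parses the RFC 4516 URLs a referral carries and follows them against a constructed in-memory stand-in for two servers, with a hop limit, loop detection and a host allowlist. The server names, directory contents, MAX_HOPS value and the fake_search helper are all assumptions made for illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, unquote

MAX_HOPS = 5  # assumption: a small fixed bound; real clients make this configurable


@dataclass(frozen=True)
class LdapUrl:
    host: str
    port: int
    dn: str
    scope: str


def parse_ldap_url(url: str) -> LdapUrl:
    """Parse the RFC 4516 form ldap[s]://host[:port]/dn[?attrs[?scope[?filter]]].

    A referral is just a list of these URLs, so parsing them correctly is the
    first thing a client that wants to follow referrals has to get right.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url!r}")
    if not parts.hostname:
        raise ValueError(f"referral URL without a host: {url!r}")
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    dn = unquote(parts.path.lstrip("/"))
    # urlsplit stops at the first '?', so the query still holds attrs?scope?filter
    fields = parts.query.split("?")
    scope = fields[1] if len(fields) > 1 and fields[1] else "base"
    return LdapUrl(parts.hostname, port, dn, scope)


# Constructed stand-in for two LDAP servers (assumed names and contents).
# Each maps a DN to either an entry or a referral, which is what a real server
# returns as a searchResultEntry versus a searchResultDone with resultCode
# referral (10) carrying a list of LDAP URLs.
DIRECTORY = {
    ("ldap.example.edu", 389): {
        "ou=people,dc=example,dc=edu": {"entry": {"description": "local people"}},
        "ou=physics,dc=example,dc=edu": {
            "referral": ["ldap://physics.example.edu/ou=people,dc=physics,dc=example,dc=edu"]
        },
        # a referral that points straight back at itself
        "ou=loop,dc=example,dc=edu": {
            "referral": ["ldap://ldap.example.edu/ou=loop,dc=example,dc=edu"]
        },
        # a referral to a host the deployment has never heard of
        "ou=evil,dc=example,dc=edu": {
            "referral": ["ldap://attacker.example.net/dc=example,dc=edu"]
        },
    },
    ("physics.example.edu", 389): {
        "ou=people,dc=physics,dc=example,dc=edu": {"entry": {"description": "physics people"}},
    },
}


def fake_search(host: str, port: int, dn: str):
    """Stand-in (assumed helper) for a base-scope search against one server.

    Returns ("entry", attrs) or ("referral", [ldap urls]); an unreachable
    server or unknown DN raises, just as a real client would see an error.
    """
    server = DIRECTORY.get((host, port))
    if server is None:
        raise ConnectionError(f"cannot reach {host}:{port}")
    result = server.get(dn)
    if result is None:
        raise LookupError(f"noSuchObject: {dn}")
    if "referral" in result:
        return "referral", result["referral"]
    return "entry", result["entry"]


def search_following_referrals(url, allowed_hosts, max_hops=MAX_HOPS, search=fake_search):
    """Chase referrals the way a careful client should: bounded hops,
    loop detection, and an allowlist so that a referral cannot steer the
    client (and whatever credentials it binds with) to an arbitrary host."""
    seen = set()
    current = parse_ldap_url(url)
    for hop in range(max_hops + 1):
        key = (current.host, current.port, current.dn.lower())
        if key in seen:
            raise RuntimeError(f"referral loop back to {current.host}/{current.dn}")
        seen.add(key)
        # Referral URLs are data chosen by the remote server: treat them as untrusted.
        if current.host not in allowed_hosts:
            raise PermissionError(f"referral to non-allowlisted host {current.host}")
        kind, payload = search(current.host, current.port, current.dn)
        if kind == "entry":
            return {"host": current.host, "dn": current.dn, "attrs": payload, "hops": hop}
        # A referral may carry several URLs; clients try them in order.
        # This example takes the first one.
        current = parse_ldap_url(payload[0])
    raise RuntimeError(f"gave up after {max_hops} referral hops")


if __name__ == "__main__":
    allowed = {"ldap.example.edu", "physics.example.edu"}
    print(search_following_referrals("ldap://ldap.example.edu/ou=physics,dc=example,dc=edu", allowed))
```

The allowlist is the part most clients leave out: the referral is data returned by the server being queried, so a client that chases it and re-binds with the same credentials is letting that server decide where those credentials are sent. Swapping fake_search for a real bind-and-search through a library such as ldap3 or python-ldap leaves the control flow unchanged.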
