Date: 2004-12-05T14:00:31
Editor: AlexKarasulu <[EMAIL PROTECTED]>
Wiki: Apache Directory Project Wiki
Page: EveGeneral
URL: http://wiki.apache.org/directory/EveGeneral
no comment Change Log: ------------------------------------------------------------------------------ @@ -1,4 +1,29 @@ ##language:en -Stuff about Eve: - * Authentication: Authentication policies and usage += General Things About Eve = + +== Out-of-the-box Authentication == + +I really wanted to make Authentication something that does not get in the way if users +not needing it. Meaning if users did not have any security requirements where +they're just using Eve (especially in embedded mode) as a simple backing store using LDAP +as the namespace they should not have to authenticate. To balance enabling both types of +users (those needing and not needing auth) while minimizing first time startup configuration +overheads and authorization issues we needed a policy for dealing with user passwords in +general and the system user password. First let's list some of our requirements and some +notes about the problems. + +Requirements for Setting Admin (super-user) Password: + * minimize setup overhead in general + * config-less operation even without providing a password should be possible for those + that just want to use eve as an LDAP backing store; in this case they effectively are + the super user and need to get around authorization issues to have free reign + +Notes: + * According to LDAP JNDI provider implementation guidelines, "if this property + [java.naming.security.authentication] is not set then its default value is none, unless + the java.naming.security.credentials property is set, in which case the default value is + simple." So this means config-less operation presumes anonymous binds and we must conform + to these guidelines. + * Most LDAP browsers do not allow simple binds using null or empty passwds. This makes + using a null password a poor choice for the super user.
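Review bot: The second requirement bullet ("config-less operation even without providing a password ... they effectively are the super user") read together with the first note ("config-less operation presumes anonymous binds") means an anonymous bind ends up with super-user rights, and the added text never says where that is allowed. Please state explicitly whether this applies only to embedded mode or also when the server is reachable over the network, and how an operator turns it off. The intro paragraph also promises "a policy for dealing with user passwords in general and the system user password", but the hunk stops after the Notes list: the last note rules out a null super-user password without saying what is used instead, so the policy itself is still missing from the page. Minor wording in the added lines: "get in the way if users not needing it" should read "of users not needing it", "free reign" should be "free rein", and "passwds" should be spelled out.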
