[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Fwd: KerberosId/UserID/access-id
How much does this differ from the way the BNF has been reworked? I guess we need to change kerberosID to u, but is the current format workable?
Jim
>>> Ellen Stokes <stokes@austin.ibm.com> 4/12/00 10:07:21 PM >>>
Here's Kurt's proposal on aligning KerberosID in access control model spec
with the authmeth spec.
So have at it for discussion on the mailing list - this will be an agenda item
for the April 18 conference call.
By the way, I'm sending this to the new mailing list AND cc: to the temp
mailing list.
So please subscribe to the mailing list (per one of Kurt's previous notes
to you this
week) if you haven't already done so.
thanks.
Ellen
>X-Sender: guru@infidel.boolean.net
>X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
>Date: Wed, 29 Mar 2000 21:29:18 +0900
>To: stokes@austin.ibm.com
>From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
>Subject: KerberosId/UserID/access-id (two)
>Cc: Leif Johansson <leifj@it.su.se>, <JIMSE@novell.com>
>
>Fixed Typos...
>
>Requirement as discussed:
>The LDAP ACI model must be capable of supporting all authorization
>identify forms prescribed by the the protocol (and detailed by
>the "Authentication Methods for LDAP" (authmeth) draft). This
>draft has been approved for publication as a Proposed Standard.
>
>New Issue:
>AuthMeth draft allows for addition of authorization forms and
>these need to be supported by ACIs. It should not be necessary
>to update both the AuthMeth spec and the ACI spec to add authorization
>forms to LDAP. Such additions should only require extension as
>described by authmeth.
>
>Solution:
>
>Rework the LDAPaci BNF such that the access-id is an AuthMethod
>AuthzId.
>
>For example:
>
>ldapACI: 1.2.3.4#subtree#grant;r;attribute:attr1;
> #access-id#dn:cn=jsmith,ou=ABC,o=XYZ,c=US
>ldapACI: 1.2.3.4#subtree#grant;r;attribute:attr1;
> #access-id#u:jsmith@REALM
>
>Then, if and when AuthMeth is extended to support some new
>form "guid:", the following would be allowed withOUT requiring
>a separate update of the ldapACI specification.
>
>ldapACI: 1.2.3.4#subtree#grant;r;attribute:attr1;
> #access-id#guid:0xbad1D
>
>
>I would also suggest "access-id" be changed to "authzID".
>
>If you would like to discuss this issue, I should be available
>tomorrow afternoon (prior to LDUP session).
>
> Kurt
>
>
>