X-Sender: guru@infidel.boolean.net
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date: Wed, 29 Mar 2000 21:29:18 +0900
To: stokes@austin.ibm.com
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Subject: KerberosId/UserID/access-id (two)
Cc: Leif Johansson <leifj@it.su.se>, <JIMSE@novell.com>
Fixed Typos...
Requirement as discussed:
The LDAP ACI model must be capable of supporting all authorization
identity forms prescribed by the protocol (and detailed by
the "Authentication Methods for LDAP" (authmeth) draft). This
draft has been approved for publication as a Proposed Standard.
New Issue:
AuthMeth draft allows for addition of authorization forms and
these need to be supported by ACIs. It should not be necessary
to update both the AuthMeth spec and the ACI spec to add authorization
forms to LDAP. Such additions should only require extension as
described by authmeth.
Solution:
Rework the LDAPaci BNF such that the access-id is an AuthMethod
AuthzId.
For example:
ldapACI: 1.2.3.4#subtree#grant;r;attribute:attr1;#access-id#dn:cn=jsmith,ou=ABC,o=XYZ,c=US
ldapACI: 1.2.3.4#subtree#grant;r;attribute:attr1;#access-id#u:jsmith@REALM
Then, if and when AuthMeth is extended to support some new
form "guid:", the following would be allowed withOUT requiring
a separate update of the ldapACI specification.
ldapACI: 1.2.3.4#subtree#grant;r;attribute:attr1;#access-id#guid:0xbad1D
I would also suggest "access-id" be changed to "authzID".
If you would like to discuss this issue, I should be available
tomorrow afternoon (prior to LDUP session).
Kurt
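As an added illustration (not part of the message, and not code from any ldapext draft or OpenLDAP): a small Python parser for the ldapACI values quoted above, written so that the access-id subject is handled by a separate authzId form registry. Adding a new form such as "guid:" then means registering it, not changing the ACI grammar, which is the decoupling the message argues for. The "entry"/"subtree" scope check, the per-form validators and the register_authz_form helper are assumptions of this example.

```python
import re
from typing import Callable, Dict, NamedTuple

# Registry of authzId forms. "dn:" and "u:" are the forms defined for LDAP
# authentication methods; anything else must be registered first.
AUTHZ_FORMS: Dict[str, Callable[[str], bool]] = {
    "dn": lambda v: "=" in v,                                   # crude DN sanity check (assumed)
    "u": lambda v: re.fullmatch(r"[^@\s]+(@[^@\s]+)?", v) is not None,  # userid[@REALM]
}

class AuthzId(NamedTuple):
    form: str
    value: str

class LdapAci(NamedTuple):
    family_oid: str
    scope: str
    rights: str          # left unparsed here, e.g. "grant;r;attribute:attr1;"
    subject_type: str
    subject: object      # AuthzId for access-id, raw string otherwise

def register_authz_form(form: str, validator: Callable[[str], bool]) -> None:
    """Extend the accepted authzId forms without touching parse_ldapaci()."""
    AUTHZ_FORMS[form] = validator

def parse_authzid(text: str) -> AuthzId:
    form, sep, value = text.partition(":")
    if not sep or form not in AUTHZ_FORMS:
        raise ValueError(f"unknown authzId form in {text!r}")
    if not AUTHZ_FORMS[form](value):
        raise ValueError(f"malformed {form}: authzId {value!r}")
    return AuthzId(form, value)

def parse_ldapaci(value: str) -> LdapAci:
    # Five '#'-separated fields; maxsplit keeps any '#' inside the subject intact.
    parts = value.split("#", 4)
    if len(parts) != 5:
        raise ValueError(f"expected 5 fields, got {len(parts)}")
    oid, scope, rights, subject_type, subject = parts
    if scope not in ("entry", "subtree"):          # scope values assumed
        raise ValueError(f"bad scope {scope!r}")
    if subject_type == "access-id":                 # only this type carries an authzId
        subject = parse_authzid(subject)
    return LdapAci(oid, scope, rights, subject_type, subject)

# The three values from the message (constructed inputs for this example).
EXAMPLES = [
    "1.2.3.4#subtree#grant;r;attribute:attr1;#access-id#dn:cn=jsmith,ou=ABC,o=XYZ,c=US",
    "1.2.3.4#subtree#grant;r;attribute:attr1;#access-id#u:jsmith@REALM",
    "1.2.3.4#subtree#grant;r;attribute:attr1;#access-id#guid:0xbad1D",
]
```

Until "guid" is registered the third value is rejected as an unknown form; after register_authz_form("guid", ...) it parses with no change to the ACI parser.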