
RE: AuthzIDs or DNs, but not both



Perhaps the use of the word INTERNAL was a poor choice. By internal I meant
that the server would map the uAuthzId used for authentication into the
distinguished name associated with the uAuthzId to support operational
attributes, access control, etc. Is there a better way to phrase it?

							bill

> -----Original Message-----
> From: Kurt D. Zeilenga [mailto:kurt@boolean.net]
> Sent: Monday, November 15, 1999 1:24 PM
> To: Curtin, William
> Cc: 'Harald Tveit Alvestrand'; JHodges@oblix.com; IETF LDAP Extensions
> WG; RL Bob Morgan
> Subject: Re: AuthzIDs or DNs, but not both
> 
> 
> "Curtin, William" wrote:
> > 
> > So then should the draft contain an additional paragraph to
> > assure this mapping?
> > 
> > For example change section 11 to:
> > 
> > <snip>
> > 
> >    The uAuthzId choice allows for compatibility with client
> >    applications which wish to authenticate to a local directory but do
> >    not know their own Distinguished Name or have a directory entry.  The
> >    format of the string is defined as only a sequence of UTF-8 encoded
> >    ISO 10646 characters, and further interpretation is subject to
> >    prior agreement between the client and server.
> > 
> >    For example, the userid could identify a user of a specific directory
> >    service, or be a login name or the local-part of an RFC 822 email
> >    address. In general a uAuthzId MUST NOT be assumed to be
> >    globally unique.
> > 
> > <new>
> >    All servers which support the uAuthzId choice MUST be capable of
> >    mapping the uAuthzId to an associated distinguished name for
> >    internal use.
> > <end new>
> 
> But the use in question is not internal.  We need to map the uAuthzID
> to an associated distinguished name for EXTERNAL use.  That is, for
> use with directory attributes such as creatorsname, modifiersname,
> member, owner, access control subjects, etc.
> 
> Kurt
>
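As an added illustration, not text from the draft or from either poster, here is a small Python model of the server-side step the thread is arguing about: a uAuthzId is resolved to a local DN before it is written into creatorsName/modifiersName or compared against an entry's owner. It assumes the draft's "dn:" and "u:" authzid prefixes and a constructed userid-to-DN table standing in for the server's local mapping policy.

```python
import re
from typing import Optional

# Constructed local mapping table (hypothetical directory). A uAuthzId is not
# globally unique, so this mapping is a per-server policy, not a global rule.
LOCAL_USERS = {
    "bill": "uid=bill,ou=people,dc=example,dc=com",
    "kurt": "uid=kurt,ou=people,dc=example,dc=com",
}

# Assumption: authzid forms are "dn:<distinguished name>" and "u:<userid>".
USERID_RE = re.compile(r"[A-Za-z0-9._-]+")


def normalize_dn(dn: str) -> str:
    """Simplified DN normalization (case-fold, drop spaces after commas)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def map_authzid_to_dn(authzid: str) -> Optional[str]:
    """Return the DN the server will use for operational attributes and
    access control, or None when the authzid cannot be mapped."""
    if authzid.startswith("dn:"):
        return authzid[3:] or None
    if authzid.startswith("u:"):
        userid = authzid[2:]
        # A userid must never be spliced into a DN verbatim: reject anything
        # that is not a plain token so "bill,dc=other" cannot forge a DN.
        if not USERID_RE.fullmatch(userid):
            return None
        return LOCAL_USERS.get(userid)
    return None


def stamp_entry(entry: dict, authzid: str) -> Optional[dict]:
    """Fill creatorsName/modifiersName with the mapped DN, never the raw
    uAuthzId; return None if the identity has no DN on this server."""
    dn = map_authzid_to_dn(authzid)
    if dn is None:
        return None
    stamped = dict(entry)
    stamped["creatorsName"] = dn
    stamped["modifiersName"] = dn
    return stamped


def is_owner(entry: dict, authzid: str) -> bool:
    """Access-control subject check: owner holds a DN, so compare DNs."""
    dn = map_authzid_to_dn(authzid)
    return dn is not None and normalize_dn(dn) == normalize_dn(entry.get("owner", ""))
```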