RE: AuthzIDs or DNs, but not both
Perhaps the use of the word INTERNAL was a poor choice. By internal I meant
that the server would map the uAuthzId used for authentication into the
distinguished name associated with the uAuthzId to support operational
attributes, access control, etc. Is there a better way to phrase it?
bill
> -----Original Message-----
> From: Kurt D. Zeilenga [mailto:kurt@boolean.net]
> Sent: Monday, November 15, 1999 1:24 PM
> To: Curtin, William
> Cc: 'Harald Tveit Alvestrand'; JHodges@oblix.com; IETF LDAP Extensions
> WG; RL Bob Morgan
> Subject: Re: AuthzIDs or DNs, but not both
>
>
> "Curtin, William" wrote:
> >
> > So then should the draft contain an additional paragraph to
> > assure this mapping?
> >
> > For example change section 11 to:
> >
> > <snip>
> >
> > The uAuthzId choice allows for compatibility with client applications
> > which wish to authenticate to a local directory but do not know their
> > own Distinguished Name or have a directory entry. The format of the
> > string is defined as only a sequence of UTF-8 encoded ISO 10646
> > characters, and further interpretation is subject to prior agreement
> > between the client and server.
> >
> > For example, the userid could identify a user of a specific directory
> > service, or be a login name or the local-part of an RFC 822 email
> > address. In general a uAuthzId MUST NOT be assumed to be
> > globally unique.
> >
> > <new>
> > All servers which support the uAuthzId choice MUST be capable of mapping
> > the uAuthzId to an associated distinguished name for internal use.
> > <end new>
>
> But the use in question is not internal. We need to map the uAuthzID
> to an associated distinguished name for EXTERNAL use. That is, for
> use with directory attributes such as creatorsname, modifiersname,
> member, owner, access control subjects, etc..
>
> Kurt
>
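As an added illustration of the point Kurt makes above (this is example code, not code from the thread, from the authmeth draft, or from any LDAP server): a toy server-side resolver that turns an authzId into a DN and then uses that DN where clients will see it, as the modifiersName value and as the subject of an owner check. It assumes the authzId syntax that RFC 2829 later standardized ("dn:" and "u:" prefixes); the directory entries and the userid-to-DN rule below are constructed, and a different server may legitimately apply a different rule, which is why the mapping is local and a uAuthzId cannot be treated as globally unique.

```python
"""Resolve a SASL authzId to a DN and use that DN externally (added example).

Assumed syntax (RFC 2829): authzId = "dn:" <dn> | "u:" <userid>.
DIRECTORY and the uid-based mapping rule are constructed for illustration.
"""

PEOPLE = "ou=people,dc=example,dc=com"
CONTRACTORS = "ou=contractors,dc=example,dc=com"
KURT_DN = "uid=kurt," + PEOPLE
BILL_DN = "uid=bcurtin," + PEOPLE
GROUP_DN = "cn=admins,ou=groups,dc=example,dc=com"

# Constructed sample directory: DN -> attribute values.
# "guest" appears twice on purpose: a userid that is not unique even inside
# this one server, so the server must refuse to pick one silently.
DIRECTORY = {
    KURT_DN: {"uid": ["kurt"], "cn": ["Kurt Zeilenga"]},
    BILL_DN: {"uid": ["bcurtin"], "cn": ["William Curtin"]},
    "uid=guest," + PEOPLE: {"uid": ["guest"]},
    "uid=guest," + CONTRACTORS: {"uid": ["guest"]},
    GROUP_DN: {"cn": ["admins"], "owner": [KURT_DN], "member": [KURT_DN, BILL_DN]},
}


def resolve_uauthzid(userid):
    """Server-local rule: map a userid to the single entry whose uid matches.

    Returns None when the userid is unknown or ambiguous. Another server may
    use a completely different rule (prior agreement with its clients).
    """
    matches = [dn for dn, attrs in DIRECTORY.items() if userid in attrs.get("uid", [])]
    return matches[0] if len(matches) == 1 else None


def authzid_to_dn(authzid):
    """Map an authzId of either form to a DN known to this server, else None."""
    if authzid.startswith("dn:"):
        dn = authzid[len("dn:"):]
        return dn if dn in DIRECTORY else None
    if authzid.startswith("u:"):
        return resolve_uauthzid(authzid[len("u:"):])
    return None  # no recognized prefix: not a valid authzId


def record_modification(authzid, target_dn):
    """Simulate a modify operation on target_dn by the subject behind authzid.

    The resolved DN is used for two external purposes: an access decision
    against the entry's owner attribute, and the modifiersName value that any
    client reading the entry afterwards will see. Returns (status, subject_dn).
    """
    subject = authzid_to_dn(authzid)
    if subject is None:
        # No DN can be derived, so there is nothing to put into modifiersName
        # or to compare against owner; the operation cannot proceed.
        return ("unmapped", None)
    entry = DIRECTORY[target_dn]
    if subject not in entry.get("owner", []):
        return ("denied", subject)
    entry["modifiersName"] = [subject]
    return ("ok", subject)


if __name__ == "__main__":
    for authzid in ("u:kurt", "u:bcurtin", "u:guest", "dn:" + KURT_DN, "kurt"):
        print(authzid, "->", record_modification(authzid, GROUP_DN))
    print("modifiersName on group:", DIRECTORY[GROUP_DN].get("modifiersName"))
```

The two failure modes worth noticing are the ones the draft text leaves to the server: "u:guest" resolves to nothing because the userid is ambiguous within this server's own namespace, and a bare "kurt" with no prefix is rejected rather than guessed at. In both cases no DN exists to stamp into modifiersName, which is exactly why the mapping has to be mandatory for any server that accepts the uAuthzId choice.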