
RE: AuthzIDs or DNs, but not both



See embedded comments.

> -----Original Message-----
> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.Org]
> Sent: Monday, November 15, 1999 2:01 PM
> To: Curtin, William
> Cc: ietf-ldapext@netscape.com
> Subject: RE: AuthzIDs or DNs, but not both
> 
> 
> At 01:21 PM 11/15/99 -0500, you wrote:
> >So then should the draft contain an additional paragraph to assure this
> >mapping?
> 
> I suggest it have a separate draft to define a one-to-one mapping
> between arbitrary authentication identities and their DN representation.
> 
> Basically, I propose that when a user enters "kdz" as an authorization
> string that the client uses the DN "authzid=kdz"
 
[Do you mean RDN authzid=kdz? That is, are you suggesting that all users
which are being mapped from uauthzid to a DN have to reside in
"authzid=kdz, dc=foobar, dc=com"? If so, I don't see the benefit of
mapping to this form of DN over any other DN. Why couldn't I map to, for
instance, an Active Directory form of DN - "cn=kdz, cn=users, dc=foobar,
dc=com"?]
 
> to bind as user
> "kdz".   This can be used with all forms of bind, but more importantly,
> it can be used wherever a DN is allowed.  It provides the desired
> capability of allowing users to provide an arbitrary string as an
> authorization identity without introducing another on-the-wire
> representation of identities.
> 
> I, then, suggest we amend all specifications that require use of authzid
> to instead use DNs and make note that these DNs may represent
> arbitrary authentication identities per the one-to-one mapping
> document.
> 
> Kurt
>
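As an added illustration of the one-to-one mapping Kurt proposes (example code written for this page, not code from the thread or from OpenLDAP): an arbitrary identity string placed in the RDN "authzid=..." has to be escaped per RFC 4514, otherwise an identity containing ',' or '+' would read as extra DN components and the mapping would no longer be one-to-one. The attribute name "authzid" is the thread's; the function names are this example's own.

```python
# Example mapping between an arbitrary authorization identity and the
# single-RDN DN form "authzid=<value>". Not from the thread or OpenLDAP.
import re
from typing import Optional

_SPECIAL = '"+,;<>\\'   # RFC 4514 characters that must be escaped in a value
_PREFIX = "authzid="

def authzid_to_dn(authzid: str) -> str:
    """Escape the identity per RFC 4514 and wrap it as a one-RDN DN."""
    out = []
    last = len(authzid) - 1
    for i, ch in enumerate(authzid):
        if ch == "\x00":
            out.append("\\00")               # NUL must be hex-escaped
        elif ch in _SPECIAL:
            out.append("\\" + ch)            # ',' '+' etc. would split the DN
        elif (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)            # leading '#', leading/trailing space
        else:
            out.append(ch)
    return _PREFIX + "".join(out)

def dn_to_authzid(dn: str) -> Optional[str]:
    """Inverse mapping; None means the DN is not a well-formed authzid DN."""
    if dn[:len(_PREFIX)].lower() != _PREFIX:
        return None
    value = dn[len(_PREFIX):]
    raw = bytearray()   # collect bytes so multi-byte hex escapes decode correctly
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\":
            hexpair = value[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", hexpair):
                raw.append(int(hexpair, 16)); i += 3
            elif i + 1 < len(value) and value[i + 1] in _SPECIAL + "# =":
                raw += value[i + 1].encode(); i += 2
            else:
                return None                  # dangling or unknown escape
        elif ch in _SPECIAL:
            return None                      # unescaped ',' or '+': multi-RDN DN, not ours
        else:
            raw += ch.encode(); i += 1
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
```

A DN such as "cn=kdz, cn=users, dc=foobar, dc=com" is rejected by the inverse mapping, which is exactly the property a separate one-to-one mapping draft would need to pin down.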