Re: AuthzIDs or DNs, but not both
"Kurt D. Zeilenga" wrote:
>
> At 01:47 PM 11/15/99 -0500, Curtin, William wrote:
> >Perhaps the use of the word INTERNAL was a poor choice. By internal I meant
> >that the server would map the uAuthzId used for authentication into the
> >distinguished name associated with the uAuthzId to support operational
> >attributes, access control, etc. Is there a better way to phrase it?
>
> The key issue I am raising is whether or not it makes sense to have more
> than one protocol representation of authorization principals. I believe
> only one is necessary and that a second is an unnecessary complication.
>
> The fact that a server can map the uAuthzId to a DN implies
> that the client can map a uAuthzId to a DN. Hence, there is
> no need for the second protocol representation as the client can do
> this mapping. We just need to describe how the mapping should be
> done to make it generally useful.

I don't think we should mandate a single algorithm to map a given kind
of authorization ID to a DN. Why not? Because the right solution is
likely to be site / deployment specific.
--
Mark Smith
iPlanet Directory Architect / Sun-Netscape Alliance
My words are my own, not my employer's. Got LDAP?