[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: AuthzIDs or DNs, but not both



So then should the draft contain an additional paragraph to assure this
mapping?

For example change section 11 to:

<snip>

   The uAuthzId choice allows for compatibility with client applications 
   which wish to authenticate to a local directory but do not know their
   own Distinguished Name or have a directory entry.  The format of the 
   string is defined as only a sequence of UTF-8 encoded ISO 10646 
   characters, and further interpretation is subject to prior agreement 
   between the client and server.
  
   For example, the userid could identify a user of a specific directory 
   service, or be a login name or the local-part of an RFC 822 email 
   address. In general a uAuthzId MUST NOT be assumed to be globally unique.

<new>
   All servers which support the uAuthzId choice MUST be capable of mapping
the uAuthzId
   to an associated distinguished name for internal use.
<end new>

   Additional authorization identity schemes MAY be defined in future
   versions of this document.



							bill

> -----Original Message-----
> From: Harald Tveit Alvestrand [mailto:Harald@Alvestrand.no]
> Sent: Monday, November 15, 1999 4:47 PM
> To: Kurt D. Zeilenga; JHodges@oblix.com
> Cc: IETF LDAP Extensions WG; RL Bob Morgan
> Subject: Re: AuthzIDs or DNs, but not both
> 
> 
> At 11:30 14.11.99 -0800, Kurt D. Zeilenga wrote:
> >It appears to me that the authzIds-are-not-necessarily-DNs
> >notion will cause a ripple of change through the protocol and
> >information model.  The introduction of authzid
> >representation [AuthMeth] will lead to creatorsAuthzid,
> >modifiersAuthzid, memberAuthzid, and many other use of DNs
> >to be replaced with something that can contain both an
> >authzId.  I believe the addition of authzIds will
> >unnecessarily complicate the protocol and information model.
> 
> When we discussed this in Washington 2 years ago, I think we had an 
> implicit assumption that the authzId in the SASL exchange, 
> which may, but 
> need not, be a DN, would be *mapped to* a DN if required for 
> internal purposes.
> The purpose would be that the DN need not be maintained 
> anywhere seen by 
> the user.
> 
> I don't remember an argument that the idea "an identity is a 
> DN" should be 
> abandoned.
> In other words, I agree with Kurt.
> 
>                      Harald
> 
> --
> Harald Tveit Alvestrand, Maxware, Norway
> Harald.Alvestrand@maxware.no
>