
Re: AuthzIDs or DNs, but not both



"Curtin, William" wrote:
> 
> So then should the draft contain an additional paragraph to assure this
> mapping?
> 
> For example change section 11 to:
> 
> <snip>
> 
>    The uAuthzId choice allows for compatibility with client applications
>    which wish to authenticate to a local directory but do not know their
>    own Distinguished Name or have a directory entry.  The format of the
>    string is defined as only a sequence of UTF-8 encoded ISO 10646
>    characters, and further interpretation is subject to prior agreement
>    between the client and server.
> 
>    For example, the userid could identify a user of a specific directory
>    service, or be a login name or the local-part of an RFC 822 email
>    address. In general a uAuthzId MUST NOT be assumed to be globally unique.
> 
> <new>
>    All servers which support the uAuthzId choice MUST be capable of mapping
> the uAuthzId
>    to an associated distinguished name for internal use.
> <end new>

But the use in question is not internal.  We need to map the uAuthzID
to an associated distinguished name for EXTERNAL use.  That is, for
use with directory attributes such as creatorsname, modifiersname,
member, owner, access control subjects, etc.

Kurt
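The two authzId forms quoted above ("dn:" followed by a DN, "u:" followed by an opaque userid) and the point Kurt raises, that a uAuthzId has to end up as a DN before it can be written into attributes such as creatorsName or modifiersName, can be illustrated with a small server-side mapping. This is an added example, not code from the draft or from any of the posters; the userid-to-DN table and the sample names in it are constructed, and the exact-match lookup stands in for whatever prior agreement a real server would implement.

```python
from typing import Dict, Optional, Tuple

# Constructed sample mapping (assumption: the server resolves a userid
# to a DN by exact lookup in this table; a real server might search).
USERID_TO_DN: Dict[str, str] = {
    "alice": "cn=Alice Sample,ou=People,dc=example,dc=com",
    "bob": "cn=Bob Sample,ou=People,dc=example,dc=com",
}


def parse_authzid(authzid: str) -> Tuple[str, str]:
    """Split an authzId into its choice ("dn" or "u") and its value.

    Implements the two forms the draft defines: "dn:" + distinguished name
    and "u:" + userid. The prefix check is case-sensitive and anything
    else is rejected rather than guessed at.
    """
    if authzid.startswith("dn:"):
        return "dn", authzid[3:]
    if authzid.startswith("u:"):
        return "u", authzid[2:]
    raise ValueError(f"malformed authzId: {authzid!r}")


def resolve_to_dn(authzid: str,
                  directory: Dict[str, str] = USERID_TO_DN) -> Optional[str]:
    """Return the DN the server associates with authzid, or None.

    A dnAuthzId already carries its DN. A uAuthzId is only meaningful to
    this server (the draft says it MUST NOT be assumed globally unique),
    so it is resolved against the local table; an unmapped userid yields
    None instead of a fabricated DN.
    """
    choice, value = parse_authzid(authzid)
    if choice == "dn":
        return value
    return directory.get(value)


def modifiers_name_for(authzid: str) -> str:
    """Value to store in modifiersName for an operation run under authzid.

    This is the "external" use from the thread: the attribute holds a DN,
    so an identity that cannot be mapped to one cannot be recorded, and
    the operation should fail rather than write a bare userid.
    """
    dn = resolve_to_dn(authzid)
    if dn is None:
        raise LookupError(f"no DN mapped for {authzid!r}; cannot set modifiersName")
    return dn


if __name__ == "__main__":
    for ident in ("u:alice", "dn:cn=Admin,dc=example,dc=com", "u:nobody"):
        try:
            print(ident, "->", modifiers_name_for(ident))
        except LookupError as exc:
            print(ident, "->", "rejected:", exc)
```

The refusal in `modifiers_name_for` is the behaviour the proposed "MUST be capable of mapping" sentence would require of a server; a uAuthzId the server cannot map has no DN to put in creatorsName, modifiersName, member, owner, or an access control subject.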