[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: AuthzIDs or DNs, but not both
"Kurt D. Zeilenga" wrote:
>
> I did not mean to imply a "mandate". I want to provide a mechanism
> to allow clients to represent uAuthzId as DNs to eliminate the need
> for a second representation. The same mechanism can obviously apply
> to other authzid scheme that might be suggested.
>
> As for you point that the site / deployment may want to map the
> authorization identifier to some other DN, I see no problem with
> allowing it do so. This can be done by the client or the server
> and doesn't require an authzid on-the-wire representation.
But if the LDAP server is the entity that knows how to perform the
mapping, you need to send the authorization id to the LDAP server,
right? I don't think it is safe to assume that clients will know how to
perform the correct mapping; this kind of policy is typically managed by
server administrators.
--
Mark Smith
iPlanet Directory Architect / Sun-Netscape Alliance
My words are my own, not my employer's. Got LDAP?