
Re: AuthzIDs or DNs, but not both



"Kurt D. Zeilenga" wrote:
> 
> I did not mean to imply a "mandate".  I want to provide a mechanism
> to allow clients to represent uAuthzId as DNs to eliminate the need
> for a second representation.  The same mechanism can obviously apply
> to other authzid schemes that might be suggested.
> 
> As for your point that the site / deployment may want to map the
> authorization identifier to some other DN, I see no problem with
> allowing it to do so.  This can be done by the client or the server
> and doesn't require an authzid on-the-wire representation.

But if the LDAP server is the entity that knows how to perform the
mapping, you need to send the authorization id to the LDAP server,
right?  I don't think it is safe to assume that clients will know how to
perform the correct mapping; this kind of policy is typically managed by
server administrators.

-- 
Mark Smith
iPlanet Directory Architect / Sun-Netscape Alliance
My words are my own, not my employer's.   Got LDAP?
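The point under discussion is that the authzid reaches the server in its
on-the-wire form so that the server, not the client, applies the
site's mapping policy.  The following is an added illustration of such
a server-side mapping, not code from this thread, OpenLDAP or iPlanet.
It parses the two authzId forms defined in RFC 2829 ("u:" userid and
"dn:" distinguished name) and applies an administrator-managed policy to
turn a "u:" identity into a DN.  The base DN, the override table and the
choice to reject any scheme other than "u" and "dn" are assumptions made
for the example; the RDN escaping follows RFC 4514.

```python
"""Server-side mapping of SASL authorization identities (authzId) to DNs.

Added example.  Handles the two authzId forms from RFC 2829:
    dnAuthzId = "dn:" distinguishedName
    uAuthzId  = "u:"  userid
The site policy (USER_BASE_DN, SITE_OVERRIDES) is a constructed
assumption standing in for whatever a directory administrator configures.
"""
from dataclasses import dataclass

# Constructed policy: where plain "u:" identities are placed by default.
USER_BASE_DN = "ou=People,dc=example,dc=com"

# Constructed policy: administrator overrides that send particular
# user ids somewhere other than the default container.
SITE_OVERRIDES = {
    "dirmanager": "cn=Directory Manager",
}

# Characters that must be backslash-escaped inside an RDN value (RFC 4514).
_RDN_SPECIALS = set('"+,;<>\\')


@dataclass(frozen=True)
class AuthzId:
    scheme: str   # "u" or "dn"
    value: str    # userid or DN, exactly as sent by the client


def parse_authzid(raw: str) -> AuthzId:
    """Split an on-the-wire authzId into scheme and value.

    Only the two RFC 2829 schemes are accepted.  Rejecting everything
    else (assumption for this example) stops an unknown or malformed
    prefix from being silently treated as a user name or a DN.
    """
    if not raw:
        raise ValueError("empty authzId")
    scheme, sep, value = raw.partition(":")
    if not sep:
        raise ValueError("authzId has no scheme prefix")
    if scheme not in ("u", "dn"):
        raise ValueError(f"unknown authzId scheme {scheme!r}")
    if not value:
        raise ValueError("authzId has an empty value")
    return AuthzId(scheme, value)


def _escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside an RDN (RFC 4514 rules).

    Special characters get a backslash; a leading '#' or space and a
    trailing space are also escaped so the userid cannot alter the
    structure of the DN it is placed in.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _RDN_SPECIALS:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def map_to_dn(authz: AuthzId) -> str:
    """Apply the server-side policy to a parsed authzId.

    A "dn:" identity is taken as given; a "u:" identity is first checked
    against the administrator's override table and otherwise placed under
    USER_BASE_DN with its userid escaped.
    """
    if authz.scheme == "dn":
        return authz.value
    userid = authz.value
    if userid in SITE_OVERRIDES:
        return SITE_OVERRIDES[userid]
    return f"uid={_escape_rdn_value(userid)},{USER_BASE_DN}"


def resolve(raw: str) -> str:
    """Parse and map an on-the-wire authzId in one step."""
    return map_to_dn(parse_authzid(raw))


if __name__ == "__main__":
    for sample in ("u:jdoe", "u:dirmanager", "dn:cn=Mark Smith,o=iPlanet"):
        print(f"{sample!r:32} -> {resolve(sample)}")
```

Because the client only ever sends "u:jdoe", changing where users live
or adding an override is a server-side configuration change; a client
that had mapped the userid to a DN itself would have baked that policy
into every deployed copy.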