
RE: AuthzIDs or DNs, but not both

> -----Original Message-----
> From: Kurt D. Zeilenga [mailto:kurt@boolean.net]
> Sent: Monday, November 15, 1999 11:56 AM

>
> The key issue I am raising is whether or not it makes sense to have more
> than one protocol representation of authorization principals. I believe
> only one is necessary and that a second is an unnecessary complication.

LDAP servers should be free to use principal names supported by the platform on which they run. Users who are accustomed to a given principal name form should not have to learn the DN form. Client software should not have to turn the platform user name into a DN, only to have the server turn it back into the platform user name -- they should just take what the user typed and use that as the uAuthzId. Client software can't do this in a platform independent way.

So, yes, I believe it makes sense to have more than one representation. Unless that representation is a UTF-8 string.
And I think it makes clients and servers simpler, not more complicated.

>
> The fact that a server can map the uAuthzId to a DN implies
> that the client can map a uAuthzId to a DN.

That's a fallacy in all except the most trivial sense (that both sides are Turing complete). The client may not, and sometimes should not, have all the information available at the server.

Paul
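
The server-side step the two messages argue about, as an added example that is not part of the original thread: an authzId arrives in either the `u:` (platform user name) or `dn:` form, and only the server, which holds the directory, can turn the `u:` form into a DN. The `u:`/`dn:` prefix grammar is taken from RFC 4513 section 5.2.1.8 rather than from the message; the directory contents, the exact-match DN comparison and the rejection of an empty value are assumptions of this example.

```python
"""Parse LDAP/SASL authorization identities and resolve the u: form to a DN
on the server side.  Example code written for this discussion, not code from
the original message.  The "u:" / "dn:" prefix grammar follows RFC 4513
s.5.2.1.8; the directory below is constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AuthzId:
    form: str    # "u" (platform user name) or "dn" (distinguished name)
    value: str


def parse_authzid(raw: str) -> AuthzId:
    """Split an authzId into its form tag and value.

    Grammar (RFC 4513): authzId   = dnAuthzId / uAuthzId
                        dnAuthzId = "dn:" distinguishedName
                        uAuthzId  = "u:" userid
    Rejecting an empty value is a choice of this example, not a rule of the RFC.
    """
    if raw.startswith("dn:"):
        form, value = "dn", raw[3:]
    elif raw.startswith("u:"):
        form, value = "u", raw[2:]
    else:
        raise ValueError(f"authzId must start with 'u:' or 'dn:': {raw!r}")
    if not value:
        raise ValueError(f"authzId has an empty value: {raw!r}")
    return AuthzId(form, value)


# Constructed directory: entries keyed by DN, each carrying the platform user
# name in a 'uid' attribute.  Only the server holds this table; a client that
# merely has the user's typed name cannot reproduce the lookup below.
SERVER_DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=paul,ou=people,dc=example,dc=com": {"uid": ["paul"]},
    "uid=kurt,ou=people,dc=example,dc=com": {"uid": ["kurt"]},
    # second entry with the same platform name, to exercise the ambiguous case
    "uid=kurt,ou=contractors,dc=example,dc=com": {"uid": ["kurt"]},
}


def resolve_to_dn(authzid: AuthzId, directory: Dict[str, Dict[str, List[str]]]) -> str:
    """Map an authzId to exactly one DN using the server's directory.

    dn: form -> accepted only if the entry exists (exact string match here;
                a real server applies the RFC 4514 DN matching rules).
    u:  form -> search entries whose uid attribute equals the user name and
                require exactly one hit; zero or several hits are an error.
    """
    if authzid.form == "dn":
        if authzid.value not in directory:
            raise LookupError(f"no entry {authzid.value!r}")
        return authzid.value
    hits = [dn for dn, attrs in directory.items()
            if authzid.value in attrs.get("uid", [])]
    if len(hits) != 1:
        raise LookupError(
            f"u:{authzid.value} maps to {len(hits)} entries, need exactly 1")
    return hits[0]


def authorize(raw: str,
              directory: Dict[str, Dict[str, List[str]]] = SERVER_DIRECTORY) -> Optional[str]:
    """Return the authorization DN, or None when the identity is malformed or
    cannot be resolved unambiguously (the server should then reject the bind)."""
    try:
        return resolve_to_dn(parse_authzid(raw), directory)
    except (ValueError, LookupError):
        return None


if __name__ == "__main__":
    for ident in ("u:paul", "dn:uid=paul,ou=people,dc=example,dc=com",
                  "u:kurt", "u:nobody", "u:", "paul"):
        print(f"{ident!r:46} -> {authorize(ident)}")
```

Failing closed on an ambiguous `u:` name matters: if two entries share a platform user name, picking the first hit would let the bind land on whichever entry happens to sort first.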