[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: AuthzIDs or DNs, but not both

To: "'Kurt D. Zeilenga'" <Kurt@OpenLDAP.Org>, "Curtin, William" <curtinw@ftm.disa.mil>
Subject: RE: AuthzIDs or DNs, but not both
From: "Paul Leach (Exchange)" <paulle@Exchange.Microsoft.com>
Date: Mon, 15 Nov 1999 14:38:49 -0800
Cc: "Curtin, William" <curtinw@ftm.disa.mil>, ietf-ldapext@netscape.com
Resent-date: Mon, 15 Nov 1999 14:39:29 -0800 (PST)
Resent-from: ietf-ldapext@netscape.com
Resent-message-id: <"W6qteB.A.LS.VuIM4"@glacier>
Resent-sender: ietf-ldapext-request@netscape.com

Title: RE: AuthzIDs or DNs, but not both

> -----Original Message-----
> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.Org]
> Sent: Monday, November 15, 1999 12:01 PM
> To: Curtin, William
> Cc: Curtin, William; ietf-ldapext@netscape.com
> Subject: RE: AuthzIDs or DNs, but not both
>
>
> At 02:54 PM 11/15/99 -0500, Curtin, William wrote:
> >> Basically, I propose that when a user enters "kdz" as an
> authorization
> >> string that the client uses the DN "authzid=kdz"
> >
> >[do you mean RDN authzid=kdz?
>
> No. I mean the DN "authzid=kdz". That is, the DN as only one
> component.

This isn't a legal DN. (Not that I care very much, but some people care really a lot, and we work by rough concensus around here...)

Even if it were, it doesn't provide much if any added value over saying that the authzid is a UTF-8 string.

If this is going to prove such a bother, I would just prefer that the whole authzid thing got yanked. I think its a bad idea to let anyone (even an admin) just declare that they want to be someone else. A bad idea in that I think its ripe for security abuse.

Paul

Prev by Date: RE: AuthzIDs or DNs, but not both
Next by Date: RE: C API: minor comments
Index(es):
- Chronological
- Thread