[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: AuthzIDs or DNs, but not both



Title: RE: AuthzIDs or DNs, but not both
Paul Leach responded to Kurt as follows
 
>> The key issue I am raising is whether or not it makes sense
>> to have more
>> than one protocol representation of authorization principals.
>>  I believe
>> only one is necessary and that a second is an unnecessary
>> complication.
> 
>LDAP servers should be free to use principal names supported by the
>platform on which they run.
 
This is the heart of a discussion we've had several times before in this WG and which
I thought we'd resolved.  LDAP servers are of course in some sense by definition
"free" to use principal names supported by the platform on which they run, since IETF
doesn't mandate implementation.  However they're NOT free to assume that their
clients know which platforms they run on, or to assume that their clients are willing or
able to generate and authenticate principal names of the sort supported by the server's
platform.
 
This is the heart of secure interoperability -- does the LDAP protocol specify a principal
namespace, or does it simply assume that the client and the server agree on a principal
namespace and authentication conventions out of band, and only begin to interoperably
use the LDAP protocol after identities have been established and authenticated?
 
Essentially this amounts to the question of whether an LDAP server has a notion of its
users' identities *AS LDAP USERS* or whether it's merely allowing all kinds of platform
(and maybe non-platform) users into its DIT.
 
The position of the working group has consistently been (both on the mailing list and
in the FTF meetings) that interoperable security for LDAP should be specified, rather than
simply exposing the underlying platform security.
 
>Users who are accustomed to a given principal
>name form should not have to learn the DN form.
 
This sounds plausible but carries many assumptions.  Users are accustomed to a variety of
different principal name forms, and to allow them to use these completely transparently
*and* still have an interoperable environment, it would be necessary to have every server:
 
(1) be able to distinguish all principal name forms, and to determine to which name
        form a given principal name conforms -- in the absence of explicit name-type indicators
        in some cases.
(2) be able to map all principal name forms to DNs.  Furthermore, in order to prevent
        "identity mutation" when visiting different servers, it would be desirable to have
        every server map every form of name to a DN in exactly the same way -- hence we'd
        need a separate RFC describing the mapping for all "interesting" name forms
        to enable heterogeneous, interoperable configurations.
(3) to be able to support authentication of all name forms (this would require doing the
        mapping as a prerequisite to looking up authentication data in LDAP on the bind)
 
or else it would be necessary to have every client map the name form provided by the user
into a DN prior to sending it to the LDAP server, but this is what Paul wants to avoid
in the paragraph below.
 
>Client software should not
>have to turn the platform user name into a DN, only to have the server turn
>it back into the platform user name -- they should just take what the user
>typed and use that as the uAuthzId. Client software can't do this in a platform independent way.
 
?? I'm confused... if there's a canonical way to turn each name form into a DN, then
the client can perform the transformation just as easily as the server.
 
>So, yes, I believe it makes sense to have more than one representation. Unless
>that representation is UTF-8 string.
>And I think it makes clients and servers simpler, not more complicated.
 
I don't get this.... can you explain why?

>> The fact that a server can map the uAuthzId to a DN implies
>> that the client can map a uAuthzId to a DN.
> 
>That's a fallacy in all except the most trivial sense (that both sides are Turing complete).
>The client may not, and sometimes should not, have all the information available at the server.
 
This I agree with.  However it's not a good assumption that the client NEEDS all the information to which
the server has access in order to do its job.
 
Normally at a client the user gets a name by logging on to the client system.  Normally this is done using
a particular, known name form.  This means that the client can in many cases correctly assume the
form of the name it's mapping from, and so has no confusion about how to map names (unless we
screw up really badly and underspecify the mappings).  There may be strange cases, but perhaps not many...

--bob
 
Bob Blakley (blakley@dascom.com)
Chief Scientist, Dascom

 
BEGIN:VCARD
VERSION:2.1
N:Blakley;Bob
FN:Bob Blakley
ORG:Dascom
TITLE:Chief Scientist
TEL;WORK;VOICE:+1 (512) 458-4037 x 5012
TEL;WORK;FAX:+1 (512) 458-2377
ADR;WORK;ENCODING=QUOTED-PRINTABLE:;;Plaza Balcones=0D=0A5515 Balcones Drive;Austin;TX;78731;USA
LABEL;WORK;ENCODING=QUOTED-PRINTABLE:Plaza Balcones=0D=0A5515 Balcones Drive=0D=0AAustin, TX 78731=0D=0AUSA
URL:
URL:http://www.dascom.com
EMAIL;PREF;INTERNET:blakley@dascom.com
REV:19991115T225938Z
END:VCARD