[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: AuthzIDs or DNs, but not both
At 11:56 15.11.99 -0800, Kurt D. Zeilenga wrote:
The fact that a server can map the uAuthzId to a DN implies
that the client can map a uAuthzId to a DN. Hence, there is
no need for the second protocol representation as the client can do
this mapping.
Not necessarily - the mapping may be done by:
1) data in the directory that is not accessible to the client before the
BIND operation is done
2) data that is not accessible to the client at all
Examples related to things I've heard or seen:
- AuthzID is a Kerberos identity, with the mapping stored in the Kerberos
database
- AuthzID is an NT domainname/username combo (cn=user,cn=domain), with a
mapping to a globally unique DN stored in the server
- AuthzID is an Unix login, with the DN created by appending the DN of
the organization from a server-side config file
In all these cases, the reasoning is that the client should only specify
what he can reasonably be expected to know, and that configuration should
be done on the server side only.
Harald A
--
Harald Tveit Alvestrand, Maxware, Norway
Harald.Alvestrand@maxware.no