[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: LDAPDN and AuthMeth/DIGEST-MD5
> let me see if I can summarize each person's position
My position is that users should be able to authenticate securely
regardless of whether they provide a DN or non-DN authorization
identity to the client.
I believe non-DN authorization identities should be encapulated
within an LDAPDN so as to avoid introduction of a second on-the-wire
representation of authorization identities.
I believe that the server, upon successful authentication, SHOULD
determine DN representing the user which is usable as the
creatorsname, modifiersname, ACL subjectDN, etc.. This DN may
or may not be the same DN provided by the client.
Lastly, the DIGEST-MD5 mechanism described by AuthMeth does
not work for DN-based authorization identities. A canonical
utf8 representation of DNs is necessary.
----
Kurt D. Zeilenga <kurt@boolean.net>
Net Boolean Incorporated <http://www.boolean.net/>