LDAP Proxied Authorization Control
Rob,
Your control syntax needs a slight change due to the change
to an "authentication identity". RFC2829 states:
The authorization identity is a string in the UTF-8 character set,
corresponding to the following ABNF [7]: ...
Hence, there is no ASN.1 to BER encode (as you had in previous draft,
hence my previous suggestion). I suggest:
The control value, an OCTET STRING, contains an LDAP Authorization
Identity (authzId) as described in RFC2829, Section 9.
Alternatively, you could define the value as the BER encoding of an
ASN.1 SEQUENCE which holds one OCTET STRING that contains an authzId.
The control value is the BER encoding of proxiedAuthzValue:
    proxiedAuthzValue ::= SEQUENCE {
        proxyId LDAPString }
where proxyId contains an LDAP Authorization Identity (authzID) as
described in RFC 2829, Section 9. This sequence may be updated by
Standard Track specifications updating this document. Implementations
SHOULD ignore elements of this sequence whose tags they do not
recognize.
The latter offers a bit of extensibility which may or may not be
desirable.
Kurt
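The two encodings Kurt proposes, as an added example that is not part of the original message: option 1 is the bare UTF-8 authzId, option 2 is the BER of `proxiedAuthzValue ::= SEQUENCE { proxyId LDAPString }`, with a decoder that skips elements whose tags it does not recognize, as the proposed text requires. Definite-form lengths and the "dn:"/"u:" sample identities are assumptions for the example.

```python
# Added example (not from the message): BER-encode the two proposed control
# values and decode the SEQUENCE form, ignoring unrecognized elements.
# Assumes definite-form lengths; authzId samples are constructed.

def ber_len(n: int) -> bytes:
    """Definite-form length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    """One BER element: tag, length, value."""
    return bytes([tag]) + ber_len(len(value)) + value

def control_value_plain(authz_id: str) -> bytes:
    """Option 1: the control value is just the UTF-8 authzId, no ASN.1."""
    return authz_id.encode("utf-8")

def control_value_sequence(authz_id: str) -> bytes:
    """Option 2: BER of proxiedAuthzValue ::= SEQUENCE { proxyId LDAPString }.
    LDAPString is an OCTET STRING (universal tag 4); SEQUENCE is tag 0x30."""
    return tlv(0x30, tlv(0x04, authz_id.encode("utf-8")))

def parse_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the element starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += 2 + n
    if pos + length > len(buf):
        raise ValueError("element length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length

def decode_sequence(value: bytes) -> str:
    """Extract proxyId; skip elements whose tag is not recognized."""
    tag, body, end = parse_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("control value is not a single SEQUENCE")
    proxy_id, pos = None, 0
    while pos < len(body):
        tag, elem, pos = parse_tlv(body, pos)
        if tag == 0x04 and proxy_id is None:
            proxy_id = elem.decode("utf-8")
        # any other tag is a future extension and is ignored
    if proxy_id is None:
        raise ValueError("proxyId missing from proxiedAuthzValue")
    return proxy_id
```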