Re: createSaslClient by the Java LDAP API
At 05:45 PM 4/4/01 -0700, Kurt D. Zeilenga wrote:
>The Java LDAP API appears to be responsible for
>calling createSaslClient() method of the Sasl class
>which requires as a parameter:
>
> authorizationID The possibly null protocol-dependent
> identification to be used for authorization, e.g.
> user name or distinguished name. When the SASL
> authentication completes successfully, the entity
> named by authorizationId is granted access. If
> null, access is granted to a protocol-dependent
> default (for example, in LDAP this is the DN in
> the bind request)
A little off-topic for this list, but I note parts of this
definition seem inconsistent with RFC 2222 and RFC 2829. I
offer this alternative wording which I believe is more
consistent with RFC 2222 and RFC 2829.
authorizationID
The possibly null identity which the client is
requesting to have the authorization of. If null
or empty, the server (not the API) derives an
authorization identity from the mechanism authentication
identity used. The form of the authorizationID
is protocol dependent and defined in the protocol's
SASL profile. For example, for LDAP (RFC 2829) the
authorizationID may be empty (null) or of the form
"u:userid" where userid is some arbitrary UTF-8
string or "dn:distinguishedName" where distinguishedName
is a string representation (RFC 2253) of an LDAP DN.
I would suggest further discussion of the SASL API be directed
to the ietf-sasl@imc.org mailing list or other suitable forum.
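The two authzid forms the reply describes for LDAP, as an added example that is not part of the message above and is not code from the Java LDAP API. It parses and builds RFC 2829 authorization identities ("u:userid", "dn:distinguishedName", or empty meaning the server derives the identity), and rejects a bare user name or DN passed without a prefix, which is the reading of the Java documentation the reply objects to. The DN check is only a shallow sanity check on the first RDN, not a full RFC 2253 parser; that simplification is an assumption made here for illustration.

```python
"""Parse and build LDAP SASL authorization identities (RFC 2829 forms).

Added example; not from the Java LDAP API or the message it replies to.
Grammar followed:  authzId = "u:" userid / "dn:" distinguishedName / empty
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AuthzId:
    kind: str             # "u", "dn", or "server-derived"
    value: Optional[str]  # userid or RFC 2253 DN string; None when server-derived


def _looks_like_dn(dn: str) -> bool:
    # Assumption for illustration: a shallow check that the first RDN has the
    # "attr=value" shape. A real implementation would parse RFC 2253 fully.
    if not dn:
        return False
    first_rdn = dn.split(",", 1)[0]
    attr, sep, value = first_rdn.partition("=")
    return bool(sep) and attr.strip() != "" and value != ""


def parse_authzid(authzid: Optional[str]) -> AuthzId:
    """Classify a client-supplied authzid as the LDAP SASL profile defines it."""
    # Null or empty: the client requests no specific identity, and the server
    # derives the authorization identity from the authentication identity.
    if authzid is None or authzid == "":
        return AuthzId("server-derived", None)
    if authzid.startswith("u:"):
        # userid is an arbitrary UTF-8 string; only emptiness is rejected here.
        userid = authzid[2:]
        if userid == "":
            raise ValueError('"u:" form requires a non-empty userid')
        return AuthzId("u", userid)
    if authzid.startswith("dn:"):
        dn = authzid[3:]
        if not _looks_like_dn(dn):
            raise ValueError('"dn:" form requires an RFC 2253 DN string')
        return AuthzId("dn", dn)
    # A bare user name or DN (no "u:"/"dn:" prefix) is not a valid LDAP authzid.
    raise ValueError(f"unrecognised LDAP authzid form: {authzid!r}")


def build_authzid(userid: Optional[str] = None, dn: Optional[str] = None) -> str:
    """Produce the string a client should pass as authorizationID."""
    if userid is not None and dn is not None:
        raise ValueError("supply either userid or dn, not both")
    if userid is not None:
        if userid == "":
            raise ValueError("userid must be non-empty")
        return "u:" + userid
    if dn is not None:
        if not _looks_like_dn(dn):
            raise ValueError("dn must be an RFC 2253 DN string")
        return "dn:" + dn
    # Neither given: empty authzid, server derives the identity.
    return ""


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real directory.
    for sample in (None, "", "u:alice", "dn:cn=alice,dc=example,dc=com",
                   "cn=alice,dc=example,dc=com"):
        try:
            print(repr(sample), "->", parse_authzid(sample))
        except ValueError as err:
            print(repr(sample), "-> rejected:", err)
```

The rejection of the unprefixed "cn=alice,dc=example,dc=com" is the practical consequence of the reply's point: a client library that passes a raw DN or user name as the authzid, as the Java documentation wording invites, produces an identity the LDAP SASL profile does not define.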