[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Authentication & Login sessions

To: David Nugent <davidn@austel.net>
Subject: Re: Authentication & Login sessions
From: mcs@netscape.com (Mark C Smith)
Date: Wed, 14 Jun 2000 10:05:17 -0400
Cc: openldap-devel@OpenLDAP.org
Organization: iPlanet E-Commerce Solutions
References: <Pine.BSF.4.21.0006141308430.8258-100000@biscuit.mel.ausisp.net>

David Nugent wrote:
> ...
> The primary problem is authentication. All processes are owned by a user,
> as is the usual model in UNIX. Since authentication comes from the
> directory, login sessions can therefore be tied to the specific object
> against which the user was authenticated. The problem is, during that
> session, the user will be accessing the directory (albiet hidden under the
> libc API bonnet), and since we don't want to make the directory world
> readable, the user requires *authenticated* access to the directory until
> the login session terminates. However, I doubt whether reserving a tcp
> connection for the life of each session is desirable, so a connectionless
> protocol, or at least a pre-authenticated tcp network connection is
> needed.

If one TCP/IP connection per UNIX client machine is an acceptable
alternative, you might consider implementing the proxy authentication
feature that is described in this Internet Draft:

   http://www.ietf.org/internet-drafts/draft-weltman-ldapv3-proxy-04.txt

The idea would be to maintain one connection per machine but use the
proxy authorization feature to impersonate different users.

-- 
Mark Smith
Directory Product Development / iPlanet E-Commerce Solutions
My words are my own, not my employer's.            Got LDAP?

References:
- Authentication & Login sessions
  - From: David Nugent <davidn@austel.net>

Prev by Date: RE: Authentication & Login sessions
Next by Date: Re: Authentication & Login sessions
Index(es):
- Chronological
- Thread