Re: Authentication & Login sessions
David Nugent wrote:
> ...
> The primary problem is authentication. All processes are owned by a user,
> as is the usual model in UNIX. Since authentication comes from the
> directory, login sessions can therefore be tied to the specific object
> against which the user was authenticated. The problem is, during that
> session, the user will be accessing the directory (albeit hidden under the
> libc API bonnet), and since we don't want to make the directory world
> readable, the user requires *authenticated* access to the directory until
> the login session terminates. However, I doubt whether reserving a tcp
> connection for the life of each session is desirable, so a connectionless
> protocol, or at least a pre-authenticated tcp network connection is
> needed.
If one TCP/IP connection per UNIX client machine is an acceptable
alternative, you might consider implementing the proxy authentication
feature that is described in this Internet Draft:
http://www.ietf.org/internet-drafts/draft-weltman-ldapv3-proxy-04.txt
The idea would be to maintain one connection per machine but use the
proxy authorization feature to impersonate different users.
--
Mark Smith
Directory Product Development / iPlanet E-Commerce Solutions
My words are my own, not my employer's. Got LDAP?
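As an added example, not code from this thread or from any directory product: the control the cited draft defines, BER-encoded as an LDAPv3 Control and decoded again, together with the server-side decision a one-connection-per-machine design depends on, namely that the identity that bound the shared connection may only assume authzIds it has been granted. The OID and control layout are those of RFC 4370, which this draft became; the policy table, DNs and user names are constructed for the demo.

```python
# Added example (not from the thread or any LDAP product). OID and control
# layout per RFC 4370, which the cited draft became; policy table is constructed.
PROXY_AUTHZ_OID = "2.16.840.1.113730.3.4.18"

def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def encode_proxy_authz_control(authz_id: str) -> bytes:
    """Control ::= SEQUENCE { controlType LDAPOID, criticality BOOLEAN,
    controlValue OCTET STRING }.  RFC 4370: criticality TRUE; authzId is
    empty (anonymous), 'u:<user>' or 'dn:<DN>'."""
    if authz_id and not authz_id.startswith(("u:", "dn:")):
        raise ValueError("authzId must be empty, 'u:<user>' or 'dn:<DN>'")
    return _tlv(0x30, _tlv(0x04, PROXY_AUTHZ_OID.encode())
                + _tlv(0x01, b"\xff") + _tlv(0x04, authz_id.encode()))

def decode_proxy_authz_control(blob: bytes) -> str:
    """Return the requested authzId; reject anything but one critical control."""
    tag, seq, end = _read_tlv(blob, 0)
    t1, oid, p = _read_tlv(seq, 0)
    t2, crit, p = _read_tlv(seq, p)
    t3, val, p = _read_tlv(seq, p)
    if tag != 0x30 or end != len(blob) or p != len(seq) \
            or (t1, t2, t3) != (0x04, 0x01, 0x04):
        raise ValueError("unexpected Control layout")
    if oid.decode() != PROXY_AUTHZ_OID or crit != b"\xff":
        raise ValueError("not a critical Proxied Authorization control")
    return val.decode()

# Constructed policy: a login host's service DN may assume the users that log
# in on it; an ordinary user DN is granted nothing, so sending the control
# itself cannot escalate.  '' (drop to anonymous) is always honoured here.
PROXY_POLICY = {"cn=host1,ou=machines,dc=example,dc=com": {"u:alice", "u:bob"}}

def authorize_proxy(bound_dn: str, authz_id: str, policy=PROXY_POLICY) -> bool:
    return authz_id == "" or authz_id in policy.get(bound_dn, set())
```

The encoder is what the per-machine client attaches to each request on its single bound connection; `authorize_proxy` is the check the directory must make before honouring it, since the control by itself carries no proof that the bound identity is entitled to the requested one.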