
Re: Proposal for SASL authorization
Mark,

Looks good.  I have one minor suggestion.

Instead of:
  MECH=KERBEROS_V4+UID=ADAMSON.LDAP+REALM=ANDREW.CMU.EDU

I suggest the general form (should be normalized*):
  uid=<ID> [+ ou=<REALM>], cn=<MECH>, <ROOT>

where <ID> is the associated user ID, <REALM> is the realm
(may not be present for some mechanisms), <MECH> is the
mechanism used, and <ROOT> is provided by a configuration
directive (default: CN=AUTHZ).

Having <ROOT> ensures that these DNs are not within
a database (which might have odd side effects).  And
the remainder is due to the fact that user/realms are mech
specific.  Realm is optional as some mechs don't support
realms.  Also, I changed attribute types to avoid having
to define new ones (because these DNs might get exposed).

So, your DN would be:
  UID=ADAMSON.LDAP+OU=ANDREW.CMU.EDU,CN=KERBEROS_V4,CN=AUTHZ

mine might be:
  UID=KURT@OPENLDAP.ORG,CN=GSSAPI,CN=AUTHZ
or
  UID=KURT+OU=OPENLDAP.ORG,CN=DIGEST-MD5,CN=AUTHZ
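As an added example (not code from this thread or from OpenLDAP), a Python mapping between a mechanism/user/realm triple and the proposed `uid=<ID>[+ou=<REALM>],cn=<MECH>,<ROOT>` form, with RFC 4514 escaping so that a user ID containing `,` or `+` cannot alter the DN's structure, plus the inverse parser, which rejects any DN not under `<ROOT>`. Upper-casing as the normalization and all function names are assumptions.

```python
import re

def escape_value(value):
    """RFC 4514 escaping: an ID containing ',' or '+' must not alter DN structure."""
    out = ''
    for i, ch in enumerate(value):
        special = (ch in ',+"\\<>;\x00' or (ch == ' ' and i in (0, len(value) - 1))
                   or (ch == '#' and i == 0))
        out += '\\%02X' % ord(ch) if special else ch
    return out

def unescape_value(value):
    """Undo escape_value (hex pairs and backslash-escaped single characters)."""
    return re.sub(r'\\([0-9A-Fa-f]{2}|.)',
                  lambda m: chr(int(m.group(1), 16)) if len(m.group(1)) == 2 else m.group(1),
                  value)

def _split_unescaped(s, sep):
    """Split on sep while treating backslash pairs as opaque."""
    parts, cur, i = [], '', 0
    while i < len(s):
        n = 2 if s[i] == '\\' else 1
        if n == 1 and s[i] == sep:
            parts.append(cur); cur = ''
        else:
            cur += s[i:i + n]
        i += n
    parts.append(cur)
    return parts

def build_authz_dn(mech, uid, realm=None, root='CN=AUTHZ'):
    """uid=<ID>[+ou=<REALM>],cn=<MECH>,<ROOT>. Upper-casing as the normalization
    is an assumption; the message does not define it."""
    rdn = 'UID=' + escape_value(uid.upper())
    if realm:
        rdn += '+OU=' + escape_value(realm.upper())
    return ','.join([rdn, 'CN=' + escape_value(mech.upper()), root])

def parse_authz_dn(dn, root='CN=AUTHZ'):
    """Inverse mapping: (mech, uid, realm), or None when dn is not under <ROOT>."""
    rdns = _split_unescaped(dn, ',')
    if len(rdns) < 3 or ','.join(rdns[2:]).upper() != root.upper():
        return None
    mech_type, _, mech = rdns[1].partition('=')
    avas = [ava.partition('=') for ava in _split_unescaped(rdns[0], '+')]
    attrs = {t.upper(): unescape_value(v) for t, _, v in avas}
    if mech_type.upper() != 'CN' or 'UID' not in attrs:
        return None
    return unescape_value(mech), attrs['UID'], attrs.get('OU')
```

The `<ROOT>` check in `parse_authz_dn` is what keeps a DN naming a real database entry from ever being taken for an authorization DN.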