[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: proxyAuth for bind (Was: Can I bind to server with DN not on server ?)

To: "'Kurt D. Zeilenga'" <Kurt@OpenLDAP.org>
Subject: RE: proxyAuth for bind (Was: Can I bind to server with DN not on server ?)
From: "Howard Chu" <hyc@symas.com>
Date: Sun, 30 Nov 2003 01:08:57 -0800
Cc: "'Tom Riddle'" <ftr@highstreetnetworks.com>, <openldap-devel@OpenLDAP.org>
Importance: Normal
In-reply-to: <6.0.0.22.0.20031129111817.03fb4750@127.0.0.1>

> -----Original Message-----
> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]

> One of the problems using the proxyAuthz control in chaining
> (between servers) is that it interferes with clients own use
> of the control between the client and the directory.
>
> In hallway discussions at IETF#58, we concluded that LDAP
> really needs to have a "chaining" operation which would wrap
> the client request when it was chained to another server (much
> like in X.500).  This would provide a clear separation between
> client's desires and chaining server's desires.

Sounds like time to dust off a copy of X.518 and read thru the Distributed
Authentication model... It seems a "ChainingArguments" control to accompany
any other operation would be more appropriate than a new operation.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

Follow-Ups:
- RE: proxyAuth for bind (Was: Can I bind to server with DN not on server ?)
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

References:
- Re: proxyAuth for bind (Was: Can I bind to server with DN not on server ?)
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

Prev by Date: RE: proxyAuth for bind (Was: Can I bind to server with DN not on server ?)
Next by Date: RE: commit: ldap/servers/slapd sasl.c
Index(es):
- Chronological
- Thread