
[AuthMeth] clarification on SASL DN AuthZ ID



Section 4.4.1.1 of [AuthMeth] states:

All servers that support the storage of authentication credentials, such as passwords or certificates, in the directory MUST support the dnAuthzId choice. The format for distinguishedName is defined in section 3 of [LDAPDN].

I see two problems with this statement.

Problem 1: This requirement would apply to directories that store passwords or certificates for uses other than authentication of LDAP clients or establishing TLS sessions with LDAP clients. I believe the intent of this requirement was to apply to all servers that support the storage of authentication credentials used in authenticating LDAP clients and not to servers that store them for other unrelated purposes.

Problem 2: This statement does not specify whether the DN specified must exist in the directory when this form of SASL credentials is used. In my opinion it makes sense to require that the DN exist in the directory when this form is used. The unspecified authorization identity can be used for cases when the DN does not exist in the directory.

I propose the following wording to clarify these two issues:

All servers that support the storage of authentication credentials, such as passwords or certificates, in the directory for use in authenticating LDAP clients MUST support the dnAuthzId choice. The format for distinguishedName is defined in section 3 of [LDAPDN]. The distinguishedName value specified in the dnAuthzId MUST exist in the directory.

I welcome your comments and feedback on this proposal.

Sincerely,

Roger Harrison

Roger G. Harrison
Manager, eDirectory Core and Utilities
Novell, Inc., the Leading Provider of Net Business Solutions
www.novell.com
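As an added illustration, not part of the message above or of any server's code, here is a small Python check of a SASL authorization identity in the dnAuthzId form ("dn:" followed by a distinguishedName, per the authzId ABNF in [AuthMeth]) against the proposed rule that the named DN must exist in the directory; the in-memory directory contents and the simplified DN normalization are constructed assumptions.

```python
# Added example, not from the message or any server implementation.
# A dnAuthzId must name an existing entry; the empty (unspecified)
# authzId falls back to the authentication identity.

# Constructed stand-in for the DIT; a real server searches its backend.
DIRECTORY = {
    "cn=roger harrison,o=novell": {"userPassword": "<hash>"},
    "cn=admin,o=novell": {"userPassword": "<hash>"},
}


def normalize_dn(dn: str) -> str:
    """Simplified DN normalization (assumption): lowercase and strip
    whitespace around RDN separators. A real server applies the full
    [LDAPDN] rules, including escaped commas and multi-valued RDNs."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def resolve_authzid(authzid: str, authn_dn: str) -> str:
    """Return the effective authorization DN, or raise ValueError."""
    if authzid == "":
        # Unspecified authorization identity: derived from the
        # authentication identity, which is the case the message
        # reserves for identities that are not entries in the directory.
        return authn_dn
    if authzid[:3].lower() == "dn:":
        # ABNF string literals are case-insensitive, so "DN:" also matches.
        dn = normalize_dn(authzid[3:])
        if dn not in DIRECTORY:
            raise ValueError("dnAuthzId names an entry that does not exist")
        return dn
    if authzid[:2].lower() == "u:":
        # uAuthzId-to-entry mapping is deployment-specific; not shown here.
        raise NotImplementedError("uAuthzId mapping not implemented")
    raise ValueError("malformed authzId")


def authzid_is_acceptable(authzid: str, authn_dn: str) -> bool:
    """True if the server should accept this authzId for authn_dn."""
    try:
        resolve_authzid(authzid, authn_dn)
    except (ValueError, NotImplementedError):
        return False
    return True
```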