
Re: [AuthMeth] clarification on SASL DN AuthZ ID



Kurt,
 
To address your comments on this, in the -05 version I will replace this text:
 
"All servers that support the storage of authentication credentials, such as passwords or certificates, in the directory MUST support the dnAuthzId choice. The format for distinguishedName is defined in section 3 of [LDAPDN]."
 
With this:
 
"The dnAuthzId choice allows client applications to assert authorization identities in the form of a distinguished name. The decision to allow or disallow an authentication identity to have access to the requested authorization identity is based on implementation defined policy ([SASL] section 4.2). For this reason there is no requirement that the asserted dn be that of an entry in the directory."
 
Does this sound reasonable to you?
 
Roger
 
>>> "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> 11/12/2002 10:27:08 PM >>>
At 12:52 PM 2002-11-12, Roger Harrison wrote:
>Section 4.4.1.1 of [AuthMeth] states:
>
>All servers that support the storage of authentication credentials, such as passwords or certificates, in the directory MUST support the dnAuthzId choice. The format for distinguishedName is defined in section 3 of [LDAPDN].
>
>I see two problems with this statement.

The problem I see is that this MUST is not necessary for
interoperability.

For authentication only, no authorization identity is needed. As
discussed on the ietf-sasl list, the authorization identity SHOULD
only be provided if the client wishes to assume the identity
different from that implied by the authentication credentials.
That is, specifying an authorization identity when not doing
proxy authorization causes interoperability problems and should
be avoided.

For proxy authorization, interoperability requires that the
user know the value and form of authzId expected by the server.
Servers need only to support the value and forms they expect.
If anything, we should be stating that CLIENTs which support
Proxy Authorization SHOULD support both forms so that users
can specify either.

It's my personal opinion that paragraph should be deleted.

Kurt
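As an added illustration (not code from this thread or from any LDAP implementation), the following Python models the two authzId forms, "dn:<DN>" and "u:<userid>", together with the two decisions discussed above: a client asserting an authorization identity only when it wants to proxy, and a server applying its own policy to the asserted value without requiring the DN to name an existing entry. The DN normalisation is a deliberately loose stand-in, and the policy table and identities are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional
@dataclass(frozen=True)
class AuthzId:
    form: str   # "dnAuthzId" or "uAuthzId"
    value: str  # DN or userid exactly as asserted

def parse_authzid(s: str) -> AuthzId:
    """Classify an authzId string by its prefix; reject unknown forms."""
    if s.startswith("dn:"):
        return AuthzId("dnAuthzId", s[3:])
    if s.startswith("u:"):
        return AuthzId("uAuthzId", s[2:])
    raise ValueError(f"unknown authzId form: {s!r}")

def normalise_dn(dn: str) -> str:
    """Loose comparison key (trim around ',' and '=', fold case).  Real DN
    matching follows the attribute syntaxes; this ignores escaped commas."""
    rdns = (p.split("=", 1) for p in dn.split(","))
    return ",".join("=".join(x.strip() for x in rdn) for rdn in rdns).lower()

def client_should_send_authzid(auth_dn: str, wanted_dn: Optional[str]) -> bool:
    """Client side: assert an authzId only to assume a *different* identity;
    restating the authentication identity is the interop problem noted above."""
    return wanted_dn is not None and normalise_dn(wanted_dn) != normalise_dn(auth_dn)

# Server side: implementation-defined proxy policy keyed by normalised
# authenticated DN.  Constructed sample data; the targets need not be
# entries that exist in the directory.
PROXY_POLICY = {
    "cn=proxy,ou=services,o=example": (
        AuthzId("dnAuthzId", "cn=alice,ou=people,o=example"),
        AuthzId("uAuthzId", "bob"),
    ),
}
def server_resolve_authz(auth_dn: str, authzid: Optional[str]) -> str:
    """Effective authorization identity for a bind: the authentication
    identity when no authzId was sent, otherwise only what policy allows."""
    if authzid is None:
        return auth_dn
    asserted = parse_authzid(authzid)
    if asserted.form == "dnAuthzId" and normalise_dn(asserted.value) == normalise_dn(auth_dn):
        return auth_dn  # same identity asserted: nothing to proxy
    for allowed in PROXY_POLICY.get(normalise_dn(auth_dn), ()):
        if allowed.form == asserted.form == "uAuthzId" and allowed.value == asserted.value:
            return "u:" + allowed.value
        if allowed.form == asserted.form == "dnAuthzId" and normalise_dn(allowed.value) == normalise_dn(asserted.value):
            return normalise_dn(allowed.value)
    raise PermissionError(f"{auth_dn!r} may not assume {authzid!r}")
```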