
Re: [AuthMeth] clarification on SASL DN AuthZ ID



At 06:42 PM 2/28/2003, Roger Harrison wrote:
>Kurt,
> 
>To address your comments on this, in the -05 version I will replace this text:
> 
>"All servers that support the storage of authentication credentials, such as passwords or certificates, in the directory MUST support the dnAuthzId choice. The format for distinguishedName is defined in section 3 of [LDAPDN]."
> 
>With this:
> 
>"The dnAuthzId choice allows client applications to assert authorization identities in the form of a distinguished name. The decision to allow or disallow an authentication identity to have access to the requested authorization identity is based on implementation defined policy ([SASL] section 4.2). For this reason there is no requirement that the asserted dn be that of an entry in the directory."
> 
>Does this sound reasonable to you?

Yes, except s/based on implementation defined/a matter of local/.

Kurt

> 
>Roger
> 
>>>> "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> 11/12/2002 10:27:08 PM >>>
>At 12:52 PM 2002-11-12, Roger Harrison wrote:
>>Section 4.4.1.1 of [AuthMeth] states:
>>
>>All servers that support the storage of authentication credentials, such as passwords or certificates, in the directory MUST support the dnAuthzId choice. The format for distinguishedName is defined in section 3 of [LDAPDN].
>>
>>I see two problems with this statement.
>
>The problem I see is that this MUST is not necessary for
>interoperability.
>
>For authentication only, no authorization identity is needed. As
>discussed on the ietf-sasl list, the authorization identity SHOULD
>only be provided if the client wishes to assume the identity
>different from that implied by the authentication credentials.
>That is, specifying an authorization identity when not doing
>proxy authorization causes interoperability problems and should
>be avoided.
>
>For proxy authorization, interoperability requires that the
>user know the value and form authzId expected by the server.
>Servers need only to support the value and forms they expect.
>If anything, we should be stating that CLIENTs which support
>Proxy Authorization SHOULD support both forms so that users
>can specify either.
>
>It's my personal opinion that paragraph should be deleted.
>
>Kurt
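The two authzId forms and the local-policy decision discussed in this thread, as an added illustration that is not code from the thread or from any LDAP server; the `dn:` / `u:` syntax is the one defined in RFC 2829 section 9 (carried into RFC 4513), while the policy table and identities are constructed sample data:

```python
"""Parse an LDAP SASL authorization identity and apply a local proxy policy.

authzId = "dn:" distinguishedName / "u:" userid   (RFC 2829 / RFC 4513)
"""
from typing import Optional, Tuple


def parse_authz_id(authz_id: str) -> Tuple[str, str]:
    """Split an authzId into its form ("dn" or "u") and its value.

    Any other prefix is rejected: a server only has to understand the
    forms it expects, so an unknown form is an error, not a guess.
    """
    if authz_id.startswith("dn:"):
        return "dn", authz_id[3:]
    if authz_id.startswith("u:"):
        return "u", authz_id[2:]
    raise ValueError(f"unsupported authzId form: {authz_id!r}")


# Constructed local policy (hypothetical site data): which authenticated
# DN may assume which authorization identities. As the thread says, this
# is a matter of local policy; the asserted DN need not name an entry.
PROXY_POLICY = {
    "cn=proxy,dc=example,dc=com": {"dn:cn=alice,dc=example,dc=com", "u:bob"},
}


def effective_identity(authn_dn: str, authz_id: Optional[str]) -> str:
    """Return the identity a bind results in.

    - No authzId (None or ""): the authentication identity is used as-is.
      This is the case when the client is not doing proxy authorization.
    - Otherwise the request is granted only if local policy allows it.
    """
    if not authz_id:
        return authn_dn
    form, value = parse_authz_id(authz_id)
    if f"{form}:{value}" in PROXY_POLICY.get(authn_dn, set()):
        return f"{form}:{value}"
    raise PermissionError(f"{authn_dn} may not assume {authz_id!r}")
```

A client that does not need proxy authorization passes `None` (sends no authzId at all), which sidesteps the interoperability problem described above.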