authmeth: bind and authorization/authentication IDs
The description of the Bind operation does not say which ID
(authorization or authentication) is transmitted. It can be deduced
from the definitions in Appendix C, but I think that's a bit weak. So I
suggest something like this is added:
In section 4 (Bind Operation):
The Bind operation sets the association's authentication and
authorization identities.
The Bind request typically specifies the desired authentication
identity.
If the authorization identity is not specified, the server derives it
from the authentication identity in an implementation-specific
manner.
...Then move (and edit a bit) this from Section 9.2 (Explicit
Assertion), since it applies to more than just EXTERNAL bind:
If the bind mechanism allows the authorization identity to be
supplied, and the client does supply it, the server MUST verify that
the authentication identity is permitted to be mapped to the asserted
authorization identity. The server MUST reject the Bind operation
with an invalidCredentials resultCode in the Bind response if the
client is not so authorized.
Also, in section 9 (SASL EXTERNAL Mechanism), specify that the
authentication ID is (derived from?) the security credentials (in
an implementation-specific manner?).
Section 9 says LDAP 'makes use of' the security credentials. I'm not
sure if that means the authentication ID must be what is contained in
the security credentials, or if the credentials can be transformed in
some way - e.g. via a private lookup table.
--
Hallvard
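As an added example, not part of the message above, here is a small server-side model of the proposed Bind rule: the authorization identity is derived from the authentication identity when not asserted, and an asserted one is checked against a permitted mapping, with invalidCredentials on failure. The identity strings, the mapping table and the reset to an anonymous association on failure are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# LDAP resultCode values (success = 0, invalidCredentials = 49).
SUCCESS = 0
INVALID_CREDENTIALS = 49

# Constructed, implementation-specific policy: for each authentication
# identity, the authorization identities it may be mapped to. The first
# entry is the one the server derives when the client asserts none.
ALLOWED_AUTHZ = {
    "dn:cn=alice,dc=example,dc=com": [
        "dn:cn=alice,dc=example,dc=com",
        "u:helpdesk",
    ],
    "u:bob": ["u:bob"],
}


@dataclass
class Association:
    """Identities bound to one LDAP association (None = anonymous)."""
    authc_id: Optional[str] = None
    authz_id: Optional[str] = None


def bind(assoc: Association, authc_id: str,
         asserted_authz_id: Optional[str] = None) -> int:
    """Apply the proposed Bind rule and return the Bind resultCode.

    The association's identities are set only on success; on failure it is
    reset to anonymous (an assumption of this model).
    """
    permitted = ALLOWED_AUTHZ.get(authc_id)
    if permitted is None:
        # Unknown authentication identity: treat as failed authentication.
        assoc.authc_id = assoc.authz_id = None
        return INVALID_CREDENTIALS
    if asserted_authz_id is None:
        # Authzid not supplied: server derives it (here, a table lookup).
        authz_id = permitted[0]
    elif asserted_authz_id in permitted:
        authz_id = asserted_authz_id
    else:
        # Mapping not permitted: MUST reject with invalidCredentials.
        assoc.authc_id = assoc.authz_id = None
        return INVALID_CREDENTIALS
    assoc.authc_id, assoc.authz_id = authc_id, authz_id
    return SUCCESS
```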