authmeth: association -= authentication ID



As far as I can tell, the authentication ID is only needed as a
parameter to the Bind operation, and can be discarded after the Bind
(as far as the LDAP protocol is concerned).  So the association need
only include the "authorization state", not the "authentication state".

I can think of two uses for the authentication ID after Bind:

- Logging: Does not need support from an LDAP standard.

- Chaining later requests to a trusted server (e.g. if the current
  server could handle the Bind, but not some other request):  Needs
  more info anyway; i.e. the rest of the credentials from the Bind.
  So keeping the authentication ID with the association is no help.

(I asked about this at the SASL group first, and got referred back here.
It is not a SASL matter how some protocol uses the authentication and
authorization IDs after authenticating via SASL.)

-- 
Hallvard