
Re: KerberosId/UserID/access-id (two)



Kurt,

I'm a bit confused here about your authzID proposal.

I understand that you want to change access-id to authzID as defined
in the authmeth spec. authzID is carried in the SASL credential field.
The problem I have with this is that one of the mandatory methods of
authentication (per authmeth spec) is simple password over TLS
which does not even use SASL so no authzID can even be carried
in that flow.  So, if the ldapACI specifies authzID, there is no way to
ascertain that information short of providing some type of internal
mapping of authenticationID by the server.  Perhaps the assumption
is that if simple password over TLS is used, then the authzID equates
to the authentication identity passed in the bind?

Ellen


At 09:29 PM 3/29/00 +0900, Kurt D. Zeilenga wrote:
Fixed Typos...

Requirement as discussed:
The LDAP ACI model must be capable of supporting all authorization
identity forms prescribed by the protocol (and detailed by
the "Authentication Methods for LDAP" (authmeth) draft).  This
draft has been approved for publication as a Proposed Standard.

New Issue:
AuthMeth draft allows for addition of authorization forms and
these need to be supported by ACIs.  It should not be necessary
to update both the AuthMeth spec and the ACI spec to add authorization
forms to LDAP.  Such additions should only require extension as
described by authmeth.

Solution:

Rework the LDAPaci BNF such that the access-id is an AuthMethod
AuthzId.

For example:

ldapACI: 1.2.3.4#subtree#grant;r;attribute:attr1;
                         #access-id#dn:cn=jsmith,ou=ABC,o=XYZ,c=US
ldapACI: 1.2.3.4#subtree#grant;r;attribute:attr1;
                         #access-id#u:jsmith@REALM

Then, if and when AuthMeth is extended to support some new
form "guid:", the following would be allowed withOUT requiring
a separate update of the ldapACI specification.

ldapACI: 1.2.3.4#subtree#grant;r;attribute:attr1;
                         #access-id#guid:0xbad1D


I would also suggest "access-id" be changed to "authzID".

If you would like to discuss this issue, I should be available
tomorrow afternoon (prior to LDUP session).

        Kurt
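An added example, not code from the thread or from the ACI draft: a small Python parser for the ldapACI values quoted above, with the authzId forms kept in a registry so that a new form such as the hypothetical "guid:" can be added without touching the ACI parser, and with unknown forms rejected rather than matched. The function and class names (register_form, normalize_authzid, parse_ldap_aci, subject_matches, LdapAci), the simplified DN and username canonicalisation, and the idea of mapping a simple bind over TLS to a "dn:" authzId are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict

# Registry of authmeth authzId forms: prefix -> value normaliser.
# "dn:" and "u:" are the thread's forms; unregistered forms are rejected,
# so an unknown form can never silently match an ACI subject.
AUTHZ_FORMS: Dict[str, Callable[[str], str]] = {
    # simplified canonicalisation: trim and lower-case each RDN / the name
    "dn": lambda v: ",".join(p.strip().lower() for p in v.split(",")),
    "u": lambda v: v.strip().lower(),
}

def register_form(prefix: str, normaliser: Callable[[str], str]) -> None:
    """Add a new authzId form (e.g. a hypothetical 'guid:') without touching the parser."""
    AUTHZ_FORMS[prefix] = normaliser

def normalize_authzid(value: str) -> str:
    """Canonicalise 'form:data'; raises on an unregistered form (fail closed)."""
    form, sep, data = value.partition(":")
    if not sep or form not in AUTHZ_FORMS:
        raise ValueError(f"unsupported authzId form: {value!r}")
    return f"{form}:{AUTHZ_FORMS[form](data)}"

@dataclass(frozen=True)
class LdapAci:
    oid: str
    scope: str
    rights: str
    subject_type: str   # "access-id" in the draft, "authzID" as proposed
    subject: str        # canonical authzId, e.g. "dn:cn=jsmith,..."

def parse_ldap_aci(text: str) -> LdapAci:
    """Parse 'oid#scope#rights#access-id#authzId'; the value may be folded
    across lines as in the thread, so line-leading whitespace is dropped."""
    joined = "".join(line.strip() for line in text.splitlines())
    fields = joined.split("#", 4)          # the authzId may itself contain '#'
    if len(fields) != 5:
        raise ValueError("ldapACI needs five '#'-separated fields")
    oid, scope, rights, subject_type, subject = fields
    if subject_type not in ("access-id", "authzID"):
        raise ValueError(f"unexpected subject type: {subject_type!r}")
    return LdapAci(oid, scope, rights, subject_type, normalize_authzid(subject))

def subject_matches(aci: LdapAci, bound_identity: str) -> bool:
    """True when the bound authzId equals the ACI subject. For a simple bind
    over TLS (no SASL authzId) the caller supplies 'dn:<bind DN>' itself."""
    try:
        return normalize_authzid(bound_identity) == aci.subject
    except ValueError:
        return False                       # unknown form never matches
```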