
Re: comments on draft-ietf-ldapext-authmeth-01.txt



Seems to me like we can have the best of both worlds.
Keep the DN syntax, addressing Mark's and Bob B's
concerns about parsing, etc. Explicitly state in the document
that other schemes can easily be encapsulated in the DN
syntax. In fact, we could define a generic mechanism for
doing so. This should cause minimal inconvenience for
programmers.

-- Tim

Mark Wahl wrote:

> Thank you for your careful review of this document.  I have no problem
> making changes to the authentication methods draft based on many of your
> comments.
>
> However, authorization identities presented to LDAP servers by clients through
> SASL mechanisms are and should remain the string form of LDAP Distinguished
> Names.  There are already specifications and/or conventions of mechanisms for
> representing other forms of identifiers, such as URLs, domain names and RFC 822
> mail addresses, as attributes, and I believe it would be possible to specify
> most any other type of authorization id as a representation in an attribute
> type and value and thus be usable in a DN.  This allows an LDAP server to have
> a consistent mechanism to handle the representation of authorization identities,
> support multiple forms of authorization simultaneously for different clients,
> and allow for authorization of clients whose entry is held by that server.
>
> Allowing arbitrary strings in place of DNs would lead to a significant
> interoperability problem: how does a server recognize a string as belonging to
> a particular method of authorization, how could it route the authorization
> process to the appropriate component for verification, and how could a set of
> cooperating servers interwork without a common or replicable mechanism for
> performing access control checks?  While DNs are not a universal panacea, for
> these reasons I believe their strong typing and hierarchical aspects are
> beneficial for representing authorization information.
>
> Mark Wahl, Directory Product Architect
> Innosoft International Inc. / Critical Angle Inc.
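As an added illustration (not code from this thread or from either author), a Python sketch of the encapsulation Tim proposes and the type-based routing Mark asks about: a non-DN identifier is carried as one attribute-type/value RDN with RFC 2253 escaping, and the server dispatches on the attribute type, rejecting types it has no authorization method for. The attribute types chosen (mail, dc, labeledURI) and the handler names are assumptions for the example.

```python
# Added example (not from the thread): encapsulate non-DN authzids in DN syntax.
import re

# RFC 2253 escaping: specials , + " \ < > ; anywhere, plus leading ' ' or '#'
# and a trailing ' '.
_SPECIAL = set(',+"\\<>;')

def escape_rdn_value(value: str) -> str:
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (i == 0 and ch in ' #') or (i == last and ch == ' '):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)

def unescape_rdn_value(value: str) -> str:
    # Inverse of escape_rdn_value: a backslash yields the character after it.
    return re.sub(r'\\(.)', r'\1', value)

# Attribute type carrying each kind of identifier (assumed for illustration).
AUTHZ_ATTRIBUTES = {"mail": "mail", "domain": "dc", "url": "labeledURI"}

def encapsulate_authzid(kind: str, value: str) -> str:
    """Wrap a non-DN identifier in a single-RDN DN string."""
    return f"{AUTHZ_ATTRIBUTES[kind]}={escape_rdn_value(value)}"

def split_first_rdn(dn: str):
    """Return (attribute type, unescaped value) of the first RDN in dn."""
    i = 0
    while i < len(dn) and dn[i] != ',':
        i += 2 if dn[i] == '\\' else 1   # skip escaped characters
    attr, sep, raw = dn[:i].partition('=')
    if not sep or not attr.strip():
        raise ValueError(f"malformed RDN: {dn[:i]!r}")
    return attr.strip().lower(), unescape_rdn_value(raw)

# Verification component per attribute type (assumed names).
HANDLERS = {"mail": "rfc822-address-verifier",
            "dc": "domain-verifier",
            "labeleduri": "uri-verifier"}

def route_authzid(dn: str) -> str:
    """Select the verifier for an encapsulated authzid; unknown types are rejected."""
    attr, _ = split_first_rdn(dn)
    if attr not in HANDLERS:
        raise ValueError(f"no authorization method registered for {attr!r}")
    return HANDLERS[attr]
```

A value containing a comma survives the round trip because it is escaped on the way in and the RDN splitter skips escaped characters, which is the parsing concern the DN syntax has to get right.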