
RE: Compromise Authentication Proposal



The LDAP server can do one of several things for usernames that aren't DNs.

1. It can look up the username in an authentication database that is NOT the
directory itself. This is not the most natural thing for a directory service
to do, but for lots of other services they don't have an obvious database --
mail protocols for example.

2. It can do a search for some attribute of the user's entry whose value is
the username. The "uid" attribute (e-mail address, IIRC) is one such choice,
and would integrate quite well with all of the mail protocols (at least).

3. It can hand control of the whole authentication exchange to the
authentication system on the machine it is running on. Part of the
philosophy of the SASL approach is that one can use implementations of SASL
mechanisms across many application protocols.

> -----Original Message-----
> From: Hallvard B Furuseth [mailto:h.b.furuseth@usit.uio.no]
> Sent: Wednesday, October 07, 1998 11:48 AM
> To: Paul Leach
> Cc: mcs@netscape.com; chris.newman@innosoft.com;
> ietf-ldapext@netscape.com; ietf-sasl@imc.org
> Subject: RE: Compromise Authentication Proposal
> 
> 
> I've missed something: What can the LDAP server *do* with the 
> usernames
> we bind as?  It's simple enough if the username is a DN, of course.
> But if I bind as "hbf", may the server translate that to a DN - e.g.
> with a local subtree search for (&(uid=hbf)(objectclass=person))?
> May it bind as user "hbf" which does not correspond to a DN, in a
> private user file?
> 
> -- 
> Hallvard
>
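The option-2 mapping (a subtree search for an entry whose uid is the bind name, as in Hallvard's (&(uid=hbf)(objectclass=person)) filter), as an added Python example that is not part of the original message or of any LDAP implementation. The directory is a constructed in-memory stand-in under an assumed dc=example,dc=org suffix, and the filter evaluator only understands the one AND-of-equalities shape the example builds; the point it shows is that the username has to be escaped per RFC 4515 before it goes into the filter, and that a zero- or multi-entry result must fail the bind rather than be guessed.

```python
# Added example: resolving a non-DN bind name ("hbf") to a DN with a directory
# search. The directory below is constructed sample data, not a real LDAP server.
import re
from typing import Dict, List, Optional, Tuple

# RFC 4515 escaping for assertion values. Without it a bind name such as
# "hbf)(objectclass=*" would change the structure of the filter itself.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_user_filter(username: str, attr: str = "uid") -> str:
    """The filter string the server would run against its own tree."""
    return f"(&({attr}={escape_filter_value(username)})(objectclass=person))"

# Constructed entries: DN -> attributes (attribute names kept lower-case).
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=hbf,ou=people,dc=example,dc=org": {"uid": ["hbf"], "objectclass": ["person", "inetOrgPerson"]},
    "uid=pleach,ou=people,dc=example,dc=org": {"uid": ["pleach"], "objectclass": ["person"]},
    "uid=dup,ou=people,dc=example,dc=org": {"uid": ["dup"], "objectclass": ["person"]},
    "uid=dup,ou=contractors,dc=example,dc=org": {"uid": ["dup"], "objectclass": ["person"]},
    "cn=printer,ou=devices,dc=example,dc=org": {"uid": ["printer"], "objectclass": ["device"]},
}

# Toy evaluator for filters of the exact shape (&(a=v)(b=v)...). No wildcards,
# no OR/NOT: it exists only so the escaped filter above is exercised end to end.
_ITEM = re.compile(r"\(([A-Za-z][A-Za-z0-9-]*)=((?:\\[0-9a-fA-F]{2}|[^()\\])*)\)")

def unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_and_filter(filt: str) -> List[Tuple[str, str]]:
    if not (filt.startswith("(&") and filt.endswith(")")):
        raise ValueError("only (&...) filters are supported in this example")
    body, pos, items = filt[2:-1], 0, []
    while pos < len(body):
        m = _ITEM.match(body, pos)
        if not m:
            raise ValueError(f"malformed filter item at {body[pos:]!r}")
        items.append((m.group(1).lower(), unescape_filter_value(m.group(2))))
        pos = m.end()
    return items

def entry_matches(attrs: Dict[str, List[str]], items: List[Tuple[str, str]]) -> bool:
    # Equality matching, case-insensitive like LDAP's common caseIgnoreMatch.
    return all(value.casefold() in [v.casefold() for v in attrs.get(attr, [])]
               for attr, value in items)

def search(filt: str) -> List[str]:
    """Stand-in for a subtree search: returns the DNs of matching entries."""
    items = parse_and_filter(filt)
    return [dn for dn, attrs in DIRECTORY.items() if entry_matches(attrs, items)]

class AmbiguousUserError(LookupError):
    """More than one entry matched: refuse the bind instead of picking one."""

def resolve_bind_name(name: str) -> Optional[str]:
    """Map a bind name to a DN. Names containing '=' are treated as DNs
    (a simplification; a real server would parse the DN), others are
    resolved by uid search. Returns None when nothing matches."""
    if "=" in name:
        return name if name in DIRECTORY else None
    hits = search(build_user_filter(name))
    if len(hits) > 1:
        raise AmbiguousUserError(f"{name!r} matches {len(hits)} entries")
    return hits[0] if hits else None

if __name__ == "__main__":
    for who in ["hbf", "nobody", "printer", "hbf)(objectclass=*"]:
        print(f"{who!r:28} filter={build_user_filter(who)!r:60} -> {resolve_bind_name(who)}")
```

The "dup" entry is deliberately present twice so that resolve_bind_name raises instead of silently binding the first hit; in a real deployment the same situation is what a uniqueness constraint on uid (or a scoped search base) prevents.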