
RE: AuthzIDs or DNs, but not both



At 01:21 PM 11/15/99 -0500, you wrote:
>So then should the draft contain an additional paragraph to assure this
>mapping?

I suggest it have a separate draft to define a one-to-one mapping
between arbitrary authentication identities and their DN representation.

Basically, I propose that when a user enters "kdz" as an authorization
string that the client uses the DN "authzid=kdz" to bind as user
"kdz".   This can be used with all forms of bind, but more importantly,
it can be used wherever a DN is allowed.  It provides the desired
capability of allowing users to provide an arbitrary string as an
authorization identity without introducing another on-the-wire
representation of identities.

I, then, suggest we amend all specifications that require use of authzid
to instead use DNs and make note that these DNs may represent
arbitrary authentication identities per the one-to-one mapping
document.

Kurt
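
Added example, not part of the message above and not taken from any draft: one way a client could build the "authzid=kdz" style DN so that the mapping stays one-to-one for arbitrary input. It assumes RFC 4514 string escaping for the attribute value; the function names and sample strings are hypothetical.

```python
MUST_ESCAPE = '"+,;<>\\'   # RFC 4514 characters that always need a backslash
PREFIX = "authzid="        # attribute type taken from the message

def authzid_to_dn(authzid: str) -> str:
    """Map an arbitrary string to a single-RDN DN (hypothetical helper)."""
    if not authzid:
        raise ValueError("empty authorization identity")
    last = len(authzid) - 1
    out = []
    for i, ch in enumerate(authzid):
        if ch == "\x00":
            out.append("\\00")
        elif ch in MUST_ESCAPE or (ch == " " and i in (0, last)) or (ch == "#" and i == 0):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return PREFIX + "".join(out)

def dn_to_authzid(dn: str) -> str:
    """Inverse mapping; rejects DNs that are not one escaped authzid RDN."""
    if not dn.lower().startswith(PREFIX):
        raise ValueError("not an authzid DN")
    s, raw, i = dn[len(PREFIX):], bytearray(), 0
    while i < len(s):
        ch = s[i]
        if ch == "\\":
            pair = s[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                raw.append(int(pair, 16)); i += 3
            elif i + 1 < len(s):
                raw += s[i + 1].encode("utf-8"); i += 2
            else:
                raise ValueError("dangling escape")
        elif ch in MUST_ESCAPE:
            raise ValueError("unescaped special: more than one RDN or malformed")
        else:
            raw += ch.encode("utf-8"); i += 1
    return raw.decode("utf-8")

# Constructed sample inputs, including one that would add RDNs if concatenated raw.
SAMPLES = ["kdz", "kdz,dc=example,dc=com", " padded ", "#hash", 'a"b\\c+d']

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", authzid_to_dn(s))
```

Without the escaping step, the second sample would produce a three-RDN DN that names a different entry than the string the user typed, so the mapping would no longer be one-to-one.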