
RE: AuthzIDs or DNs, but not both



At 11:56 15.11.99 -0800, Kurt D. Zeilenga wrote:

> The fact that a server can map the uAuthzId to a DN implies
> that the client can map a uAuthzId to a DN.  Hence, there is
> no need for the second protocol representation as the client can do
> this mapping.

Not necessarily - the mapping may be done by:

1) data in the directory that is not accessible to the client before the
   BIND operation is done
2) data that is not accessible to the client at all

Examples related to things I've heard or seen:

- AuthzID is a Kerberos identity, with the mapping stored in the Kerberos
  database
- AuthzID is an NT domainname/username combo (cn=user,cn=domain), with a
  mapping to a globally unique DN stored in the server
- AuthzID is a Unix login, with the DN created by appending the DN of
  the organization from a server-side config file

In all these cases, the reasoning is that the client should only specify
what he can reasonably be expected to know, and that configuration should
be done on the server side only.

                      Harald A



--
Harald Tveit Alvestrand, Maxware, Norway
Harald.Alvestrand@maxware.no
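The three server-side mappings listed in the message above, as an added example that is not part of the original thread or of any LDAP server: a resolver that turns a SASL authzId of the "u:" form into a DN using data only the server holds (a Kerberos-style principal table, an NT domain/user table, and a base DN from server configuration), and passes the "dn:" form through after a syntax check. All tables, DNs, principal names and the function names are constructed for the example. One caveat the message does not mention is added here: when the DN is built by appending a configured base DN to a client-supplied login, the login must be escaped per RFC 4514 so that a value such as "root,ou=Admins" cannot smuggle extra RDNs into the resulting DN.

```python
"""Server-side mapping of SASL authzIds to DNs (added example, constructed data)."""
import re

# Characters that must be escaped inside a DN attribute value (RFC 4514, 2.4).
_DN_SPECIAL = re.compile(r'([,+"\\<>;=])')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value so it is safe to embed in a DN string."""
    out = _DN_SPECIAL.sub(r"\\\1", value)
    if out.startswith("#") or out.startswith(" "):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out


# Constructed server-side data the client cannot read before (or ever) binding.
# 1) Kerberos principal -> DN, standing in for a lookup in the KDC database.
KERBEROS_MAP = {
    "alice@EXAMPLE.COM": "uid=alice,ou=People,dc=example,dc=com",
}
# 2) NT domain/user -> globally unique DN, stored inside the server.
NT_MAP = {
    ("CORP", "bob"): "cn=bob,cn=CORP,ou=Windows,dc=example,dc=com",
}
# 3) Unix login -> DN built by appending a DN taken from server config.
UNIX_BASE_DN = "ou=People,dc=example,dc=com"


class AuthzError(Exception):
    """Raised when an authzId cannot be resolved to a DN."""


def map_authzid(authzid: str) -> str:
    """Resolve a SASL authzId ("u:<name>" or "dn:<dn>") to a DN.

    The "u:" form is interpreted with three constructed conventions:
    a name containing '@' is a Kerberos principal, a name containing
    a backslash is an NT DOMAIN\\user pair, anything else is a Unix login.
    """
    if authzid.startswith("dn:"):
        dn = authzid[3:]
        # Minimal syntax check: a DN must carry at least one attribute=value.
        if "=" not in dn:
            raise AuthzError("malformed dn: authzId")
        return dn
    if not authzid.startswith("u:"):
        raise AuthzError("unknown authzId form")
    user = authzid[2:]
    if not user:
        raise AuthzError("empty user name")

    if "@" in user:
        # Mapping lives in the (constructed) Kerberos database, not in the DIT.
        try:
            return KERBEROS_MAP[user]
        except KeyError:
            raise AuthzError("unknown Kerberos principal") from None

    if "\\" in user:
        # NT names are case-insensitive; normalise before the server-side lookup.
        domain, _, name = user.partition("\\")
        try:
            return NT_MAP[(domain.upper(), name.lower())]
        except KeyError:
            raise AuthzError("unknown NT account") from None

    # Unix login: escape before composing, so that a login like
    # "root,ou=Admins" yields one RDN value rather than two extra RDNs.
    return f"uid={escape_dn_value(user)},{UNIX_BASE_DN}"


if __name__ == "__main__":
    for aid in ("u:alice@EXAMPLE.COM", "u:CORP\\bob", "u:carol",
                "u:root,ou=Admins", "dn:cn=dave,dc=example,dc=com"):
        print(f"{aid!r:32} -> {map_authzid(aid)}")
```

The client supplies only what it knows (a principal, a domain/user pair, or a login); every rule that turns that into a DN stays on the server, which is the point the message makes. The escaping step is the practitioner's addition: without it, the third mapping lets the client choose the organisation part of its own DN.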