
RE: AuthzIDs or DNs, but not both



At 01:00 PM 11/16/99 -0500, Curtin, William wrote:
>I'm trying to understand this proposal. 
>
>So are you proposing that there be a new object class, say 
>authorizedUser, which MUST contain the uauthzid attribute and 
>which is supported by a structure rule which allows this new 
>object class to reside at the same level as Country, Organization, 
>and Domain?

I purposely focused on the bind DN, not the entry it names.
However, if a specification were drafted, it would likely
have to specify the schema of the named entries.   First, note
that I intend to allow servers to make entries named by these
DNs not visible to clients (except for bind operations).
That is, a base search of one of these DNs may return
noSuchObject or such.   Of course, an implementation
could make them visible.

I am actually thinking that they would be subentries of the
root DSE.  This gives them a context which is local, that is,
they are not tied to any specific naming context.

>If so, is this object class outside of the server's naming 
>context?

As subentries of the root DSE they would be outside the
naming context(s) of the server.  

>Does it carry other attributes about a user (e.g. phone, 
>address, email, etc.) or are they found elsewhere in the DIT?

Likely not.

If there is reasonable support for exploring such an approach,
I would be willing to draft a specification and put it before
the WG for consideration.  I would want to enlist a coauthor
with strong knowledge of the LDAP/X.500 information model.

Regards, Kurt

----
Kurt D. Zeilenga		<kurt@boolean.net>
Net Boolean Incorporated	<http://www.boolean.net/>
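The visibility rule sketched in the message above (authorization identities named by DNs that are subentries of the root DSE, outside every naming context, usable for bind but returning noSuchObject to a base search) can be modelled in a few lines. The following is an added example, not code from the original message, from Kurt Zeilenga, or from any IETF or OpenLDAP work. It assumes a `uauthzid=` RDN for the authorization entries (Curtin's attribute name; the original proposal text is not on this page), comma-separated RDNs with no escaped commas, and simple-bind passwords stored as salted PBKDF2 hashes; real X.500 subentry semantics, anonymous binds and SASL are out of scope.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# LDAP result code names used below (RFC 2251 / RFC 4511 names).
SUCCESS = "success"
NO_SUCH_OBJECT = "noSuchObject"
INVALID_CREDENTIALS = "invalidCredentials"


def normalize_dn(dn: str) -> str:
    """Cheap DN normalization: lower-case and trim spaces around RDNs.
    Assumption: RDNs contain no escaped commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


@dataclass
class Entry:
    dn: str
    attrs: Dict[str, list] = field(default_factory=dict)
    pw_salt: bytes = b""
    pw_hash: bytes = b""

    def set_password(self, password: str) -> None:
        # Salted PBKDF2-HMAC-SHA256; the clear-text password is never kept.
        self.pw_salt = os.urandom(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.pw_salt, 100_000)

    def check_password(self, password: str) -> bool:
        if not self.pw_hash:
            return False  # entry has no userPassword; cannot bind as it
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), self.pw_salt, 100_000)
        return hmac.compare_digest(cand, self.pw_hash)


class ToyDirectory:
    """Toy DSA: ordinary entries live under naming contexts; authorization
    identities live as bind-only subentries of the root DSE."""

    def __init__(self, naming_contexts):
        self.naming_contexts = [normalize_dn(nc) for nc in naming_contexts]
        self.entries: Dict[str, Entry] = {}           # searchable DIT entries
        self.authz_subentries: Dict[str, Entry] = {}  # root DSE subentries

    def in_naming_context(self, dn: str) -> bool:
        n = normalize_dn(dn)
        return any(n == nc or n.endswith("," + nc) for nc in self.naming_contexts)

    def add_entry(self, dn: str, attrs: Dict[str, list], password: Optional[str] = None) -> None:
        if not self.in_naming_context(dn):
            raise ValueError("ordinary entries must fall under a naming context")
        e = Entry(normalize_dn(dn), attrs)
        if password is not None:
            e.set_password(password)
        self.entries[e.dn] = e

    def add_authz_subentry(self, dn: str, password: str) -> None:
        # The proposal puts these outside every naming context.
        if self.in_naming_context(dn):
            raise ValueError("authz subentries hang off the root DSE, not a naming context")
        e = Entry(normalize_dn(dn))
        e.set_password(password)
        self.authz_subentries[e.dn] = e

    def bind(self, dn: str, password: str) -> str:
        # Bind consults both tables; a missing entry and a wrong password give
        # the same answer so the bind DN space cannot be enumerated this way.
        n = normalize_dn(dn)
        e = self.entries.get(n) or self.authz_subentries.get(n)
        if e is None or not e.check_password(password):
            return INVALID_CREDENTIALS
        return SUCCESS

    def search_base(self, dn: str) -> Tuple[str, Optional[Dict[str, list]]]:
        # Search only sees the DIT: an authz subentry DN yields noSuchObject.
        e = self.entries.get(normalize_dn(dn))
        if e is None:
            return NO_SUCH_OBJECT, None
        return SUCCESS, dict(e.attrs)


def build_demo() -> ToyDirectory:
    """Constructed sample data (hypothetical DNs and passwords)."""
    d = ToyDirectory(["o=Example,c=US", "dc=example,dc=com"])
    d.add_entry("cn=Bill Curtin,o=Example,c=US",
                {"cn": ["Bill Curtin"], "mail": ["bill@example.com"]}, password="s3cret")
    d.add_authz_subentry("uauthzid=alice", "correct horse battery staple")
    return d


if __name__ == "__main__":
    d = build_demo()
    print("bind uauthzid=alice:", d.bind("uauthzid=alice", "correct horse battery staple"))
    print("search uauthzid=alice:", d.search_base("uauthzid=alice"))
    print("search Bill:", d.search_base("cn=Bill Curtin,o=Example,c=US"))
```

The point the model makes concrete is the split Kurt describes: `bind` resolves a DN against both the DIT and the root DSE subentries, while `search_base` resolves only against the DIT, so the authorization identities are usable for authentication without being discoverable through the directory. A production server would of course have to decide how administrators manage these subentries, which this toy leaves out.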