RE: LDAPDN and AuthMeth/DIGEST-MD5



At 07:19 PM 11/19/99 -0800, you wrote:
>> -----Original Message-----
>> From: Kurt D. Zeilenga [mailto:kurt@boolean.net]
>> 
>> > let me see if I can summarize each person's position
>> 
>> My position is that users should be able to authenticate securely
>> regardless of whether they provide a DN or non-DN authorization
>> identity to the client.
>
>First, authorization identities have nothing to do with authentication and
>hence nothing to do with whether a user can authenticate securely.

I will reword in an attempt to clarify my position:

My position is that users should be able to authenticate securely
regardless of whether they provide a DN or non-DN identity to
the client.

>> 
>> I believe that the server, upon successful authentication, SHOULD
>> determine a DN representing the user which is usable as the
>> creatorsname, modifiersname, ACL subjectDN, etc.  This DN may
>> or may not be the same DN provided by the client.
>
>I think this conflicts with 2251, which says that those attributes are
>optional.

I do not believe my suggestion mandates that an implementation
provide a mapping NOR use it.  However, I do believe that since
RFC2251 says implementations SHOULD provide creatorsname and
modifiersname that AuthMeth should, when introducing non LDAP DN
authorization identities, state that implementations are allowed
to provide and use such a mapping to fulfill RFC2251 SHOULDs.