
Re: AuthzIDs or DNs, but not both
Though I disagree that creatorsName is a MAY (see RFC2252, 5.1.2 says
SHOULD), I do agree that this issue can be addressed by server side
mapping of non-DN authorization identities into DN identities.  I
would be curious to hear what others have done in this area.

I fully believe users should be able to specify authentication and
authorization identities which may or may not be entries within
the directory.  This, however, is quite different than saying we
need two on-the-wire representations of such identities.  LDAPDN
could be used to represent identities which are not or do not
have directory entries.  However, without operational experience
with such an approach, I will defer further comment until such
time that I do (which may be never).

I do believe, however, that there are a number of other issues
raised subsequently to my posting you quote that do need to be
addressed before AuthMeth/StartTLS drafts are published as an
RFC.  I will attempt to summarize my concerns in a separate posting.

Kurt

----
Kurt D. Zeilenga		<kurt@boolean.net>
Net Boolean Incorporated	<http://www.boolean.net/>