
LDAP Proxied Authorization Control



Rob,

Your control syntax needs a slight change due to the change
to an "authentication identity".  RFC2829 states:
   The authorization identity is a string in the UTF-8 character set,
   corresponding to the following ABNF [7]: ...

Hence, there is no ASN.1 to BER encode (as you had in previous draft,
hence my previous suggestion).   I suggest:
   The control value, an OCTET STRING, contains a LDAP Authorization
   Identity (authzId) as described in RFC2829, Section 9.

Alternatively, you could define the value as the BER encoding of an
ASN.1 SEQUENCE which holds one OCTET STRING that contains an authzId.
   The control value is the BER encoding of proxiedAuthzValue:
		proxiedAuthzValue ::= SEQUENCE {
			proxyId	LDAPString }

   where proxyId contains an LDAP Authorization Identity (authzID) as
   described in RFC 2829, Section 9.  This sequence may be updated by
   Standard Track specifications updating this document.  Implementations
   SHOULD ignore elements of this sequence whose tags they do not
   recognize.

The latter offers a bit of extensibility which may or may not be
desirable.

Kurt
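To make the two alternatives Kurt lays out concrete, here is an added example (my own illustration, not code from the original thread or from any LDAP implementation) that builds both control values and parses the SEQUENCE form while skipping elements with unrecognized tags, as the proposed "SHOULD ignore" clause requires. It hand-encodes DER (a restricted form of BER) with only the standard library; the tag values are the standard universal ASN.1 tags, and the context-specific tag [0] used for the "unknown future element" is an assumption chosen for illustration.

```python
# Added example: the two candidate encodings for the proxied authorization
# control value discussed above, plus a parser for the SEQUENCE form that
# ignores unknown elements. Hand-rolled DER, standard library only.

TAG_OCTET_STRING = 0x04   # universal OCTET STRING (LDAPString is an OCTET STRING)
TAG_SEQUENCE = 0x30       # universal SEQUENCE, constructed


def _encode_length(n: int) -> bytes:
    """DER definite-form length: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _decode_length(buf: bytes, pos: int) -> tuple[int, int]:
    """Return (length, position after the length octets); rejects indefinite form."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4 or pos + 1 + nbytes > len(buf):
        raise ValueError("unsupported or truncated length encoding")
    length = int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big")
    return length, pos + 1 + nbytes


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _encode_length(len(value)) + value


def encode_raw_authzid(authzid: str) -> bytes:
    """Alternative 1: the control value is the bare authzId, UTF-8, no BER at all."""
    return authzid.encode("utf-8")


def encode_sequence_authzid(authzid: str, extra=()) -> bytes:
    """Alternative 2: BER of  proxiedAuthzValue ::= SEQUENCE { proxyId LDAPString }.
    `extra` is a list of (tag, value) pairs standing in for elements a future
    Standards Track update might append (assumed here for illustration)."""
    body = _tlv(TAG_OCTET_STRING, authzid.encode("utf-8"))
    for tag, val in extra:
        body += _tlv(tag, val)
    return _tlv(TAG_SEQUENCE, body)


def decode_sequence_authzid(value: bytes) -> tuple[str, list[int]]:
    """Parse alternative 2. Returns (authzId, tags of elements that were ignored).
    Malformed or truncated input raises ValueError rather than being guessed at."""
    if not value or value[0] != TAG_SEQUENCE:
        raise ValueError("control value is not a SEQUENCE")
    seq_len, pos = _decode_length(value, 1)
    end = pos + seq_len
    if end != len(value):
        raise ValueError("trailing data or truncated SEQUENCE")
    if pos >= end or value[pos] != TAG_OCTET_STRING:
        raise ValueError("first element must be proxyId (LDAPString)")
    slen, pos = _decode_length(value, pos + 1)
    if pos + slen > end:
        raise ValueError("truncated proxyId")
    authzid = value[pos:pos + slen].decode("utf-8")
    pos += slen
    ignored = []
    while pos < end:                      # remaining elements: unknown, skip them
        tag = value[pos]
        elen, pos = _decode_length(value, pos + 1)
        if pos + elen > end:
            raise ValueError("truncated element")
        ignored.append(tag)
        pos += elen
    return authzid, ignored


if __name__ == "__main__":
    # Constructed sample authzIds in the RFC 2829 "dn:" and "u:" forms.
    print(encode_raw_authzid("u:kurt").hex())
    wrapped = encode_sequence_authzid("dn:cn=admin", extra=[(0x80, b"x")])
    print(wrapped.hex(), decode_sequence_authzid(wrapped))
```

The parser treats the length prefix as authoritative and checks every element against the enclosing SEQUENCE boundary, so a control value that claims more data than it carries is rejected instead of being read past its end; that bounds check is the part worth keeping if you adapt the extensible form.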