
Re: createSaslClient by the Java LDAP API



At 05:45 PM 4/4/01 -0700, Kurt D. Zeilenga wrote:
>The Java LDAP API appears to be responsible for
>calling createSaslClient() method of the Sasl class
>which requires as a parameter:
>
>      authorizationID The possibly null protocol-dependent 
>                     identification to be used for authorization, e.g. 
>                     user name or distinguished name. When the SASL 
>                     authentication completes successfully, the entity 
>                     named by authorizationId is granted access. If 
>                     null, access is granted to a protocol-dependent 
>                     default (for example, in LDAP this is the DN in 
>                     the bind request)

A little off-topic for this list, but I note parts of this
definition seem inconsistent with RFC 2222 and RFC 2829.  I
offer this alternative wording which I believe is more
consistent with RFC 2222 and RFC 2829.
   authorizationID
        The possibly null identity which the client is
        requesting to have the authorization of.  If null
        or empty, the server (not the API) derives an
        authorization identity from the mechanism authentication
        identity used.  The form of the authorizationID
        is protocol dependent and defined in the protocol's
        SASL profile.  For example, for LDAP (RFC 2829) the
        authorizationID may be empty (null) or of the form
        "u:userid" where userid is some arbitrary UTF-8
        string or "dn:distinguishedName" where distinguishedName
        is a string representation (RFC 2253) of an LDAP DN.

I would suggest further discussion of the SASL API be directed
to the ietf-sasl@imc.org mailing list or other suitable forum.
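As an added example (not part of this message or of the Java LDAP API), the Python below parses the two RFC 2829 authzId forms described above and applies the server-side rule the message points to: a requested authorization identity is granted only if the authenticated identity is permitted to assume it. The PROXY_POLICY table and the "u:" spelling of the authenticated identity are constructed assumptions, not anything the RFCs define.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed (assumed) server policy: which authenticated identities may
# request which authorization identities. RFC 2829 leaves this to the server.
PROXY_POLICY = {
    "u:svc-mailgw": {"dn:cn=mail admin,dc=example,dc=com"},
}

@dataclass(frozen=True)
class AuthzId:
    form: str      # "u" or "dn"
    value: str     # userid or string-form DN

def parse_authz_id(authz_id: Optional[str]) -> Optional[AuthzId]:
    """Parse an LDAP SASL authorization identity (RFC 2829 forms).

    Returns None for a null/empty authzId, meaning the server derives the
    authorization identity from the authentication identity. Raises
    ValueError for anything that is neither the "u:" nor the "dn:" form.
    """
    if authz_id is None or authz_id == "":
        return None
    if authz_id.startswith("u:"):
        userid = authz_id[2:]
        if not userid:
            raise ValueError("u: form requires a non-empty userid")
        return AuthzId("u", userid)
    if authz_id.startswith("dn:"):
        dn = authz_id[3:]
        # Minimal RFC 2253 sanity check: every RDN must carry attribute=value
        if not dn or any("=" not in rdn for rdn in dn.split(",")):
            raise ValueError("dn: form requires a string-form LDAP DN")
        return AuthzId("dn", dn)
    raise ValueError("authzId must be empty, 'u:<userid>' or 'dn:<DN>'")

def effective_identity(authn_id: str, authz_id: Optional[str]) -> str:
    """Server-side decision on which identity the bind actually receives.

    authn_id is the identity the SASL mechanism authenticated (assumed here to
    be spelled in "u:" form). An empty request yields that identity; any other
    request is granted only if PROXY_POLICY allows it, otherwise it is refused.
    """
    requested = parse_authz_id(authz_id)
    if requested is None:
        return authn_id
    target = f"{requested.form}:{requested.value}"
    if target == authn_id or target in PROXY_POLICY.get(authn_id, set()):
        return target
    raise PermissionError(f"{authn_id} may not act as {target}")
```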