
Re: createSaslClient by the Java LDAP API



At 08:11 PM 4/4/01 -0700, Rob Weltman wrote:
>"Kurt D. Zeilenga" wrote:
>> 
>> The Java LDAP API appears to be responsible for
>> calling createSaslClient() method of the Sasl class
>> which requires as a parameter:
>> 
>>       authorizationID The possibly null protocol-dependent
>>                      identification to be used for authorization, e.g.
>>                      user name or distinguished name. When the SASL
>>                      authentication completes successfully, the entity
>>                      named by authorizationId is granted access. If
>>                      null, access is granted to a protocol-dependent
>>                      default (for example, in LDAP this is the DN in
>>                      the bind request)
>> 
>> How does an application using the Java LDAP API
>> specify the authorizationID it desires?
>
>  As the DN parameter of the bind() operation.
>
>  The Java LDAP API draft predates RFC 2829 by quite a bit. Perhaps it should change the definition of the parameter to allow a username as an alternative to a DN.

I would suggest the addition of a separate argument to the
SASL bind() methods:
        authzId         If not null nor empty, an LDAP authzId (RFC2829).
                        This parameter SHOULD be passed to the SASL layer
                        unmodified.
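
An added illustration, not part of the thread or of the Java LDAP API draft: it uses the JDK's javax.security.sasl API and its built-in PLAIN mechanism to show what a SASL client puts on the wire when the authorization identity is null versus when an RFC 2829 authzId ("dn:..." or "u:...") is handed over unmodified. The host name, user names and password are constructed sample values.

```java
import java.nio.charset.StandardCharsets;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;

public class AuthzIdDemo {
    // Constructed sample credentials (the authentication identity).
    static final String AUTHC_ID = "bjensen";
    static final char[] PASSWORD = "secret".toCharArray();

    // Returns the PLAIN initial response with NUL separators shown as '|'.
    // PLAIN sends: [authzid] NUL authcid NUL password
    static String initialResponse(String authzId) throws SaslException {
        CallbackHandler cbh = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(AUTHC_ID);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(PASSWORD);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
        // authzId is passed straight through; no DN parsing or rewriting here.
        SaslClient sc = Sasl.createSaslClient(new String[] {"PLAIN"}, authzId,
                "ldap", "ldap.example.com", null, cbh);
        if (sc == null) {
            throw new SaslException("no PLAIN client available");
        }
        byte[] resp = sc.evaluateChallenge(new byte[0]);
        sc.dispose();
        return new String(resp, StandardCharsets.UTF_8).replace('\0', '|');
    }

    public static void main(String[] args) throws SaslException {
        // null: the server falls back to its protocol-dependent default.
        System.out.println("null     -> " + initialResponse(null));
        // RFC 2829 dnAuthzId and uAuthzId forms (constructed values).
        System.out.println("dn: form -> " + initialResponse("dn:cn=Directory Admin,dc=example,dc=com"));
        System.out.println("u: form  -> " + initialResponse("u:admin"));
    }
}
```

The mechanism only carries the string; whether the authenticated identity is allowed to act as the requested authzId is decided by the server.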