[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: createSaslClient by the Java LDAP API

To: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Subject: Re: createSaslClient by the Java LDAP API
From: Rob Weltman <robw@worldspot.com>
Date: Thu, 05 Apr 2001 21:56:10 -0700
Cc: Rob Weltman <robw@coscend.com>, ietf-ldapext@netscape.com
References: <5.0.2.1.0.20010404172226.00b16ab0@127.0.0.1> <5.0.2.1.0.20010404203024.00a8fb30@127.0.0.1> <5.0.2.1.0.20010405081413.01f757f0@127.0.0.1>

"Kurt D. Zeilenga" wrote:
> 
> At 08:06 AM 4/5/01 -0700, Rob Weltman wrote:
> >"Kurt D. Zeilenga" wrote:
> >>
> >> At 08:11 PM 4/4/01 -0700, Rob Weltman wrote:
> >> >"Kurt D. Zeilenga" wrote:
> >> >>
> >> >> The Java LDAP API appears to be responsible for
> >> >> calling createSaslClient() method of the Sasl class
> >> >> which requires as a parameter:
> >> >>
> >> >>       authorizationID The possibly null protocol-dependent
> >> >>                      identification to be used for authorization, e.g.
> >> >>                      user name or distinguished name. When the SASL
> >> >>                      authentication completes successfully, the entity
> >> >>                      named by authorizationId is granted access. If
> >> >>                      null, access is granted to a protocol-dependent
> >> >>                      default (for example, in LDAP this is the DN in
> >> >>                      the bind request)
> >> >>
> >> I would suggest the addition of a separate argument to the
> >> SASL bind() methods:
> >>         authzId         If not null nor empty, an LDAP authzId (RFC2829).
> >>                         This parameter SHOULD be passed to the SASL layer
> >>                         unmodified.
> >
> >  That would cause ambiguity if both a DN and an authzId were supplied.
> 
> The dn parameter is the bind name, the authzId parameter is the
> SASL authorization identity.   That's a one-to-one API parameter
> to protocol element relationship, I see no ambiguity.

  OK, but if authzId IS null or empty, then the DN should be used as the SASL authorization identity? Or should the server derive the authorization identity from the authentication identity?

  For my own edification, not having experience with a directory that handles authzIds other than DNs:

  What are the respective influences of the authzId and the bind DN (which is not the authentication DN) on the authority of requests issued after successful authentication? Is it possible that one of the two could imply rights which would not be available to the other? Or does the bind DN no longer affect authorization if there is a separate authzId?

Rob

Follow-Ups:
- Re: createSaslClient by the Java LDAP API
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

References:
- createSaslClient by the Java LDAP API
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- Re: createSaslClient by the Java LDAP API
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- Re: createSaslClient by the Java LDAP API
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

Prev by Date: Be Healthier: Clean Your Indoor Air!
Next by Date: RE: IP Address in the ACM (Was: Comments on Access ControlModel - BNF)
Index(es):
- Chronological
- Thread