
Re: createSaslClient by the Java LDAP API



At 10:19 AM 4/6/01 -0700, Rob Weltman wrote:
>"Kurt D. Zeilenga" wrote:
>> 
>> Second, in the presence of a client asserted authorization
>> identity, the server may (in addition to the above) rely on
>> this entry to support evaluation of the proxy authorization
>> policy.
>
>  What if the entry (pointed to by the DN supplied on bind) implies wide-ranging access rights that should not be granted based on the authzid or the authentication ID?

What I meant to imply is that the server might rely on
information held in the entry located by the bind DN
in the authentication/authorization process.  For example,
this entry might contain a list of authzIds which the
authentication identity is allowed to assume the
authorization identity of.

>When you say "may", do you mean "MAY" as in RFC 2119?

No, I meant "may" as in "might", that is, to express a
possibility.  Whether or not the specification allows this
possibility is another matter.

>That seems to me to lend itself to an indeterminate and insecure server implementation.

I do believe there are some security considerations which do
need to be noted when the specification is revised.  Feel free
to raise any you might have to LDAPbis anytime.

>Shouldn't there be mandatory behavior in evaluating the authorization policy?

That might be an area in which the IETF might want to consider
doing some work.   Right now, RFC 2222, 2251, 2829, and 2830
leave authorization policy implementation up to servers.

Kurt
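As an added illustration (not code from this thread or from any LDAP server), here is a minimal Python version of the policy evaluation Kurt describes: the entry located by the bind DN carries a list of authzIds the authenticated identity may assume, an asserted authzId not on that list is refused, and an absent authzId means the authorization identity is simply the authentication identity. The attribute name `authzIdAllowed` and the directory contents are constructed for the example; the `dn:` and `u:` authzId forms are the ones defined in RFC 2829.

```python
from typing import Dict, List, Optional, Tuple

# Constructed directory for the example: bind DN -> entry attributes.
# "authzIdAllowed" is a hypothetical attribute holding the authzIds
# this authentication identity is permitted to assume.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=proxy,ou=services,dc=example,dc=com": {
        "authzIdAllowed": ["u:alice", "dn:cn=bob,ou=people,dc=example,dc=com"],
    },
    "cn=plain,ou=people,dc=example,dc=com": {},  # no proxy policy at all
}


def parse_authzid(authzid: str) -> Tuple[str, str]:
    """Split an RFC 2829 authzId into (form, value); form is 'dn' or 'u'.

    Values are lower-cased so that trivially different spellings of the
    same identity compare equal; anything else is rejected outright.
    """
    if authzid.startswith("dn:"):
        return "dn", authzid[3:].strip().lower()
    if authzid.startswith("u:"):
        return "u", authzid[2:].strip().lower()
    raise ValueError(f"unrecognised authzId form: {authzid!r}")


def effective_authz_identity(bind_dn: str, asserted: Optional[str]) -> Optional[str]:
    """Return the authorization identity to use, or None if the bind is refused.

    - Unknown bind DN: refuse.
    - No asserted authzId: authorization identity == authentication identity.
    - Asserted authzId: granted only if it is on the bind entry's allow list.
      An entry with no policy attribute permits nothing (deny by default), so
      the access rights implied by the entry itself never widen the grant.
    """
    entry = DIRECTORY.get(bind_dn)
    if entry is None:
        return None
    if not asserted:
        return "dn:" + bind_dn
    try:
        form, value = parse_authzid(asserted)
        allowed = {parse_authzid(a) for a in entry.get("authzIdAllowed", [])}
    except ValueError:
        return None  # malformed authzId anywhere -> refuse rather than guess
    return f"{form}:{value}" if (form, value) in allowed else None
```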