
Re: [ldapext] Chained Operation (control, extended op, or op?)



Kurt D. Zeilenga wrote:
BTW, I'd like to add support for chaining SASL bind exchanges.
This will require some fields beyond those offered by the
X.518 ChainingArguments/ChainingResults structures.

I agree that a mechanism for chaining SASL bind exchanges would be useful; however, current chaining mechanisms (e.g. X.518 or LDAP referrals) depend on name resolution of a base object. The bind operation, particularly when using a SASL mechanism, does not have a base object for the name resolution process. This would mean special procedures for "chaining" this operation.


Does this also require formalising some type of trust model between DSAs if we are going to delegate authentication operations to another server?

Is it possible to translate this SASL bind exchange into an LDAP operation that the initiating DSA invokes, e.g. a search for the SASL "username" with a control used to transmit the SASL credentials and receive the SASL auth-response? Such an operation may then be chained by the responding DSA(s), and authorization decisions will be done using the initiating DSA as the authorization identity?

- Mark.





_______________________________________________ Ldapext mailing list Ldapext@ietf.org https://www1.ietf.org/mailman/listinfo/ldapext