[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: [ldapext] Chained Operation (control, extended op, or op?)
- To: "Mark Ennis" <mark.ennis@adacel.com>, "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- Subject: RE: [ldapext] Chained Operation (control, extended op, or op?)
- From: "Ramsay, Ron" <Ron.Ramsay@ca.com>
- Date: Fri, 25 Jun 2004 17:54:39 +1000
- Cc: ldapext@ietf.org, Jim Sermersheim <jimse@novell.com>
- Content-class: urn:content-classes:message
- Thread-index: AcRahRBdr/tp4zOlS+a4YU6aB3T+uQAA/ueQ
- Thread-topic: [ldapext] Chained Operation (control, extended op, or op?)
It seems a funny model. The X.500 approach would be to bind to the other DSA at the appropriate authentication level and pass the requester and the auth level in the request. In fact, I don't even understand what is meant by chaining SASL bind exchanges as some of these would be point to point and no third party would/should be able to participate.
-----Original Message-----
From: ldapext-bounces@ietf.org [mailto:ldapext-bounces@ietf.org]On
Behalf Of Mark Ennis
Sent: Friday, 25 June 2004 16:47
To: Kurt D. Zeilenga
Cc: ldapext@ietf.org; Jim Sermersheim
Subject: Re: [ldapext] Chained Operation (control, extended op, or op?)
Kurt D. Zeilenga wrote:
> BTW, I'd like to add support for chaining SASL bind exchanges.
> This will require some fields beyond those offered by the
> X.518 ChainingArguments/ChainingResults structures.
I agree that a mechanism for chaining SASL bind exchanges would be
useful, however, current chaining mechanisms (e.g. X.518 or LDAP
referrals) depend on name resolution of a base object. The bind
operation, particularly when using a SASL mechanism, does not have a
base object for the name resolution process. This would mean special
procedures for "chaining" this operation.
Does this also require formalising some type of trust model between DSAs
if we are going to delegate authentication operations to another server?
Is it possible to translate this SASL bind exchange into a LDAP
operation the initiating DSA invokes, e.g. a search for the SASL
"username" with a control used to transmit the SASL credentials and
receive the SASL auth-response? Such an operation may then be chained by
the responding DSA(s) and authorization decisions will be done using the
initiating DSA as the authorization identity?
- Mark.
>
> Kurt
>
>
> _______________________________________________
> Ldapext mailing list
> Ldapext@ietf.org
> https://www1.ietf.org/mailman/listinfo/ldapext
_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext
_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext