[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: LDAPS (LDAP over SSL) client authentication

> There are some relevant Internet Drafts:
> <draft-ietf-ldapext-ldapv3-tls-02.txt> section 6
> <draft-ietf-ldapext-authmeth-02.txt>
> I tried to conform to these (actually previous versions of them),
> when implementing LDAPS for Netscape.

A problem I noticed is that SASL plugins don't get called if an empty
authorization identity is specified in the BindRequest. The plugin should
still be called, and attempt to derive the authorization identity from the
authentication identity (per the SASL spec). For example, with Kerberos, one
could search the namingcontexts for entries with the krbName attribute
matching the authentication identity, and then use the DN of that entry as
the authorization identity.

-- Luke