
RE: LDAPS (LDAP over SSL) client authentication



> There are some relevant Internet Drafts:
> <draft-ietf-ldapext-ldapv3-tls-02.txt> section 6
> <draft-ietf-ldapext-authmeth-02.txt>
> I tried to conform to these (actually previous versions of them),
> when implementing LDAPS for Netscape.

A problem I noticed is that SASL plugins don't get called if an empty
authorization identity is specified in the BindRequest. The plugin should
still be called, and attempt to derive the authorization identity from the
authentication identity (per the SASL spec). For example, with Kerberos, one
could search the namingContexts for entries with the krbName attribute
matching the authentication identity, and then use the DN of that entry as
the authorization identity.



-- Luke
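The Kerberos mapping Luke describes, written out as an added example (it is not code from the original message, and not Netscape's or any SASL plugin's implementation). The LDAP search over the namingContexts is replaced by a lookup in a small constructed in-memory directory; the entry DNs, krbName values and helper names are assumptions made for illustration. Beyond the message, it also shows why the mapping must fail closed when zero or more than one entry carries the matching krbName: silently picking one would let a directory entry with a duplicated principal name hijack another user's authorization identity.

```python
"""Added example: derive a SASL authorization identity from the
authentication identity when the BindRequest carries an empty authzid,
as suggested for Kerberos in the message above.

The directory below is a constructed in-memory stand-in for an LDAP
search over the server's namingContexts. DNs, attribute values and
function names are assumptions made for illustration.
"""

from typing import Dict, List, Tuple

# Constructed sample directory: (DN, attributes). krbName is the attribute
# the message proposes to match against the Kerberos authentication identity.
SAMPLE_DIRECTORY: List[Tuple[str, Dict[str, List[str]]]] = [
    ("uid=alice,ou=people,dc=example,dc=com",
     {"uid": ["alice"], "krbName": ["alice@EXAMPLE.COM"]}),
    ("uid=bob,ou=people,dc=example,dc=com",
     {"uid": ["bob"], "krbName": ["bob@EXAMPLE.COM"]}),
    # Two entries claiming the same principal: the mapping must refuse this
    # rather than guess which one the authenticated user "is".
    ("uid=carol,ou=people,dc=example,dc=com",
     {"uid": ["carol"], "krbName": ["dup@EXAMPLE.COM"]}),
    ("uid=carol2,ou=staff,dc=example,dc=com",
     {"uid": ["carol2"], "krbName": ["dup@EXAMPLE.COM"]}),
]


class AuthzMappingError(Exception):
    """Raised when no unambiguous authorization identity can be derived."""


def search_by_krbname(principal: str, directory=SAMPLE_DIRECTORY) -> List[str]:
    """Stand-in for an LDAP search (krbName=<principal>) across naming contexts.

    Returns the DNs of all matching entries. The comparison is exact and
    case-sensitive, which is what Kerberos principal names (realm included)
    require; a case-insensitive match could conflate distinct principals.
    """
    return [dn for dn, attrs in directory
            if principal in attrs.get("krbName", [])]


def derive_authzid(authnid: str, authzid: str, directory=SAMPLE_DIRECTORY) -> str:
    """Return the authorization identity (a DN) for a SASL bind.

    A non-empty client-supplied authzid is returned unchanged here; the
    server's proxy-authorization policy would still have to approve it.
    An empty authzid is derived from the authenticated Kerberos principal
    by looking up the single entry whose krbName matches. Zero or multiple
    matches are rejected instead of guessed.
    """
    if authzid:
        return authzid
    if not authnid:
        raise AuthzMappingError("no authentication identity to derive from")
    matches = search_by_krbname(authnid, directory)
    if len(matches) != 1:
        raise AuthzMappingError(
            f"{len(matches)} entries match krbName={authnid}; need exactly one")
    return matches[0]


if __name__ == "__main__":
    print(derive_authzid("alice@EXAMPLE.COM", ""))
    try:
        derive_authzid("dup@EXAMPLE.COM", "")
    except AuthzMappingError as exc:
        print("rejected:", exc)
```

The bind handler would call `derive_authzid` after the SASL mechanism has established the authentication identity, and refuse the bind (rather than fall back to anonymous) when it raises, so a missing or duplicated krbName shows up as a failed bind in the server log instead of a silently wrong identity.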