
Re: Authentication & Login sessions



David Nugent wrote:
> ...
> The primary problem is authentication. All processes are owned by a user,
> as is the usual model in UNIX. Since authentication comes from the
> directory, login sessions can therefore be tied to the specific object
> against which the user was authenticated. The problem is, during that
> session, the user will be accessing the directory (albeit hidden under the
> libc API bonnet), and since we don't want to make the directory world
> readable, the user requires *authenticated* access to the directory until
> the login session terminates. However, I doubt whether reserving a tcp
> connection for the life of each session is desirable, so a connectionless
> protocol, or at least a pre-authenticated tcp network connection is
> needed.

If one TCP/IP connection per UNIX client machine is an acceptable
alternative, you might consider implementing the proxy authentication
feature that is described in this Internet Draft:

   http://www.ietf.org/internet-drafts/draft-weltman-ldapv3-proxy-04.txt

The idea would be to maintain one connection per machine but use the
proxy authorization feature to impersonate different users.

-- 
Mark Smith
Directory Product Development / iPlanet E-Commerce Solutions
My words are my own, not my employer's.            Got LDAP?
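As an added example, not code from this thread or from the cited draft, here is a small Python encoder and decoder for the LDAPv3 Proxied Authorization control that Mark points to: the connection stays bound as the client machine, and each request carries a control naming the real user. The OID and authzId syntax follow RFC 4370, the published successor of draft-weltman-ldapv3-proxy (the draft revision cited above may differ in detail); the DN and user names are constructed.

```python
# Added example (not from the mailing-list thread). OID and authzId forms are
# those of RFC 4370; assumption: the draft cited in the thread may differ.
PROXY_AUTHZ_OID = "2.16.840.1.113730.3.4.18"

def ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload

def proxied_authz_control(authz_id: str, critical: bool = True) -> bytes:
    """Control ::= SEQUENCE { controlType LDAPOID, criticality BOOLEAN,
    controlValue OCTET STRING }.  authz_id is 'dn:<DN>' or 'u:<userid>'."""
    return tlv(0x30, tlv(0x04, PROXY_AUTHZ_OID.encode("ascii"))
                     + tlv(0x01, b"\xff" if critical else b"\x00")
                     + tlv(0x04, authz_id.encode("utf-8")))

def read_tlv(buf: bytes, pos: int):
    """Return (tag, contents, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_control(data: bytes) -> dict:
    """Decode a Control and enforce the rule that keeps proxying safe: the
    control MUST be critical, so a server that does not implement it refuses
    the request instead of running it as the machine account that bound."""
    tag, body, _ = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("Control must be a SEQUENCE")
    tag, oid, pos = read_tlv(body, 0)
    critical = False
    tag, val, pos = read_tlv(body, pos)
    if tag == 0x01:                        # optional criticality BOOLEAN
        critical = val != b"\x00"
        tag, val, pos = read_tlv(body, pos)
    authz_id = val.decode("utf-8")
    if oid.decode("ascii") == PROXY_AUTHZ_OID:
        if not critical:
            raise ValueError("proxied authorization control must be critical")
        if authz_id and not authz_id.startswith(("dn:", "u:")):
            raise ValueError("authzId must be 'dn:...' or 'u:...'")
    return {"oid": oid.decode("ascii"), "critical": critical, "authz_id": authz_id}
```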