
Re: SASL/EXTERNAL (TLS)
"Kurt D. Zeilenga" wrote:
> 
> The authentication identity can be in any form.

The identity has to be unique?

>  I rather the
> form be as "natural" as possible.  That is, if the authentication
> identity is derived from an X.509 certificate, the identity
> should be "natural" (e.g. X.500) form.

I would not even speak of an X.500 form when using a cert DN since
most CAs issue certs without caring about directory structure at
all. E.g. look at my freemail cert DN issued by Thawte:

/S=Stroeder/G=Michael/CN=Michael Stroeder/Email=michael@stroeder.com

Just use the cert DN as an unstructured but unique identifier,
regardless of its having been meant as an X.500 name in former days.
Note: the cert DN only has to be unique within the name-space of a
CA. Two different CAs can issue different certs with the same DN.

Ciao, Michael.
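The caveat at the end of the message (a subject DN is only unique within one CA's name-space) is the kind of thing an implementer of SASL/EXTERNAL mapping gets wrong. The following is an added example, not code from the thread or from any OpenLDAP/SASL component: it parses DNs written in OpenSSL's one-line "/X=y/Z=w" form (the format of the Thawte DN quoted above), normalizes them to RFC 4514 string form, and keys the authentication identity on the (issuer DN, subject DN) pair so that identical subject DNs from different CAs stay distinct. The issuer DNs and the second certificate are constructed for illustration; scoping by issuer is my suggestion, not something the thread prescribes.

```python
"""Scope a certificate-derived SASL/EXTERNAL identity by its issuing CA.

Added example. Only the first subject DN below is taken from the thread;
every issuer DN and the second certificate are constructed sample data.
"""

from typing import Dict, List, Set, Tuple

# Characters RFC 4514 requires escaping inside an attribute value.
_SPECIAL = ',+"\\<>;'


def parse_openssl_dn(dn: str) -> List[Tuple[str, str]]:
    """Parse "/S=Stroeder/G=Michael/CN=..." into [(type, value), ...].

    The one-line format separates RDNs with "/" and has no escaping of
    its own, so a plain split matches what the format can express.
    Attribute types are upper-cased but otherwise left as printed, since
    short names like "S" are not unambiguous across tools.
    """
    if not dn.startswith("/"):
        raise ValueError("expected an OpenSSL one-line DN starting with '/'")
    rdns: List[Tuple[str, str]] = []
    for part in dn[1:].split("/"):
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def _escape_value(value: str) -> str:
    """Escape a value per RFC 4514 (specials, leading '#'/space, trailing space)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def to_rfc4514(rdns: List[Tuple[str, str]]) -> str:
    """Render RDNs in RFC 4514 string form.

    OpenSSL's one-line output is in ASN.1 (root-first) order; RFC 4514
    prints the most specific RDN first, hence the reversal.
    """
    return ",".join(f"{t}={_escape_value(v)}" for t, v in reversed(rdns))


def identity_key(subject_dn: str, issuer_dn: str) -> Tuple[str, str]:
    """The authentication identity as (issuer, subject), both normalized.

    Keying on the pair, not the subject alone, is what keeps two CAs'
    certificates with the same subject DN from mapping to one identity.
    """
    return (to_rfc4514(parse_openssl_dn(issuer_dn)),
            to_rfc4514(parse_openssl_dn(subject_dn)))


def find_subject_collisions(certs: List[Tuple[str, str]]) -> List[str]:
    """Return subject DNs (normalized) that were issued by more than one CA.

    Input is a list of (subject_dn, issuer_dn) pairs in OpenSSL one-line form.
    """
    issuers_by_subject: Dict[str, Set[str]] = {}
    for subject_dn, issuer_dn in certs:
        issuer, subject = identity_key(subject_dn, issuer_dn)
        issuers_by_subject.setdefault(subject, set()).add(issuer)
    return sorted(s for s, issuers in issuers_by_subject.items() if len(issuers) > 1)


# Constructed sample: the same subject DN issued by two different CAs.
SAMPLE_CERTS: List[Tuple[str, str]] = [
    ("/S=Stroeder/G=Michael/CN=Michael Stroeder/Email=michael@stroeder.com",
     "/C=XX/O=Example CA One/CN=Example CA One Freemail CA"),      # constructed issuer
    ("/S=Stroeder/G=Michael/CN=Michael Stroeder/Email=michael@stroeder.com",
     "/C=XX/O=Example CA Two/CN=Example CA Two Personal CA"),      # constructed issuer
]


if __name__ == "__main__":
    for subject_dn, issuer_dn in SAMPLE_CERTS:
        print(identity_key(subject_dn, issuer_dn))
    print("subject DNs seen under more than one CA:", find_subject_collisions(SAMPLE_CERTS))
```

Whatever string form the server finally uses for the authorization identity, the lookup into the user database should be keyed on both halves of `identity_key`; a mapping keyed on the subject DN alone silently merges the two sample certificates into one account.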