
RE: saslAuthz{To|From}



> At 11:20 AM 12/13/2003, Howard Chu wrote:
>>I think adding a mech specifier is a really bad idea.
>
> Quite likely.

Hold on, what we're talking about is NOT specifying the mech
in the "u:" of, say, a proxyauthz control.  I agree this has
to be related to the mech that was actually used to get to that
point.

What I'm talking about is how to put the mech into the
saslAuthz(To|From) attribute of an entry.  This can be
useful when deciding to authorize identities that are
specified thru the "u:" syntax based on the mech as well.

What I came up with, and currently implemented, is:

u[.<realm>][;<mech>]:<user>

If this is acceptable, I'll commit it in a moment.

>
> Maybe we should just have
>         u:userid[@realm]

then we could do

u[.<mech>]:<user>["["<realm>"]"]

I guess you mean "literal" square brackets around the realm.
I still favour my solution, but I've nothing against this latter.

>
> and just imply a mech of "authz" when authzid comes from policy
> information.  Otherwise, the mech associated with the authentication is
> implied.

If no mech is associated with the operation, then use
the "AUTHZ" mech.

I'll commit this in a moment, so you'll have a chance
to see if it is reasonable.

Ando.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
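
A parser for the u[.<realm>][;<mech>]:<user> form proposed in the message above, added here as an example; it is not the code committed to OpenLDAP. The struct, the function names and the field size limits are assumptions, and the sample value is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Parsed u[.<realm>][;<mech>]:<user> value; struct and names are hypothetical. */
struct authz_id {
    char realm[64];  /* empty when no ".<realm>" part */
    char mech[32];   /* empty when no ";<mech>" part */
    char user[128];
};

/* Copy [s, e) into dst; reject empty or oversized fields. */
static int copy_field(char *dst, size_t cap, const char *s, const char *e)
{
    size_t n = (size_t)(e - s);
    if (n == 0 || n >= cap) return -1;
    memcpy(dst, s, n);
    dst[n] = '\0';
    return 0;
}

/* Returns 0 on success, -1 on malformed input. */
int parse_authz_id(const char *in, struct authz_id *out)
{
    const char *colon, *semi, *p;
    memset(out, 0, sizeof(*out));
    if (in == NULL || in[0] != 'u') return -1;
    /* The first ':' ends the prefix; '.', ';' and ':' after it belong to the user. */
    if ((colon = strchr(in, ':')) == NULL) return -1;
    p = in + 1;
    semi = memchr(p, ';', (size_t)(colon - p));  /* search the prefix only */
    if (*p == '.') {  /* realm runs to ';' or ':' and may itself contain dots */
        const char *end = semi ? semi : colon;
        if (copy_field(out->realm, sizeof(out->realm), p + 1, end) < 0) return -1;
        p = end;
    }
    if (*p == ';') {
        if (copy_field(out->mech, sizeof(out->mech), p + 1, colon) < 0) return -1;
        p = colon;
    }
    if (p != colon) return -1;  /* stray characters between 'u' and ':' */
    return copy_field(out->user, sizeof(out->user), colon + 1, colon + 1 + strlen(colon + 1));
}

int main(void)
{
    struct authz_id id;  /* constructed sample value below */
    if (parse_authz_id("u.example.com;DIGEST-MD5:ando", &id) == 0)
        printf("realm=%s mech=%s user=%s\n", id.realm, id.mech, id.user);
    return 0;
}
```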