RE: saslAuthz{To|From}

> At 11:20 AM 12/13/2003, Howard Chu wrote:
>>I think adding a mech specifier is a really bad idea.
> Quite likely.

Hold on, what we're talking about is NOT specifying the mech
in the "u:" of, say, a proxyauthz control.  I agree this has
to be related to the mech that was actually used to get to that

What I'm talking about is how to put the mech into the
saslAuthz(To|From) attribute of an entry.  This can be
useful when deciding to authorize identities that are
specified thru the "u:" syntax based on the mech as well.

What I came up with, and currently implemented, is:


If this is acceptable, I'll commit it in a moment.

> Maybe we should just have
>         u:userid[@realm]

then we could do


I guess you mean "literal" square brackets around the realm.
I still favour my solution, but I've nothing against this latter.

> and just imply a mech of "authz" when authzid comes from policy
> information.  Otherwise, the mech associated with the authentication is
> implied.

If no mech is associated to the operation, then use
the "AUTHZ" mech.

I'll commit this in a moment, so you'll have a chance
to see if it is reasonable.


Pierangelo Masarati