[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: saslAuthz{To|From}

At 01:52 PM 12/13/2003, Pierangelo Masarati wrote:
>this assumes the user cannot contain ':' and the mech
>cannot contain '/'; if this is not true, then we need
>to escape these chars in the respective parts.

Userid can contain ':' and realms can contain '/'.

>> At present, I think it would be better to simply ignore realms.
>> Except for mechanisms like GSSAPI (which they are part of the
>> principal name), realms should be viewed as just causing a
>> database switch during authentication.  For DIGEST-MD5, we
>> can simply declare "userid@example@REALM1" and "userid@REALM2" to
>> referring to the same identity, but different secret stores.
>Agree.  But as you can see in ITS#2871, someone is using them
>to differentiate user DNs...

Yes, that's one use.  But the only way to make this work is
to break it OR to place restrictions on userids/realms.
I think it is far more common to use @ in userids than it
is to use realms to distinguish userids.... especially
when you consider that most password mechanisms don't have
any realm concepts, but do allow @ in userids.  E.g.,
PLAIN and CRAM-MD5.  We should fix it for them, and then
force DIGEST-MD5 to follow.

>>>> and just imply a mech of "authz" when authzid comes from policy
>>>> information.  Otherwise, the mech associated with the authentication
>>>> is implied.
>>>If no mech is associated to the operation, then use
>>>the "AUTHZ" mech.
>> No, if no mech is associated with the operation, the asserted
>> u:foo has same mech as the authentication exchange.
>What I meant is if there is no mech associated to the
>authentication exchange.

(I was treating SIMPLE as a mechanism)

>Currently (after Howard's latest commit) there is always
>a mech, the bottom line is "SIMPLE", so this is now a moot
>> But the u:foo in the policy information (the directory) is
>> treated as having mech "AUTHZ".
>I'm not sure I understand this.

In mapping of u:id found in to/from policy information held
in the directory, use the pseudo mechanism "AUTHZ".  The
mapping regexes can then control whether:

map to the same DN or to different DNs as desired.