From "Jeff MAURY" <>
Subject Re: [SASL][external authent] How do we manage authz for an externally authenticated user ?
Date Wed, 06 Aug 2008 12:15:53 GMT
On 8/6/08, Emmanuel Lecharny <> wrote:
> Hi guys,
> there is something puzzling me with the current SASL implementation we
> have. SASL can be used to allow a user to authenticate into ADS even if it
> is not defined and known by ADS. This is done through the EXTERNAL
> mechanism. That's all good.
> But now, my question is: how do we handle the authorization for an
> externally authenticated user? Currently the ACDFs are evaluated
> considering that a user is described by a DN, which won't be the case for
> the EXTERNAL mechanism.

This is not true. According to RFC2829, the SASL EXTERNAL may be sent with
an authzId which must follow the following notation:

authzId    = dnAuthzId / uAuthzId

; distinguished-name-based authz id.
dnAuthzId  = "dn:" dn
dn         = utf8string    ; with syntax defined in RFC 2253

; unspecified userid, UTF-8 encoded.
uAuthzId   = "u:" userid
userid     = utf8string    ; syntax unspecified

My understanding of the RFC is that the user/dn must be known to the DS, but
the authentication has been done at a lower layer (during the TLS
negotiation for example). By the way, the RFC states that if there has been
no way to perform the authentication at lower levels, then the bind MUST be
refused (RFC2829 Chap 8).

This extra authz is here in order to use a DN different from the one stored
in the client certificate used in the TLS negotiation.

According to the RFC, this mechanism is not quite open and cannot be used for

> I would suggest that we define a virtual partition for such external users,
> where the user is defined as:
> cn=<user external name>, dc=external-user, ou=system, otherwise, I think we
> have to modify the whole authz mechanism.
> Did I miss something? Thoughts?
> PS: NTLM is currently defined as a standard mechanism, but can also be
> defined as External. There is currently _no_ documentation on the NTLM SASL
> mechanism available... We will keep the NTLM mechanism as not external atm,
> even if the authentication is done externally. It may evolve later.
> --
> --
> cordialement, regards,
> Emmanuel Lécharny

Melancholy is communist
Everyone is entitled to it from time to time
Melancholy is not capitalist
It is even free for the losers
Melancholy is pacifist
Nobody ever picks a fight with it
Melancholy, oh you know, it exists
It is even handled with gloves on
Melancholy is for trade unionists
You just need your full-time official's card

Miossec (2006)
My CDs to get back:
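Added example, not code from this thread or from ApacheDS: a small resolver that parses an authzId according to the RFC 2829 grammar quoted above and applies the two rules Jeff points to, that the bind is refused when no lower-layer authentication took place and that the resulting identity must be one the DS knows. The directory contents, user names and the userid-to-DN table are constructed sample data.

```python
"""Added example (not from the thread or ApacheDS): parse an RFC 2829 SASL
EXTERNAL authzId and pick the DN that access-control checks run against.
Directory contents below are constructed sample data."""
from typing import Optional


def normalize_dn(dn: str) -> str:
    # Simplified: case and whitespace around commas only; a real comparison
    # must follow the RFC 2253 escaping rules.
    return ",".join(part.strip() for part in dn.split(",")).lower()


# Constructed: DNs the DS knows, and the "u:" userid -> DN mapping it keeps.
KNOWN_DNS = {normalize_dn(d) for d in (
    "cn=alice,ou=users,dc=example,dc=com",
    "cn=bob,ou=users,dc=example,dc=com",
)}
USERID_TO_DN = {"alice": "cn=alice,ou=users,dc=example,dc=com"}


def parse_authz_id(authz_id: str) -> tuple[str, str]:
    """Return ("dn", dn) or ("u", userid); anything else violates the ABNF."""
    for prefix in ("dn:", "u:"):          # ABNF literals are case-insensitive
        if authz_id[:len(prefix)].lower() == prefix and len(authz_id) > len(prefix):
            return prefix[:-1], authz_id[len(prefix):]
    raise ValueError(f"malformed authzId: {authz_id!r}")


def resolve_bind_dn(tls_subject: Optional[str], authz_id: str = "") -> str:
    """DN an EXTERNAL bind authorizes as. tls_subject is the client-certificate
    subject authenticated at the lower layer, or None if there was none."""
    if tls_subject is None:
        # RFC 2829 chap 8: no lower-layer authentication, so refuse the bind.
        raise PermissionError("EXTERNAL bind refused: no lower-layer identity")
    if not authz_id:
        candidate = tls_subject          # no authzId: act as the cert subject
    else:
        kind, value = parse_authz_id(authz_id)
        candidate = value if kind == "dn" else USERID_TO_DN.get(value)
        if candidate is None:
            raise PermissionError(f"unknown userid {value!r}")
    dn = normalize_dn(candidate)
    if dn not in KNOWN_DNS:              # the user must be known to the DS
        raise PermissionError(f"unknown DN {candidate!r}")
    return dn
```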
