directory-dev mailing list archives

From Emmanuel Lecharny <>
Subject [SASL][external authent] How do we manage authz for an externally authenticated user ?
Date Wed, 06 Aug 2008 08:20:04 GMT
Hi guys,

there is something puzzling me with the current SASL implementation we 
have. SASL can be used to allow a user to authenticate into ADS even if 
it is not defined and known by ADS. This is done through the EXTERNAL 
mechanism. That's all good.

But now, my question is: how do we handle the authorization for an 
externally authenticated user? Currently the ACDFs are evaluated 
considering that a user is described by a DN, which won't be the case 
for the EXTERNAL mechanism.

I would suggest that we define a virtual partition for such external 
users, where the user is defined as:
  cn=<user external name>, dc=external-user, ou=system
Otherwise, I think we have to modify the whole authz mechanism.

Did I miss something? Thoughts?

PS: NTLM is currently defined as a standard mechanism, but can also be 
defined as External. There is currently _no_ documentation on the NTLM 
SASL mechanism available... We will keep the NTLM mechanism as not 
external atm, even if the authentication is done externally. It may 
evolve later.

cordialement, regards,
Emmanuel Lécharny
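To make the proposal above concrete, here is an added example (not ApacheDS code, and not part of the original message) of how an externally authenticated principal could be mapped onto a synthetic DN under the proposed dc=external-user,ou=system partition and then fed to a DN-based access check. The external name is treated as an opaque string (a TLS client-certificate subject, a Kerberos or NTLM principal) and is escaped per RFC 4514 before being embedded in the DN, so a name containing commas or other DN metacharacters cannot change the shape of the subject DN. The ACDF itself is a toy first-match, default-deny rule table, and the target ou=public,dc=example,dc=com is an assumed example suffix; the real ACI engine is not modelled here.

```python
"""Added example: map a SASL EXTERNAL principal to a virtual-partition DN
and evaluate a toy, DN-based access decision against it.

Assumptions (not from the original message): external names are opaque
strings; the virtual partition base is dc=external-user,ou=system; the
rule table and the ou=public,dc=example,dc=com target are made up.
"""

VIRTUAL_BASE = "dc=external-user,ou=system"

# Characters RFC 4514 section 2.4 requires to be backslash-escaped when an
# attribute value is rendered inside a DN string.
_SPECIALS = set('"+,;<>\\')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use in a DN string (RFC 4514)."""
    if value == "":
        raise ValueError("empty external name")
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIALS:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")          # leading/trailing space
        elif ch == "#" and i == 0:
            out.append("\\#")          # leading '#'
        else:
            out.append(ch)
    return "".join(out)


def external_to_virtual_dn(external_name: str) -> str:
    """cn=<escaped external name>,dc=external-user,ou=system"""
    return f"cn={escape_rdn_value(external_name)},{VIRTUAL_BASE}"


def split_dn(dn: str) -> list:
    """Split a DN string into its RDN strings, honouring backslash escapes."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])    # keep escape pair, do not split on it
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    return rdns


def is_under(dn: str, base: str) -> bool:
    """True if dn equals base or lies in the subtree rooted at base.
    Comparison is case-insensitive on the raw RDN strings only; no
    full attribute-value normalisation is attempted."""
    d, b = split_dn(dn), split_dn(base)
    if len(d) < len(b):
        return False
    return [x.lower() for x in d[-len(b):]] == [x.lower() for x in b]


# Toy ACDF: (subject subtree, target subtree, allowed), first match wins,
# default deny. Hypothetical rules for illustration only.
RULES = [
    (VIRTUAL_BASE, "ou=public,dc=example,dc=com", True),
    (VIRTUAL_BASE, "ou=system", False),
]


def authorize(subject_dn: str, target_dn: str, rules=RULES) -> bool:
    for subj_base, tgt_base, allowed in rules:
        if is_under(subject_dn, subj_base) and is_under(target_dn, tgt_base):
            return allowed
    return False


if __name__ == "__main__":
    # Constructed sample principals, including one full of DN metacharacters.
    for name in ("CN=alice,O=Example", " mallory", "bob+uid=admin"):
        dn = external_to_virtual_dn(name)
        print(dn, split_dn(dn), authorize(dn, "ou=public,dc=example,dc=com"))
```

Note that every mapped DN has exactly one RDN below the virtual base, however hostile the external name, which is what lets a subtree-based ACI for dc=external-user,ou=system cover all external users without special cases.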
