directory-dev mailing list archives

From Emmanuel Lecharny <elecha...@gmail.com>
Subject [SASL][external authent] How do we manage authz for an externally authenticated user ?
Date Wed, 06 Aug 2008 08:20:04 GMT
Hi guys,

there is something puzzling me with the current SASL implementation we 
have. SASL can be used to allow a user to authenticate into ADS even if 
it is not defined and known by ADS. This is done through the EXTERNAL 
mechanism. That's all good.

But now, my question is: how do we handle the authorization for an 
externally authenticated user? Currently the ACDFs are evaluated 
considering that a user is described by a DN, which won't be the case 
for the EXTERNAL mechanism.

I would suggest that we define a virtual partition for such external 
users, where the user is defined as:
 cn=<user external name>, dc=external-user, ou=system
Otherwise, I think we have to modify the whole authz mechanism.

Did I miss something? Thoughts?

PS: NTLM is currently defined as a standard mechanism, but can also be 
defined as External. There is currently _no_ documentation on the NTLM 
SASL mechanism available... We will keep the NTLM mechanism as not 
external atm, even if the authentication is done externally. It may 
evolve later.

-- 
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org
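The virtual-partition mapping proposed in the message, as an added example (Python, not ADS code): it builds the synthetic DN with RFC 4514 escaping of the external name, since a certificate subject passed through EXTERNAL can itself contain commas, and then checks that the result sits exactly one RDN below the proposed base. The base DN is the one from the message; the function names are my own.

```python
# Added example, not ADS code: map an EXTERNAL-authenticated identity onto a
# synthetic DN under the virtual partition proposed in the message, so the
# existing DN-based ACDF evaluation has a subject it can reason about.

# Base proposed in the message; the external name becomes the cn RDN value.
EXTERNAL_BASE = "dc=external-user,ou=system"

# RFC 4514, section 2.4: characters that must be escaped inside an RDN value.
_SPECIAL = set(',+"\\<>;')

def escape_rdn_value(value: str) -> str:
    """Escape a string so it can be embedded as an RDN attribute value."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)

def external_user_dn(external_name: str) -> str:
    """Build the virtual-partition DN for an externally authenticated name."""
    if not external_name:
        raise ValueError("external name must not be empty")
    return f"cn={escape_rdn_value(external_name)},{EXTERNAL_BASE}"

def split_rdns(dn: str) -> list:
    """Split a DN on unescaped commas (multi-valued '+' RDNs not handled)."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur))
    return rdns

def is_external_user(dn: str) -> bool:
    """True only for a DN sitting exactly one cn RDN below EXTERNAL_BASE."""
    parts = split_rdns(dn)
    return parts[0].startswith("cn=") and parts[1:] == split_rdns(EXTERNAL_BASE)
```

Without the escaping step a name such as "CN=Alice Doe, O=Example" would join into a DN with an extra RDN, and is_external_user would reject it.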