There is something puzzling me with the current SASL implementation we have. SASL can be used to allow a user to authenticate into ADS even if it is not defined and known by ADS. This is done through the EXTERNAL mechanism. That's all good.
But now, my question is: how do we handle the authorization for an externally authenticated user? Currently the ACDFs are evaluated considering that a user is described by a DN, which won't be the case for the EXTERNAL mechanism.
authzId = dnAuthzId / uAuthzId
; distinguished-name-based authz id.
dnAuthzId = "dn:" dn
dn = utf8string ; with syntax defined in RFC 2253
; unspecified userid, UTF-8 encoded.
uAuthzId = "u:" userid
userid = utf8string ; syntax unspecified
My understanding of the RFC is that the user/dn must be known to the DS, but the authentication has been done at a lower layer (during the TLS negotiation for example). By the way, the RFC states that if there has been no way to perform the authentication at lower levels, then the bind MUST be refused (RFC2829 Chap 8).
This extra authz is here in order to use a DN different from the one stored in the client certificate used in the TLS nego.
According to the RFC, this mechanism is not quite open and cannot be used for SSO.
I would suggest that we define a virtual partition for such external users, where the user is defined as:
cn=<user external name>, dc=external-user, ou=system
Otherwise, I think we have to modify the whole authz mechanism.
Did I miss something? Thoughts?
PS: NTLM is currently defined as a standard mechanism, but can also be defined as External. There is currently _no_ documentation on the NTLM SASL mechanism available... We will keep the NTLM mechanism as not external atm, even if the authentication is done externally. It may evolve later.
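To make the authzId handling concrete, here is an added example (not code from the post or from ADS) that resolves a SASL authzId of either form from the grammar above into the DN an access-control check would evaluate. The "dn:" form is required to name an entry the server already knows, while the "u:" form is mapped into the virtual partition proposed above. The base DN cn=<userid>,dc=external-user,ou=system, the function names and the set of known DNs are assumptions constructed for the example. The one point worth noticing is that a userid has unspecified syntax and must be escaped as an RFC 2253 attribute value before it is spliced into a DN; otherwise a userid containing a comma would introduce an extra RDN and change which entry the ACDFs are evaluated against.

```python
"""Resolve a SASL authzId ("dn:" or "u:" form, RFC 2829 section 9 grammar)
to the DN used for access-control evaluation.

Constructed example: the "u:" form is mapped into a hypothetical virtual
partition for externally authenticated users.  The base DN, the function
names and the set of known entries below are assumptions, not ADS code.
"""

# Assumed location of the virtual partition for externally authenticated users.
EXTERNAL_USER_BASE = "dc=external-user,ou=system"

# Constructed set of entries the directory is assumed to know (case-insensitive).
KNOWN_DNS = {
    "uid=alice,ou=people,dc=example,dc=com",
    "uid=bob,ou=people,dc=example,dc=com",
}

# Characters that RFC 2253 section 2.4 requires escaping inside an attribute value.
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use in an RFC 2253 string DN.

    A userid is opaque data: without escaping, 'bob,ou=admins' would become
    two RDNs instead of one cn value.
    """
    if not value:
        raise ValueError("empty attribute value")
    chars = [("\\" + ch) if ch in _SPECIAL else ch for ch in value]
    # A leading '#' or space and a trailing space must also be escaped.
    if chars[0] in ("#", " "):
        chars[0] = "\\" + chars[0]
    if len(chars) > 1 and chars[-1] == " ":
        chars[-1] = "\\ "
    return "".join(chars)


def resolve_authz_id(authz_id: str, known_dns: set = KNOWN_DNS) -> str:
    """Map an authzId string to the DN the ACDFs will be evaluated against.

    dn: form  -> the DN itself, which must already be known to the server.
    u:  form  -> cn=<escaped userid>,<EXTERNAL_USER_BASE> (virtual partition).
    Anything else is rejected.
    """
    if authz_id.startswith("dn:"):
        dn = authz_id[len("dn:"):]
        # Minimal syntactic check: the first RDN must be attr=value.
        first_rdn = dn.split(",", 1)[0]
        if "=" not in first_rdn or first_rdn.startswith("="):
            raise ValueError("malformed dn authzId")
        if dn.lower() not in {k.lower() for k in known_dns}:
            raise LookupError("dn authzId names an entry unknown to the server")
        return dn
    if authz_id.startswith("u:"):
        userid = authz_id[len("u:"):]
        return f"cn={escape_rdn_value(userid)},{EXTERNAL_USER_BASE}"
    raise ValueError("authzId must start with 'dn:' or 'u:'")


if __name__ == "__main__":
    for sample in ("u:alice", "u:bob,ou=admins", "dn:uid=alice,ou=people,dc=example,dc=com"):
        print(f"{sample!r:45} -> {resolve_authz_id(sample)}")
```

Running the module prints the resolved DN for each constructed sample; note how the comma in the second userid stays inside the cn value instead of producing a second RDN.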