On 8/6/08, Emmanuel Lecharny <elecharny@gmail.com> wrote:
Hi guys,

there is something puzzling me with the current SASL implementation we have. SASL can be used to allow a user to authenticate into ADS even if it is not defined and known by ADS. This is done through the EXTERNAL mechanism. That's all good.

But now, my question is: how do we handle the authorization for an externally authenticated user? Currently the ACDFs are evaluated considering that a user is described by a DN, which won't be the case for the EXTERNAL mechanism.

This is not true. According to RFC 2829, the SASL EXTERNAL may be sent with an authzId which must follow the following notation:

authzId    = dnAuthzId / uAuthzId

; distinguished-name-based authz id.
dnAuthzId  = "dn:" dn
dn         = utf8string    ; with syntax defined in RFC 2253

; unspecified userid, UTF-8 encoded.
uAuthzId   = "u:" userid
userid     = utf8string    ; syntax unspecified

My understanding of the RFC is that the user/dn must be known to the DS, but the authentication has been done at a lower layer (during the TLS negotiation, for example). By the way, the RFC states that if there has been no way to perform the authentication at lower levels, then the bind MUST be refused (RFC 2829, Chap. 8).

This extra authz is here in order to use a DN different from the one stored in the client certificate used in the TLS negotiation.

According to the RFC, this mechanism is not quite open and cannot be used for SSO.

Regards

Jeff

I would suggest that we define a virtual partition for such external users, where the user is defined as:
cn=<user external name>, dc=external-user, ou=system. Otherwise, I think we have to modify the whole authz mechanism.

Did I miss something? Thoughts?

PS: NTLM is currently defined as a standard mechanism, but can also be defined as External. There is currently _no_ documentation on the NTLM SASL mechanism available... We will keep the NTLM mechanism as not external atm, even if the authentication is done externally. It may evolve later.

--
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org

--
Melancholy is communist
Everyone is entitled to it now and then
Melancholy is not capitalist
It's even free for the losers
Melancholy is pacifist
Nobody ever lays into it
Melancholy, oh you know, it exists
It's even handled with gloves on
Melancholy is for the trade unionists
You just need your union official's card

Miossec (2006)

http://www.jeffmaury.com
http://riadiscuss.jeffmaury.com
http://www.lastfm.fr/listen/user/jeffmaury/personal
My CDs to get back: http://spreadsheets.google.com/ccc?key=pNeg4Doa_oCsh7CepKPaPTA&hl=en
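The authzId handling discussed in the thread above (the "dn:" / "u:" forms, the refusal when nothing was authenticated at a lower layer, and the requirement that the resulting identity be an entry the directory already knows), written out as an added example; this is not code from the thread or from Apache Directory Server, and the directory entries, the userid mapping, the proxy-rights table and the lower-casing used in place of real RFC 2253 DN normalisation are all constructed assumptions.

```python
# Added example (not code from the thread or from ApacheDS): resolving the
# authorization identity of a SASL EXTERNAL bind along the lines of RFC 2829.
# The directory contents, userid mapping and proxy rights are constructed data.

# Constructed: DNs the directory knows (normalised to lower case; real DN
# matching needs RFC 2253 parsing, which this sample skips).
KNOWN_DNS = {"cn=alice,ou=users,ou=system", "cn=bob,ou=users,ou=system"}
# Constructed: local mapping for the "u:" form (RFC 2829 leaves userid syntax open).
USERID_TO_DN = {"alice": "cn=alice,ou=users,ou=system"}
# Constructed: which certificate identities may assume which other DNs.
PROXY_RIGHTS = {"cn=bob,ou=users,ou=system": {"cn=alice,ou=users,ou=system"}}


def parse_authz_id(authz_id):
    """Split an authzId into ('dn', dn) or ('u', userid).

    Grammar (RFC 2829 section 9): authzId = "dn:" dn / "u:" userid.
    Anything else is malformed and rejected.
    """
    if authz_id.startswith("dn:"):
        return "dn", authz_id[3:]
    if authz_id.startswith("u:"):
        return "u", authz_id[2:]
    raise ValueError("malformed authzId: %r" % authz_id)


def resolve_external_bind(tls_identity, authz_id=""):
    """Return the DN an EXTERNAL bind is authorized as, or raise PermissionError.

    tls_identity: DN authenticated at the lower layer (TLS client certificate),
    or None when the lower layer authenticated nothing.
    """
    # Nothing was authenticated below SASL, so EXTERNAL has nothing to rely on.
    if tls_identity is None:
        raise PermissionError("EXTERNAL bind without lower-layer authentication")
    authn = tls_identity.lower()
    # Without an authzId the authenticated identity is the authorization identity.
    if not authz_id:
        target = authn
    else:
        form, value = parse_authz_id(authz_id)
        target = value.lower() if form == "dn" else USERID_TO_DN.get(value)
    # EXTERNAL does not create users: the target must already be an entry.
    if target is None or target not in KNOWN_DNS:
        raise PermissionError("unknown authorization identity: %r" % (authz_id or tls_identity))
    # A different DN is allowed only where local policy grants proxy rights.
    if target != authn and target not in PROXY_RIGHTS.get(authn, set()):
        raise PermissionError("%r may not act as %r" % (tls_identity, target))
    return target
```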