Hi guys,
there is something puzzling me with the current SASL implementation we
have. SASL can be used to allow a user to authenticate into ADS even if
that user is not defined in, or known to, ADS. This is done through the
EXTERNAL mechanism. That's all good.
But now, my question is: how do we handle the authorization for an
externally authenticated user? Currently, the ACDFs are evaluated
considering that a user is described by a DN, which won't be the case
for the EXTERNAL mechanism.
I would suggest that we define a virtual partition for such external
users, where the user is defined as:
cn=<user external name>, dc=external-user, ou=system
Otherwise, I think we have to modify the whole authz mechanism.
Did I miss something? Thoughts?
PS: NTLM is currently defined as a standard mechanism, but can also be
defined as External. There is currently _no_ documentation on the NTLM
SASL mechanism available... We will keep the NTLM mechanism as not
external atm, even if the authentication is done externally. It may
evolve later.
--
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org
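The mapping proposed in the mail, as an added worked example (this is illustrative code written for this page, not ApacheDS code, and it does not use the ApacheDS API). It builds the virtual-partition DN for an externally authenticated principal and then runs a toy access control decision function over that DN, the way the existing DN-based ACDFs would. The one caveat it adds that the mail does not mention: the external name comes from the SASL layer (for EXTERNAL, typically a TLS client-certificate subject) and is untrusted as far as DN syntax goes, so it must be escaped per RFC 4514 before it is embedded in the RDN; otherwise a name containing `,` or `+` turns into extra RDN components and the user lands in a different place in the tree than the ACI author expected. The suffix `dc=external-user,ou=system` is taken from the mail; the `ou=public` and `ou=users` subtrees and the rules in `acdf()` are assumptions made up for the example.

```python
"""Map a SASL EXTERNAL principal to a virtual-partition DN and evaluate a toy ACDF.

Added example, not ApacheDS code. Assumed (hypothetical) values:
  EXTERNAL_SUFFIX  - the virtual partition proposed in the mail
  PUBLIC_SUBTREE   - a subtree external users may read
  USERS_SUBTREE    - where "real" directory users live
"""

EXTERNAL_SUFFIX = "dc=external-user,ou=system"   # from the mail
PUBLIC_SUBTREE = "ou=public,dc=example,dc=com"   # assumption for the example
USERS_SUBTREE = "ou=users,dc=example,dc=com"     # assumption for the example

# RFC 4514 section 2.4: characters that must always be escaped in an attribute value.
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape a raw string so it can be embedded as an RDN attribute value.

    Escapes the RFC 4514 special characters, '=' (allowed, and it keeps the
    value from looking like a new attribute), a leading '#', leading/trailing
    spaces, and control characters (as \\XX hex pairs).
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or ch == "=":
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def external_user_dn(external_name: str) -> str:
    """Build cn=<escaped external name>,dc=external-user,ou=system."""
    if not external_name:
        raise ValueError("empty external name")
    return "cn=%s,%s" % (escape_rdn_value(external_name), EXTERNAL_SUFFIX)


def split_rdns(dn: str) -> list:
    """Split a DN string on unescaped commas (no whitespace tolerance)."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    return rdns


def dn_is_under(dn: str, base: str) -> bool:
    """True if dn equals base or is a descendant of it (RDN-wise, case-insensitive)."""
    d = [r.lower() for r in split_rdns(dn)]
    b = [r.lower() for r in split_rdns(base)]
    return len(d) >= len(b) and d[-len(b):] == b


def is_external_user(dn: str) -> bool:
    """True only for a direct child cn=... of the virtual partition.

    Checking the RDN count (not just the suffix) is what makes the escaping
    matter: a naively concatenated name containing ',' yields extra RDNs and
    no longer looks like an external user to this rule.
    """
    rdns = split_rdns(dn)
    return (len(rdns) == 3
            and rdns[0].lower().startswith("cn=")
            and [r.lower() for r in rdns[1:]] == split_rdns(EXTERNAL_SUFFIX))


def acdf(user_dn: str, target_dn: str, operation: str) -> bool:
    """Toy access control decision function (assumed rules, not ApacheDS ACI).

    - external users: read-only, and only inside PUBLIC_SUBTREE
    - users under USERS_SUBTREE: read anywhere under dc=example,dc=com,
      modify only their own entry
    - anything else: deny
    """
    if is_external_user(user_dn):
        return operation == "read" and dn_is_under(target_dn, PUBLIC_SUBTREE)
    if dn_is_under(user_dn, USERS_SUBTREE):
        if operation == "read":
            return dn_is_under(target_dn, "dc=example,dc=com")
        if operation == "modify":
            return user_dn.lower() == target_dn.lower()
    return False


if __name__ == "__main__":
    # Constructed sample: a certificate-style subject used as the external name.
    dn = external_user_dn("Alice Smith, O=Example")
    print(dn, is_external_user(dn), acdf(dn, "cn=x," + PUBLIC_SUBTREE, "read"))
```

The point of `is_external_user()` insisting on exactly three RDNs is that the ACI rule then depends on the mapping being injective and well-formed: with escaping, `Alice Smith, O=Example` becomes one `cn` value; without it, the same name would parse as `cn=Alice Smith` under an `O=Example` entry and silently fall outside the rule.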