On 8/6/08, Emmanuel Lecharny <[EMAIL PROTECTED]> wrote:
>
> Hi guys,
>
> there is something puzzling me with the current SASL implementation we
> have. SASL can be used to allow a user to authenticate into ADS even if it
> is not defined and known by ADS. This is done through the EXTERNAL
> mechanism. That's all good.
>
> But now, my question is: how do we handle the authorization for an
> externally authenticated user? Currently the ACDFs are evaluated
> considering that a user is described by a DN, which won't be the case for
> the EXTERNAL mechanism.

This is not true. According to RFC2829, the SASL EXTERNAL may be sent with
an authzId which must follow the following notation:

    authzId    = dnAuthzId / uAuthzId

    ; distinguished-name-based authz id.
    dnAuthzId  = "dn:" dn
    dn         = utf8string    ; with syntax defined in RFC 2253

    ; unspecified userid, UTF-8 encoded.
    uAuthzId   = "u:" userid
    userid     = utf8string    ; syntax unspecified

My understanding of the RFC is that the user/dn must be known to the DS, but
the authentication has been done at a lower layer (during the TLS
negotiation, for example). By the way, the RFC states that if there has been
no way to perform the authentication at lower levels, then the bind MUST be
refused (RFC2829 Chap 8). This extra authz is here in order to use a DN
different from the one stored in the client certificate used in the TLS
nego. According to the RFC, this mechanism is not quite open and cannot be
used for SSO.

Regards
Jeff

> I would suggest that we define a virtual partition for such external users,
> where the user is defined as:
> cn=<user external name>, dc=external-user, ou=system, otherwise, I think we
> have to modify the whole authz mechanism.
>
> Did I miss something? Thoughts?
>
> PS: NTLM is currently defined as a standard mechanism, but can also be
> defined as External. There is currently _no_ documentation on the NTLM SASL
> mechanism available... We will keep the NTLM mechanism as not external atm,
> even if the authentication is done externally. It may evolve later
>
> --
> --
> cordialement, regards,
> Emmanuel Lécharny
> www.iktek.com
> directory.apache.org
>
>

--
Melancholy is communist
Everyone is entitled to it now and then
Melancholy is not capitalist
It is even free for the losers
Melancholy is pacifist
Nobody ever picks a fight with it
Melancholy, oh you know it exists
It is even handled with gloves
Melancholy is for trade unionists
You just need your full-time member's card
Miossec (2006)
http://www.jeffmaury.com
http://riadiscuss.jeffmaury.com
http://www.lastfm.fr/listen/user/jeffmaury/personal
My CDs to be picked up: http://spreadsheets.google.com/ccc?key=pNeg4Doa_oCsh7CepKPaPTA&hl=en
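The thread above turns on two points from RFC 2829 that Jeff quotes: the authzId grammar ("dn:" dn / "u:" userid) and the rule that an EXTERNAL bind must be refused when no lower-layer authentication (such as a verified TLS client certificate) took place. The following Python is an added illustration of how a server could apply both; it is not ApacheDS code and not part of the thread. The in-memory DIRECTORY, the PROXY_ALLOWED policy (which authenticated identities may ask to be authorized as someone else) and the naive normalize_dn are constructed simplifications; a real server would apply full RFC 2253 DN matching and its own access-control rules.

```python
"""Illustrative handling of a SASL EXTERNAL bind carrying an RFC 2829 authzId.

Added example, not ApacheDS code. DIRECTORY, PROXY_ALLOWED and normalize_dn
are constructed simplifications for the demonstration.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class AuthzId:
    kind: str    # "dn" or "u", the two alternatives in the RFC 2829 grammar
    value: str   # the dn (kind == "dn") or the userid (kind == "u")


class AuthzIdError(ValueError):
    """Malformed authzId: neither 'dn:' nor 'u:' form, or an empty value."""


class BindRefused(Exception):
    """Bind refused: no lower-layer authentication, unknown identity, or no right to assume it."""


def parse_authz_id(raw: str) -> Optional[AuthzId]:
    """Parse authzId = dnAuthzId / uAuthzId.

    An empty authzId (None here) means "authorize me as the identity I
    authenticated as"; anything else must carry one of the two prefixes.
    """
    if raw == "":
        return None
    if raw.startswith("dn:"):
        dn = raw[3:]
        if not dn.strip():
            raise AuthzIdError("dnAuthzId with empty dn")
        return AuthzId("dn", dn)
    if raw.startswith("u:"):
        userid = raw[2:]
        if not userid:
            raise AuthzIdError("uAuthzId with empty userid")
        return AuthzId("u", userid)
    raise AuthzIdError(f"authzId must start with 'dn:' or 'u:', got {raw!r}")


def normalize_dn(dn: str) -> str:
    """Constructed, deliberately naive DN normalisation (lower-case, strip spaces
    around RDNs). A real server must follow RFC 2253 (escaping, multi-valued RDNs,
    per-attribute matching rules) before comparing DNs."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


# Constructed toy directory: normalized DN -> attributes. EXTERNAL only
# authenticates; whatever identity the bind ends up as must still exist here,
# which is the "user/dn must be known to the DS" point from the message.
DIRECTORY = {
    "uid=jeff,ou=users,dc=example,dc=com": {"uid": "jeff"},
    "uid=emmanuel,ou=users,dc=example,dc=com": {"uid": "emmanuel"},
    "cn=gateway,ou=services,dc=example,dc=com": {"cn": "gateway"},
}

# Constructed policy: authenticated identities allowed to request a *different*
# authorization identity (the "DN different from the certificate's" case).
PROXY_ALLOWED = {"cn=gateway,ou=services,dc=example,dc=com"}


def resolve_identity(authz: Optional[AuthzId], cert_subject: Optional[str]) -> str:
    """Return the normalized DN the connection is authorized as, or raise BindRefused.

    cert_subject is the subject DN the TLS layer verified from the client
    certificate; None means no lower-layer authentication happened at all.
    """
    if cert_subject is None:
        # Nothing authenticated the client below SASL: the bind must fail.
        raise BindRefused("no lower-layer authentication available")
    authn_dn = normalize_dn(cert_subject)
    if authn_dn not in DIRECTORY:
        raise BindRefused("certificate subject is not a known directory entry")

    if authz is None:
        return authn_dn
    if authz.kind == "dn":
        target = normalize_dn(authz.value)
    else:  # "u:" userid -> map the unspecified-syntax userid onto a uid attribute
        matches = [dn for dn, attrs in DIRECTORY.items() if attrs.get("uid") == authz.value]
        if len(matches) != 1:
            raise BindRefused(f"userid {authz.value!r} does not map to exactly one entry")
        target = matches[0]
    if target not in DIRECTORY:
        raise BindRefused("requested authorization identity is unknown")
    if target != authn_dn and authn_dn not in PROXY_ALLOWED:
        raise BindRefused("authenticated identity may not assume another identity")
    return target


def external_bind(raw_authz_id: str, cert_subject: Optional[str]) -> Tuple[bool, str]:
    """Convenience wrapper: (True, bound_dn) on success, (False, reason) on refusal."""
    try:
        return True, resolve_identity(parse_authz_id(raw_authz_id), cert_subject)
    except (AuthzIdError, BindRefused) as exc:
        return False, str(exc)


if __name__ == "__main__":
    cert = "UID=jeff, OU=users, DC=example, DC=com"   # constructed TLS client-cert subject
    print(external_bind("", cert))                     # bound as jeff himself
    print(external_bind("u:emmanuel", cert))           # refused: jeff may not proxy
    print(external_bind("u:emmanuel", "cn=gateway,ou=services,dc=example,dc=com"))
    print(external_bind("", None))                     # refused: no lower-layer authn
    print(external_bind("jeff", cert))                 # refused: malformed authzId
```

The two refusal paths worth keeping separate in a real implementation are the protocol error (malformed authzId) and the authorization failure (valid syntax, but no right to become that identity); collapsing them into one error code hides misconfigured clients from the operator.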
