> On Mon, February 14, 2005 4:42 pm, Faltermier, David (HP Directory) said:
>> A question about Net::LDAP::Control::ProxyAuth...
>>
>> I noticed that the OID used for the proxyAuth control is rather old.
>> According to
>> http://search.cpan.org/src/GBARR/perl-ldap-0.3202/lib/Net/LDAP/Constant.pm
>> the OID for the ProxyAuth control is:
>> LDAP_CONTROL_PROXYAUTHENTICATION (2.16.840.1.113730.3.4.12)
>> Should this be updated with the more recent OID of
>> '2.16.840.1.113730.3.4.18' (draft-weltman-ldapv3-proxy-12.txt)?
>
> We probably need to support both, reading
> http://www.alvestrand.no/objectid/2.16.840.1.113730.3.4.12.html
> http://www.alvestrand.no/objectid/2.16.840.1.113730.3.4.18.html
>
> They are supported by different versions of the server.
>
> So Net::LDAP::Control::ProxyAuth needs to be updated to take a version
> parameter and use the correct OID.
>
> Thanks,
> Graham.

Graham, et al.,

I have done a little more digging around in this area. I think more work
may be necessary than just adding a version parameter. Let me show you
what I found by including some snippets from the Weltman drafts that
describe the changes to the proxyAuth control value between [draft]
versions -05 and -12.

ProxyAuthorization Control (as defined by draft-weltman-ldapv3-proxy-05)
http://www.watersprings.org/pub/id/draft-weltman-ldapv3-proxy-05.txt
-----------------------------------------------------------------------

I've included sections 3 and 12.2 below, which best summarize the control
value.

   3. Proxied Authorization Control

      proxyAuthControl ::= SEQUENCE {
          controlType   2.16.840.1.113730.3.4.12,
          criticality   BOOLEAN DEFAULT FALSE,
          controlValue  proxyAuthValue
      }

      The controlValue contains the BER encoding of a DN used for
      evaluating the requested rights:

      proxyAuthValue ::= SEQUENCE {
          proxyDN LDAPDN
      }

      It is represented as a Sequence in order to allow future extensions.

   12.2 Control envelope

      Rather than containing an LDAPDN as the Control value, the Control
      contains a Sequence (which contains an LDAPDN). This is to provide
      for future extensions.

ProxyAuthorization Control (as defined by draft-weltman-ldapv3-proxy-12)
http://www.ietf.org/internet-drafts/draft-weltman-ldapv3-proxy-12.txt
-----------------------------------------------------------------------

I've included section 3 below, which best summarizes the control value.

   3. Proxy Authorization Control

      The controlType of the proxy authorization control is
      "2.16.840.1.113730.3.4.18".

      The controlValue SHALL be present and contain either an authzId
      [AUTH] representing the authorization identity for the request or
      empty if an anonymous association is to be used.

RFC 2829
http://www.ietf.org/rfc/rfc2829.txt
-----------------------------------

The [AUTH] reference above refers to RFC 2829, section 9. Here are the
relevant parts:

   9. Authorization Identity

   (...clipped for brevity...)

      The authorization identity is a string in the UTF-8 character set,
      corresponding to the following ABNF [7]:

      authzId   = dnAuthzId / uAuthzId

      ; distinguished-name-based authz id.
      dnAuthzId = "dn:" dn
      dn        = utf8string    ; with syntax defined in RFC 2253

      ; unspecified userid, UTF-8 encoded.
      uAuthzId  = "u:" userid
      userid    = utf8string    ; syntax unspecified

      All servers which support the storage of authentication credentials,
      such as passwords or certificates, in the directory MUST support the
      dnAuthzId choice.

So, there does appear to be a major change in the packaging of the
proxyAuth control value between the two Weltman drafts (-05 and -12),
thus explaining the OID version change.

Changes to PERL-LDAP?
---------------------

I am assuming that your suggestion to add a version parameter to
Net::LDAP::Control::ProxyAuth::new() would look something like:

   my $auth = Net::LDAP::Control::ProxyAuth->new(
       proxyDN => 'cn=me,ou=people,o=myorg.com',
       version => 2,    # OID 2.16.840.1.113730.3.4.18
   );

However, it appears more than this will be needed. The new proxyAuth
control requires an authzId value as specified by RFC 2829. This will
mean a couple of things:

1. AuthzIds other than a DN may be specified. Currently, two are defined
   by RFC 2829: (1) dnAuthzId, and (2) uAuthzId. Therefore, the 'proxyDN'
   named parameter is probably a misnomer and may need to be replaced
   with something less "DN" specific. Perhaps 'proxyID'?

2. The authzId chosen by the user must include the correct "dn:" or "u:"
   prefix, something not currently required.

Adding just a version parameter will not account for the necessary
proxyDN parameter changes. Perhaps a new [backward compatible] interface
might look something like this:

   # New interface for Version 2.
   # (The new interface assumes version 2 to be the default.)
   my $auth = Net::LDAP::Control::ProxyAuth->new(
       proxyID => 'dn:cn=me,ou=people,o=myorg.com',  # dnAuthzId or uAuthzId
       version => 2,    # Optional. Default. OID 2.16.840.1.113730.3.4.18
   );

   # New interface for Version 1.
   my $auth = Net::LDAP::Control::ProxyAuth->new(
       proxyID => 'cn=me,ou=people,o=myorg.com',  # DN
       version => 1,    # OID 2.16.840.1.113730.3.4.12
   );

   # For backward compatibility with version 1.
   # Note: Use of named parameter 'proxyDN' assumes version 1
   # (OID 2.16.840.1.113730.3.4.12).
   my $auth = Net::LDAP::Control::ProxyAuth->new(
       proxyDN => 'cn=me,ou=people,o=myorg.com',
   );

The interface changes suggested above should not break anyone's current
usage of Net::LDAP::Control::ProxyAuth. Of course, there are other
interface options.

-David
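Added example, not code from this thread or from perl-ldap: a Python sketch of the two controlValue encodings the drafts above describe (draft -05 wraps the DN in a BER SEQUENCE; draft -12 sends the raw RFC 2829 authzId, or an empty value for anonymous), with the "dn:"/"u:" prefix check David calls for, behind a proxyID/version interface modelled on his proposed one. The BER helpers, function names and the `critical` parameter are my own assumptions, not perl-ldap's API.

```python
import re

# OIDs quoted in the thread for the two draft versions of the control.
OID_PROXYAUTH_V1 = "2.16.840.1.113730.3.4.12"  # draft-weltman-ldapv3-proxy-05
OID_PROXYAUTH_V2 = "2.16.840.1.113730.3.4.18"  # draft-weltman-ldapv3-proxy-12

# RFC 2829 section 9: authzId = "dn:" dn / "u:" userid; the draft -12
# control also allows an empty value (anonymous association).
AUTHZID_RE = re.compile(r"dn:.+|u:.+|", re.DOTALL)


def ber_len(n: int) -> bytes:
    """BER definite length: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content


def proxyauth_value_v1(proxy_dn: str) -> bytes:
    """draft -05: proxyAuthValue ::= SEQUENCE { proxyDN LDAPDN }.
    LDAPDN is an OCTET STRING (0x04) inside a SEQUENCE (0x30)."""
    return ber_tlv(0x30, ber_tlv(0x04, proxy_dn.encode("utf-8")))


def is_authz_id(value: str) -> bool:
    """True if value is a dnAuthzId, a uAuthzId, or empty (anonymous)."""
    return AUTHZID_RE.fullmatch(value) is not None


def proxyauth_value_v2(authz_id: str) -> bytes:
    """draft -12: controlValue is the bare authzId string, no SEQUENCE.
    A bare DN without the 'dn:' prefix is rejected rather than sent."""
    if not is_authz_id(authz_id):
        raise ValueError("authzId must be 'dn:<dn>', 'u:<userid>' or empty")
    return authz_id.encode("utf-8")


def build_proxyauth_control(proxy_id: str, version: int = 2, critical: bool = True):
    """Return (controlType, criticality, controlValue) for the chosen draft
    version, mirroring the proposed proxyID/version interface (assumed)."""
    if version == 1:
        return (OID_PROXYAUTH_V1, critical, proxyauth_value_v1(proxy_id))
    if version == 2:
        return (OID_PROXYAUTH_V2, critical, proxyauth_value_v2(proxy_id))
    raise ValueError("unknown proxy authorization control version")
```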