We probably need to support both, reading http://www.alvestrand.no/objectid/2.16.840.1.113730.3.4.12.html http://www.alvestrand.no/objectid/2.16.840.1.113730.3.4.18.html
They are supported by different versions of the server.
So Net::LDAP::Control::ProxyAuth needs to be updated to take a version parameter and use the correct OID.
Graham, et al.,
I have done a little more digging around in this area. I think more work
may be necessary than just adding a version parameter. Let me show you
what I found by including some snippets from the weltman drafts that
describe the changes to the proxyAuth control value between [draft]
versions -05 and -12.
Thanks. Time has been short for me recently as I have been moving into a new house. Nearly 4 months in temporary living with all your belongings in storage is not fun. But now I am in my house and have broadband access once again.
ProxyAuthorization Control (as defined by draft-weltman-ldapv3-proxy-05)
<snip>
http://www.watersprings.org/pub/id/draft-weltman-ldapv3-proxy-05.txt
-----------------------------------------------------------------------
I've included sections 3 and 12.2 below which best summarize the control
value.
<snip>
proxyAuthValue ::= SEQUENCE { proxyDN LDAPDN }
ProxyAuthorization Control (as defined by draft-weltman-ldapv3-proxy-12)
http://www.ietf.org/internet-drafts/draft-weltman-ldapv3-proxy-12.txt
-----------------------------------------------------------------------
I've included section 3 below which best summarizes the control value.
3. Proxy Authorization Control
The controlType of the proxy authorization control is "2.16.840.1.113730.3.4.18".
The controlValue SHALL be present and contain either an authzId
[AUTH] representing the authorization identity for the request or
empty if an anonymous association is to be used.
RFC 2829
http://www.ietf.org/rfc/rfc2829.txt
-----------------------------------
The [AUTH] reference above refers to RFC 2829, section 9. Here's the relevant parts:
9. Authorization Identity
(...clipped for brevity...)
The authorization identity is a string in the UTF-8 character set, corresponding to the following ABNF [7]:
authzId = dnAuthzId / uAuthzId
; distinguished-name-based authz id.
dnAuthzId = "dn:" dn
dn        = utf8string    ; with syntax defined in RFC 2253

; unspecified userid, UTF-8 encoded.
uAuthzId  = "u:" userid
userid    = utf8string    ; syntax unspecified
All servers which support the storage of authentication credentials, such as passwords or certificates, in the directory MUST support the dnAuthzId choice.
So, there does appear to be a major change in the packaging of the proxyAuth control value between the two Weltman drafts (-05 and -12); thus explaining the OID version change.
OK. Actually this makes it even easier. We do not need the version parameter. The user should be able to provide one of proxyDN or AuthzId and the module will use the correct OID.
We could even split AuthzId into uAuthzId and dnAuthzId and have the module add the correct prefix.
The real question is what we do in ::Constant. Do we have both or, as the old one is outdated, just have the new OID and the control module has the OID in it directly? I.e., do we want the user to have access to both as constants or just the latest? Personally I am leaning towards just the latest, but that would break any script which used the constant directly instead of via the Control module.
Changes to PERL-LDAP?
---------------------
I am assuming that your suggestion to add a version parameter to Net::LDAP::Control::ProxyAuth::new() would look something like:
my $auth = Net::LDAP::Control::ProxyAuth->new(
  proxyDN => 'cn=me,ou=people,o=myorg.com',
  version => 2,    # OID 2.16.840.1.113730.3.4.18
);
It was, but I think you showed me there is a better way :-)
Now my suggestion is
# New interface for Version 1.
my $auth = Net::LDAP::Control::ProxyAuth->new(
  proxyID => 'cn=me,ou=people,o=myorg.com',    # DN
);
i.e., no change
And for version 2
# New interface for Version 2.
my $auth = Net::LDAP::Control::ProxyAuth->new(
  AuthzID => 'dn:cn=me,ou=people,o=myorg.com',    # DN
);
Comments?
Graham.
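The thread above proposes selecting the control OID from which parameter the caller supplies (proxyDN for the draft -05 SEQUENCE { proxyDN LDAPDN } value, an authzID for the draft -12 bare authzId value), and optionally letting the module add the "dn:" / "u:" prefix from RFC 2829 section 9. The following is an added example, not code from the perl-ldap project, written in Python rather than Perl so that the two wire encodings can be compared directly. The function names `proxy_auth_control`, `authz_id` and `decode_v1_value` and the parameter names `proxyDN` / `authzID` are this example's own choices; the OIDs and value layouts are the ones quoted in the thread.

```python
# Added example (not perl-ldap code): build the control value for both
# Weltman proxy authorization drafts and choose the OID from the parameter
# the caller supplied, as proposed in the thread.

PROXY_AUTH_V1_OID = "2.16.840.1.113730.3.4.12"  # draft -05: BER SEQUENCE { proxyDN LDAPDN }
PROXY_AUTH_V2_OID = "2.16.840.1.113730.3.4.18"  # draft -12: raw authzId string (empty = anonymous)


def ber_len(n):
    """BER definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_octet_string(data):
    return b"\x04" + ber_len(len(data)) + data       # universal tag 4 (LDAPDN is an OCTET STRING)


def ber_sequence(data):
    return b"\x30" + ber_len(len(data)) + data       # universal constructed tag 16


def authz_id(dn=None, userid=None):
    """Build an RFC 2829 authzId, adding the 'dn:' or 'u:' prefix for the caller
    (the 'split AuthzId into dnAuthzId and uAuthzId' idea from the thread)."""
    if (dn is None) == (userid is None):
        raise ValueError("give exactly one of dn or userid")
    return "dn:" + dn if dn is not None else "u:" + userid


def proxy_auth_control(proxyDN=None, authzID=None, critical=True):
    """Return (controlType OID, criticality, controlValue bytes).

    proxyDN  -> version 1 control (OID ...3.4.12), value BER-wrapped in a SEQUENCE
    authzID  -> version 2 control (OID ...3.4.18), value is the authzId itself;
                an empty string requests an anonymous association
    """
    if (proxyDN is None) == (authzID is None):
        raise ValueError("give exactly one of proxyDN or authzID")
    if proxyDN is not None:
        value = ber_sequence(ber_octet_string(proxyDN.encode("utf-8")))
        return PROXY_AUTH_V1_OID, critical, value
    if authzID and not (authzID.startswith("dn:") or authzID.startswith("u:")):
        # Reject identities that are neither dnAuthzId nor uAuthzId so a typo
        # cannot silently be sent as an unknown authorization form.
        raise ValueError("authzID must be 'dn:<dn>' or 'u:<userid>' (RFC 2829 s.9)")
    return PROXY_AUTH_V2_OID, critical, authzID.encode("utf-8")


def decode_v1_value(value):
    """Parse a draft -05 control value back into the proxy DN, checking that
    the BER structure is exactly SEQUENCE { OCTET STRING } with no trailing bytes."""
    def read_tlv(buf, expected_tag):
        if not buf or buf[0] != expected_tag:
            raise ValueError("unexpected tag")
        n, start = buf[1], 2
        if n & 0x80:                                 # long-form length
            k = n & 0x7F
            n = int.from_bytes(buf[2:2 + k], "big")
            start = 2 + k
        if len(buf) < start + n:
            raise ValueError("truncated value")
        return buf[start:start + n], buf[start + n:]

    inner, rest = read_tlv(value, 0x30)
    if rest:
        raise ValueError("trailing data after SEQUENCE")
    dn, rest = read_tlv(inner, 0x04)
    if rest:
        raise ValueError("unexpected extra element in SEQUENCE")
    return dn.decode("utf-8")


if __name__ == "__main__":
    dn = "cn=me,ou=people,o=myorg.com"             # constructed sample DN from the thread
    for oid, crit, val in (proxy_auth_control(proxyDN=dn),
                           proxy_auth_control(authzID=authz_id(dn=dn)),
                           proxy_auth_control(authzID="")):
        print(oid, crit, val.hex() or "<empty>")
```

With a DN of 27 bytes the version 1 value is 31 bytes (`30 1d 04 1b` followed by the DN), whereas the version 2 value is just the `dn:`-prefixed string; the decoder is strict about trailing bytes so a malformed value is refused rather than partially accepted.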