[Fedora-directory-users] Re:Certificate authentication with SASL External
Howard Chu
hyc at symas.com
Wed Feb 8 02:16:19 UTC 2006
>
> From: David Boreham <david_list at boreham.org>
>
>> > Remember that authentication is not the same as authorization - having
>> > the valid certificate just proves who you are to the server; the
>> > server doesn't have to accord you any privileges/authorization just
>> > because of that.
>>
>
> Correct, but the OP _wanted_ to make an authorization decision for this
> identity, not just perform authentication.
>
Yes, I'm sure eventually the OP would want to make an authorization
decision, but their complaint showed that they weren't even able to get
past authentication. The fact that FDS doesn't support distributed
authentication makes the authorization question a bit moot.
> I think what he wants is to be able to use the subject DN in the
> client's cert
> directly as the bind identity for access control purposes. This isn't
> supported.
> Not because the original developers missed some grand X.500 vision, but
> because
> nobody needed to do that (and haven't for 10 years, until now...).
Personal experience tells me that many people have needed distributed
authentication in the past 10 years, and it's been used extensively in
OpenLDAP for the past 6 or so. The folks who designed LDAP plainly
didn't consider it, just as they didn't consider the majority of the
implications of true distributed operation.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
More information about the 389-users
mailing list