Technical Summary
This document describes a mechanism for Lightweight Directory
Access Protocol (LDAP) clients to obtain the authorization identity
the server uses for them. This mechanism, called "Who am I?", is an
extended operation that returns the authorization identity which the
server has associated with the user or application entity.
This replaces the AUTHCTL mechanism, which uses Bind request and
response controls to request and return the authorization identity.
Bind controls are not protected by the security layers established by the
Bind operation of which they are a part, whereas an extended operation
sent after a Bind operation is protected by the security layers that
Bind operation established.
This mechanism will also be used in cases where the
authorization identity is requested separately from the Bind operation.
For example, the "Who am I?" operation can be augmented with a Proxied
Authorization Control [PROXYCTL] to determine the authorization identity
which the server associates with the identity asserted in the Proxied Authorization
Control. The "Who am I?" operation can also be used prior to the Bind
operation.
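The exchange described above, worked through at the wire level as an added example (this code is not part of the document or of the protocol specification): a client builds the "Who am I?" ExtendedRequest, which carries only the operation's OID and no requestValue, and then decodes the server's ExtendedResponse, whose responseValue is the authzId on success, absent on failure, and the empty string when the server treats the session as anonymous. The OID is the one registered for the operation in RFC 4532; the "dn:" and "u:" authzId forms are those defined in RFC 4513. The helper names, the hand-rolled BER subset and the constructed server replies used for offline checking are all assumptions of this example, not a real LDAP library or server.

```python
"""Minimal BER encode/decode for the LDAP "Who am I?" extended operation.

Added illustration: a hand-rolled BER subset sufficient for this one exchange,
not a general LDAP library. All helper names here are this example's own."""

# LDAPOID registered for the "Who am I?" extended operation (RFC 4532).
WHOAMI_OID = "1.3.6.1.4.1.4203.1.11.3"

# BER tags used below (class | constructed bit | tag number).
TAG_SEQUENCE = 0x30           # UNIVERSAL 16, constructed: LDAPMessage / LDAPResult
TAG_INTEGER = 0x02            # messageID
TAG_ENUMERATED = 0x0A         # resultCode
TAG_OCTET_STRING = 0x04       # matchedDN, diagnosticMessage
TAG_EXTENDED_REQUEST = 0x77   # [APPLICATION 23], constructed
TAG_EXTENDED_RESPONSE = 0x78  # [APPLICATION 24], constructed
TAG_REQUEST_NAME = 0x80       # [0] primitive inside ExtendedRequest
TAG_RESPONSE_VALUE = 0x8B     # [11] primitive inside ExtendedResponse (authzId)


def _ber_len(n):
    """Definite-form length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, value):
    return bytes([tag]) + _ber_len(len(value)) + value


def _ber_uint(n):
    """Non-negative INTEGER contents; adds a leading 0x00 when the top bit is set."""
    return n.to_bytes(n.bit_length() // 8 + 1, "big")


def whoami_request(message_id):
    """LDAPMessage { messageID, ExtendedRequest { requestName [0] = Who am I? OID } }.
    The operation defines no requestValue, so only the [0] element is emitted."""
    ext_req = _tlv(TAG_EXTENDED_REQUEST,
                   _tlv(TAG_REQUEST_NAME, WHOAMI_OID.encode("ascii")))
    return _tlv(TAG_SEQUENCE, _tlv(TAG_INTEGER, _ber_uint(message_id)) + ext_req)


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos); rejects indefinite and oversize lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported BER length form")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:end], end


def parse_whoami_response(msg, expected_id=None):
    """Decode an ExtendedResponse into (messageID, resultCode, authzId or None).
    authzId is present only on success and may be "" (anonymous)."""
    tag, body, end = _read_tlv(msg, 0)
    if tag != TAG_SEQUENCE or end != len(msg):
        raise ValueError("expected exactly one LDAPMessage")
    tag, mid, pos = _read_tlv(body, 0)
    if tag != TAG_INTEGER:
        raise ValueError("messageID missing")
    message_id = int.from_bytes(mid, "big", signed=True)
    if expected_id is not None and message_id != expected_id:
        raise ValueError("response messageID does not match the request")
    tag, op, _ = _read_tlv(body, pos)
    if tag != TAG_EXTENDED_RESPONSE:
        raise ValueError("protocolOp is not an ExtendedResponse")
    tag, rc, p = _read_tlv(op, 0)
    if tag != TAG_ENUMERATED:
        raise ValueError("resultCode missing")
    result_code = int.from_bytes(rc, "big", signed=True)
    _, _matched_dn, p = _read_tlv(op, p)   # matchedDN, not needed here
    _, _diagnostic, p = _read_tlv(op, p)   # diagnosticMessage, not needed here
    authz_id = None
    while p < len(op):                     # optional trailing [3]/[10]/[11]
        tag, val, p = _read_tlv(op, p)
        if tag == TAG_RESPONSE_VALUE:
            authz_id = val.decode("utf-8")
    return message_id, result_code, authz_id


def classify_authz_id(authz_id):
    """authzId forms (RFC 4513): "" = anonymous, "dn:<DN>", or "u:<userid>"."""
    if authz_id is None:
        return "absent"
    if authz_id == "":
        return "anonymous"
    if authz_id.startswith("dn:"):
        return "dn"
    if authz_id.startswith("u:"):
        return "userid"
    return "unknown"


def build_whoami_response(message_id, result_code, authz_id=None, diagnostic=""):
    """Constructed server reply for offline checking only; this is not a server."""
    result = (_tlv(TAG_ENUMERATED, _ber_uint(result_code))
              + _tlv(TAG_OCTET_STRING, b"")
              + _tlv(TAG_OCTET_STRING, diagnostic.encode("utf-8")))
    if authz_id is not None:
        result += _tlv(TAG_RESPONSE_VALUE, authz_id.encode("utf-8"))
    return _tlv(TAG_SEQUENCE,
                _tlv(TAG_INTEGER, _ber_uint(message_id))
                + _tlv(TAG_EXTENDED_RESPONSE, result))
```

The `expected_id` check matters in practice: the client should only trust an authzId carried in a response whose messageID matches the request it sent over the same, already-protected connection, and it should treat an absent responseValue (non-success resultCode) differently from an empty one, which is the server reporting an anonymous association.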
Working Group Summary
This was not a WG document, but has been discussed on various
mailing lists (LDAPEXT, LDAPBIS, etc.). The only issue raised during
last call was whether this was sufficiently distinguished from
draft-weltman-ldapv3-auth-response-09.txt, and this issue has been
resolved.
Protocol Quality
This document has been reviewed for the IESG by Ted Hardie.