this draft is really interesting and indeed provides a solution when no
Kerberos is available.
I was wondering if we could not get quite the same behavior with proxy
authentication and standard single sign-on mechanisms: the user is known
by the web application through a token (JWT or whatever) and then the web
application authenticates for this user using LDAP proxy authz.
Another remark: you don't give any hint on how the LDAP server should
manage its token database. Maybe it is intended that each LDAP server
should implement its own way, but we may think of standard LDAP objects
that could be used to manage these tokens directly in LDAP, instead of
using a separate database?
Free software consultant, infrastructure and security expert
On Mon, 2016-09-05 at 08:35 +1000, William Brown wrote:
> I would like to ask for feedback on the submission
> draft-wibrown-ldapssotoken . Section 5 deals with the ldap components
> of the implementation.
> Thank you for your time and advice,
>  https://datatracker.ietf.org/doc/draft-wibrown-ldapssotoken/
This has been updated with feedback some time ago. I would appreciate
further comment and review,