Request for feedback: draft-wibrown-ldapssotoken

William Brown
Hi,

I would like to ask for feedback on the submission
draft-wibrown-ldapssotoken [0]. Section 5 deals with the ldap components
of the implementation.

Thank you for your time and advice,

[0] https://datatracker.ietf.org/doc/draft-wibrown-ldapssotoken/

--
Sincerely,

William Brown
Software Engineer
Red Hat, Brisbane

_______________________________________________
Ldapext mailing list
[hidden email]
https://www.ietf.org/mailman/listinfo/ldapext


Re: Request for feedback: draft-wibrown-ldapssotoken

Clément OUDOT


On 05/09/2016 at 00:35, William Brown wrote:

> Hi,
>
> I would like to ask for feedback on the submission
> draft-wibrown-ldapssotoken [0]. Section 5 deals with the ldap components
> of the implementation.
>
> Thank you for your time and advice,
>
> [0] https://datatracker.ietf.org/doc/draft-wibrown-ldapssotoken/
>

Hi,

this draft is really interesting and indeed provides a solution when no
Kerberos is available.

I was wondering if we could not get quite the same behavior with proxy
authentication and standard single sign-on mechanisms: the user is known
by the web application through a token (JWT or whatever) and then the web
application authenticates for this user using LDAP proxy authz.

Another remark: you don't give any hint on how the LDAP server should
manage its token database. Maybe it is intended as each LDAP server
should implement its own way, but we may think of standard LDAP objects
that could be used to manage these tokens directly in LDAP, instead of
using a separate database?

Regards,

--
Clément OUDOT
Free software consultant, infrastructure and security expert
Savoir-faire Linux


Re: Request for feedback: draft-wibrown-ldapssotoken

William Brown
On Mon, 2016-09-05 at 08:35 +1000, William Brown wrote:
> Hi,
>
> I would like to ask for feedback on the submission
> draft-wibrown-ldapssotoken [0]. Section 5 deals with the ldap components
> of the implementation.
>
> Thank you for your time and advice,
>
> [0] https://datatracker.ietf.org/doc/draft-wibrown-ldapssotoken/


Hi,

This has been updated with feedback some time ago. I would appreciate
further comment and review,

https://tools.ietf.org/html/draft-wibrown-ldapssotoken-01


--
Sincerely,

William Brown
Software Engineer
Red Hat, Brisbane
