From 6fa30ec4b28db045e3bad00313f391811d1c53ad Mon Sep 17 00:00:00 2001 From: William Brown Date: Mar 01 2017 00:26:22 +0000 Subject: Ticket 48707 - Update rfc to accomodate that authid is mandatory Fix Description: authid in sasl is mandatory, so we should include this. https://pagure.io/389-ds-base/issue/48707 Author: wibrown Review by: mreynolds (Thanks!) --- diff --git a/rfcs/Makefile b/rfcs/Makefile index e868d38..31db4d4 100644 --- a/rfcs/Makefile +++ b/rfcs/Makefile @@ -1,5 +1,5 @@ -allrfcs: folders examplerfcs draft-wibrown-ldapssotoken-00 +allrfcs: folders draft-wibrown-ldapssotoken-00 folders: mkdir -p txt diff --git a/rfcs/src/draft-wibrown-ldapssotoken-00.xml b/rfcs/src/draft-wibrown-ldapssotoken-00.xml index c503744..24cdf0f 100644 --- a/rfcs/src/draft-wibrown-ldapssotoken-00.xml +++ b/rfcs/src/draft-wibrown-ldapssotoken-00.xml @@ -1,6 +1,7 @@ @@ -15,7 +16,7 @@ - + @@ -90,7 +91,7 @@ - + General @@ -235,6 +236,9 @@ Date Time Until || User Unique Id The acquisition method for the token is discussed in section XXX. For authentication, the client MUST send the token as it was received. IE changes to formatting are not permitted. + The client MUST send the an appropriate authid in RFC 2078 + form. This authid MUST internally match the User Unique Id in the token. The server + is responsible for this validation. The client MAY transform the token if acting in a proxy fashion. However this transformation must be deterministic and able to be reversed to satisfy the previous requirement. @@ -276,6 +280,8 @@ Date Time Until || User Unique Id
The client issues a SASL bind request with the mechanism name LDAPSSOTOKEN. + The client sends an appropriate authid in RFC 2078 + form. The client provides the encrypted token that was provided in the LDAPSSOTokenResponse Token Field. The token is decrypted and authenticated based on the token @@ -296,6 +302,10 @@ Date Time Until || User Unique Id invalidCredentials MUST be returned. The User Unique Id is validated to exist on the server. If the User Unique Id does not exist, invalidCredentials MUST be returned. + The authid provided by the SASL client is verified with the User Unique Id. For example + if the authid is william@EXAMPLE.COM, the server maps this to an identity. Once this + identity is validated, the identity is check to match the User Unique Id. If they do not + match, the authentication MUST fail. The DateTimeIssued field is validated against the User Unique Id object's attribute or related attribute that contains "Valid Not Before". If the value of "Valid Not Before" exceeds or is equal to DateTimeIssued, @@ -414,6 +424,8 @@ LDAPSSOTokenResponse ::= SEQUENCE { + &RFC2078; + &RFC2222; &RFC4511;
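Review bot: the removal of `examplerfcs` from the `allrfcs` target in rfcs/Makefile is not covered by the commit message, which only describes the authid change to the draft; either state in the message why the example RFCs are no longer built by default or split this into its own commit. If the `examplerfcs` target still exists further down the Makefile, confirm that nothing else expects `allrfcs` to produce its output.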
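Review bot: the new sentence in the `@@ -235,6 +236,9 @@` hunk reads "The client MUST send the an appropriate authid"; drop the stray "the". "This authid MUST internally match the User Unique Id" is also too loose for a normative requirement, because "internally" does not say how the match is established. Suggest "The server MUST map the authid to an identity and MUST verify that this identity corresponds to the User Unique Id carried in the token", which is what the verification step added later in this patch actually describes. Since the token is already authenticated and carries the User Unique Id, the draft should also say what the mandatory authid adds (for example that a proxy presenting a transformed token cannot present it under a different identity); otherwise implementers cannot tell whether this is a security check or only a consistency check. Finally, "RFC 2078 form" cites an obsoleted document: RFC 2078 was replaced by RFC 2743, and the example authid `william@EXAMPLE.COM` is a GSS-API/Kerberos name form, so cite the current reference.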
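Review bot: in the `@@ -276,6 +280,8 @@` hunk the bind procedure says only that "The client sends an appropriate authid in RFC 2078 form", but it does not define how the authid and the encrypted token are carried together in the SASL credentials of the bind request (ordering, separator or ASN.1 structure). Without an on-the-wire encoding two implementations of the LDAPSSOTOKEN mechanism cannot interoperate; add the encoding here or in the ASN.1 section. The sentence should also use the same normative keyword as the section above ("MUST send") rather than a bare "sends".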
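Review bot: "the identity is check to match the User Unique Id" in the `@@ -296,6 +302,10 @@` hunk should be "checked", and "For example if the authid is" needs a comma after "example". More importantly, the new validation step ends with "the authentication MUST fail" while every neighbouring check in this hunk specifies "invalidCredentials MUST be returned"; state the result code explicitly so that a mismatched authid is indistinguishable to the client from a bad token, and define separately what the server returns when the authid cannot be mapped to any identity at all, which is a different failure from a mapped identity that does not match. The hunk also places this check after the User Unique Id existence check but before the "Valid Not Before" check; say whether that ordering is normative, since it determines which failure a client observes.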
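Review bot: the `@@ -414,6 +424,8 @@` hunk adds `&RFC2078;` and `&RFC2222;` to the references, but both are obsoleted: RFC 2222 (SASL) by RFC 4422 and RFC 2078 (GSS-API v2) by RFC 2743. A new Internet-Draft should cite the current documents, particularly because the distinction the text relies on (authentication identity versus authorization identity) is defined in RFC 4422. The matching entity declarations must also exist in the XML prologue or the xml2rfc build of draft-wibrown-ldapssotoken-00 driven by the Makefile will fail on an undefined entity; the prologue hunk `@@ -1,6 +1,7 @@` adds only a single line, so check that both entities are declared.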