Authentication and authorization identifiers

by Neil Schneider last modified 2005-05-04 19:23

Next: Realms Up: SASL Previous: What SASL is

An important concept to become familiar with is the difference between an "authorization identifier" and an "authentication identifier".

The transmitted authorization identity may be different from the identity in the client's authentication credentials. This permits agents such as proxy servers to authenticate using their own credentials, yet request the access privileges of the identity for which they are proxying. With any mechanism, transmitting an authorization identity of the empty string directs the server to derive the authorization identity from the client's authentication credentials.

userid
(user id, authorization id) The userid is the identifier an application uses to check what the user is allowed to do. There might exist on the server a user "doe" (the account of John Doe) allowed to write to "/home/doe" and its subdirectories but not to "/etc".
authid
(authentication id) The authentication identifier is the identity whose credentials are being checked. "doe"'s password might be "grep45", and the system will authenticate anyone who knows "grep45" as "doe". However, it is possible to authenticate as one user but act as another. For instance, John might be away on vacation and assign one of his assistants, Jane, to read his mail. He can allow Jane to act as him merely by having her supply her own id and password for authentication while requesting authorization as "doe". So Jane would log in with an authentication identifier of "jane", an authorization id of "doe", and her own (Jane's) password. Anyone familiar with sudo will see the similarity.
Applications can set their own proxy policies; by default, the SASL library only allows a user to act as itself (that is, userid must equal authid).
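The following is an added example, not code from the original page or from the SASL library, showing how a server separates the two identifiers and applies a proxy policy. It uses the SASL PLAIN client message format (authzid, NUL, authcid, NUL, password) as the concrete carrier, and the credential store, the password values and the `MAIL_APP_POLICY` table are constructed for illustration. An empty policy table reproduces the library default described above (userid must equal authid); the mail-application policy lets "jane" authenticate with her own password and be authorized as "doe".

```python
import hmac
from typing import Optional

# Constructed credential store: authentication identifier -> password.
# Illustrative plaintext values only; a real store would hold salted hashes.
PASSWORDS = {"doe": "grep45", "jane": "jane-secret"}

# Proxy policy: authid -> set of userids that authid may act as.
# An empty table is the SASL default: a user may only act as itself.
DEFAULT_POLICY: dict[str, set[str]] = {}
# Constructed application policy: John lets his assistant Jane read his mail.
MAIL_APP_POLICY: dict[str, set[str]] = {"jane": {"doe"}}


def parse_plain(message: bytes) -> tuple[str, str, str]:
    """Split a SASL PLAIN client message into (authzid, authid, password).

    PLAIN format: [authzid] NUL authcid NUL passwd. The authzid (the
    requested userid) may be empty; the authcid and password may not.
    """
    parts = message.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN message: expected exactly two NUL separators")
    authzid, authid, password = (p.decode("utf-8") for p in parts)
    if not authid or not password:
        raise ValueError("authcid and password must be non-empty")
    return authzid, authid, password


def authorize(authid: str, requested_userid: str,
              policy: dict[str, set[str]]) -> Optional[str]:
    """Return the effective userid, or None if the proxy request is refused."""
    if requested_userid == "":
        # Empty authzid: derive the userid from the authentication credentials.
        return authid
    if requested_userid == authid:
        # Acting as oneself never needs a proxy policy entry.
        return authid
    if requested_userid in policy.get(authid, set()):
        # The application's proxy policy explicitly allows authid -> userid.
        return requested_userid
    return None


def sasl_plain_login(message: bytes,
                     policy: dict[str, set[str]] = DEFAULT_POLICY) -> Optional[str]:
    """Authenticate the authid from a PLAIN message, then apply the proxy policy.

    Returns the userid the application should use for access checks,
    or None if either authentication or authorization fails.
    """
    authzid, authid, password = parse_plain(message)
    stored = PASSWORDS.get(authid)
    # Constant-time comparison so the check does not leak password length/prefix.
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return None  # authentication failed: the authid's credentials are wrong
    return authorize(authid, authzid, policy)


if __name__ == "__main__":
    # John logs in as himself; the empty authzid is derived from the authid.
    print(sasl_plain_login(b"\x00doe\x00grep45"))                    # doe
    # Jane asks to act as doe under the default policy: refused.
    print(sasl_plain_login(b"doe\x00jane\x00jane-secret"))           # None
    # Same request under the mail application's proxy policy: granted.
    print(sasl_plain_login(b"doe\x00jane\x00jane-secret", MAIL_APP_POLICY))  # doe
```

The two identifiers are checked in sequence: the password proves the authid, and only then does the proxy policy decide whether that authid may hold the requested userid. A wrong password is rejected before any policy lookup, so a permissive policy never substitutes for authentication.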
