On Feb 2, 2007, at 9:06 AM, Dave Cridland wrote:
> In practice, they're really only distinct namespaces in LDAP.
and, in LDAP, they generally should not match... if they do, it's likely better not to send the authzid (to avoid sending a malformed LDAP authzId).

The only (rare) case where this would be bad is when !strcmp(authcid,authzid) but USER(authcid) != USER(authzid). That is, authcid="u:foo", authzid="u:foo", but the user represented by the authcid is not the same as the user represented by the authzid.

-- Kurt
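The rare case described in the message above, as an added C example that is not part of the original message or of any LDAP implementation. All function names are hypothetical; it assumes the server treats the authcid as a bare user name, reads an authzid of the form "u:<userid>" as naming <userid>, and falls back to the authcid's user when no authzid is sent.

```c
#include <stddef.h>
#include <string.h>

/* Client-side rule from the message: omit the authzid when it is
 * byte-identical to the authcid. NULL means "do not send one". */
const char *authzid_to_send(const char *authcid, const char *authzid)
{
    if (authzid == NULL || *authzid == '\0')
        return NULL;
    if (strcmp(authcid, authzid) == 0)
        return NULL;
    return authzid;
}

/* Assumption: the authcid namespace is bare user names, so the
 * authcid "u:foo" is a user whose name is literally "u:foo". */
const char *user_of_authcid(const char *authcid)
{
    return authcid;
}

/* Assumption: only the "u:<userid>" authzId form is handled here;
 * anything else (including "dn:" forms) yields NULL. */
const char *user_of_authzid(const char *authzid)
{
    if (authzid != NULL && strncmp(authzid, "u:", 2) == 0 && authzid[2] != '\0')
        return authzid + 2;
    return NULL;
}

/* Returns 1 when the omit-if-equal rule drops an authzid that named a
 * different user than the one the server derives from the authcid. */
int omission_changes_identity(const char *authcid, const char *authzid)
{
    const char *wanted = user_of_authzid(authzid);

    if (wanted == NULL)
        return 0;                       /* nothing we can interpret */
    if (authzid_to_send(authcid, authzid) != NULL)
        return 0;                       /* authzid is sent unchanged */
    /* Omitted: the server authorizes as USER(authcid) instead. */
    return strcmp(user_of_authcid(authcid), wanted) != 0;
}
```

A client that needs to detect this case has to compare the identities each string represents, not the strings themselves.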