[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Bug in LDAP_CONTROL_PROXY_AUTHZ (ITS#2871)

To: openldap-its@OpenLDAP.org
Subject: Re: Bug in LDAP_CONTROL_PROXY_AUTHZ (ITS#2871)
From: igor@ipass.net
Date: Sat, 13 Dec 2003 20:52:06 GMT

On Sat, 13 Dec 2003, Pierangelo Masarati wrote:

> > The parsing of authzid works as expected, however slap_sasl_getdn()
> > generates DN of the uid=<userid>,cn=<realm),cn=auth form, rather than
> > uid=<userid>,cn=<realm>,cn=<mech>,cn=auth.  This causes problems with
> > existing sasl-regexps which expect <mech> in place of <realm> as
> > described in slapd.conf.  I hope this explains better.  It seems to me
> > the internal sasl operation does not require mech, therefore
> > slap_sasl_getdn()  cannot set cn=<mech> properly in the sasl DN.
>
> I need to correct myself.  The code should use the same mech
> that was used to authenticate the authc id; apparently, a simple
> bind took place instead of a sasl bind.  I wonder i this is
> the correct behaviour, though.  In fact, I'm not sure it is
> correct that the authz id inherits the same mec of the authc id,
> because another operation (the proxyAuthz) intercurred.
> As such, we could add the "authz" mechanism to the sasl id,
> at least if none is present.
>
> In any case, you shuld check whether a sasl bind takes place.
>

It does use sasl bind.  In my case I used digest-md5.

-- 
Igor

Prev by Date: Re: Bug in LDAP_CONTROL_PROXY_AUTHZ (ITS#2871)
Next by Date: Re: Bug in LDAP_CONTROL_PROXY_AUTHZ (ITS#2871)
Index(es):
- Chronological
- Thread