
RE: SASL LDAP plugin



At 03:35 PM 2002-06-13, Howard Chu wrote:
>> -----Original Message-----
>> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
>> At 01:54 PM 2002-06-13, Howard Chu wrote:
>
>> okay, then maybe a "who be this?" operation (like whoami but
>> asks the question "what DN is associated with this (provided)
>> identity?").
>> 
>> >, so this isn't quite enough. How about a new control
>> >mapNameToDN that can accompany any operation, and causes the server to
>> >perform the SASL name mapping steps on the request's dn/basedn before
>> >handling the request?
>> 
>> Basically, you'd have a control which would contain an 
>> authentication or authorization identity (in authzid form).
>> The control should be marked critical and the base/target
>> DN should be empty.  Semantically, the DN associated with
>> the provided authzid is used as the base/target DN of the
>> operation.
>
>That sounds good to me. One more question in my mind; this feels like
>a control that the frontend should handle, but if we're operating thru a
>back-ldap proxy then I'd want to leave it for the backend. 

The control must be managed by the frontend (with calls into
backend as needed)... there's no DN.

>I presume since you say "in authzid form" that the name must have a "u:"
>or "dn:" prefix?

Yes.  But in this case, a simple username may be appropriate.
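
The control semantics discussed in this message, as an added Python example (not OpenLDAP code and not written by either poster): the frontend refuses the control unless it is critical and the base/target DN is empty, then maps the authzid to the DN the operation will use. Assumptions: the function names, the dict layout of the control, the single mapping rule and the simplified `uid=<user>,cn=auth` intermediate DN are constructed for illustration, and only the prefixed `u:`/`dn:` forms are handled.

```python
import re

# Constructed mapping rule in the style of a SASL name-mapping regexp
# (pattern and target DN are assumptions, not taken from the thread).
SASL_REGEXP = [(re.compile(r"^uid=([^,]+),cn=auth$", re.I),
                r"uid=\1,ou=people,dc=example,dc=com")]

# Characters that would alter the structure of a DN if copied in unescaped.
DN_SPECIALS = set(',+"\\<>;=#')

class ControlRejected(Exception):
    """The request must fail: a critical control cannot be silently ignored."""

def authzid_to_dn(authzid):
    """Map an authzid ("dn:<dn>" or "u:<user>") to a DN, or raise."""
    if authzid.startswith("dn:"):
        dn = authzid[3:]
        if not dn:
            raise ControlRejected("empty DN in authzid")
        return dn
    if authzid.startswith("u:"):
        user = authzid[2:]
        # Refuse names that could smuggle extra RDNs into the mapped DN.
        if not user or DN_SPECIALS & set(user):
            raise ControlRejected("unusable username in authzid")
        sasl_dn = "uid=%s,cn=auth" % user  # simplified intermediate form
        for pattern, target in SASL_REGEXP:
            if pattern.match(sasl_dn):
                return pattern.sub(target, sasl_dn)
        raise ControlRejected("no mapping for " + sasl_dn)
    raise ControlRejected("authzid needs a dn: or u: prefix")

def effective_base_dn(request_dn, control):
    """Frontend step: settle the base/target DN before a backend is selected.

    control is None or a dict {"criticality": bool, "authzid": str}.
    """
    if control is None:
        return request_dn
    if not control["criticality"]:
        raise ControlRejected("control must be marked critical")
    if request_dn != "":
        raise ControlRejected("base/target DN must be empty with this control")
    return authzid_to_dn(control["authzid"])
```

Rejecting a non-empty base DN keeps a request from carrying two competing targets, and rejecting DN metacharacters in the `u:` form keeps the mapped DN under the intended subtree.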