
Re: commit: ldap/tests/scripts test028-idassert conf.sh defines.sh



At 08:39 AM 6/19/2004, Pierangelo Masarati wrote:
>Kurt D. Zeilenga wrote:
>
>>At 06:14 AM 6/19/2004, Pierangelo Masarati wrote:
>> 
>>
>>>ando@OpenLDAP.org wrote:
>>>
>>>   
>>>
>>>>Added Files:
>>>>      test028-idassert  NONE -> 1.1
>>>>
>>>>     
>>>I just found out that native SASL authz doesn't work with CRAM-MD5,
>>>i.e. the bound identity remains that of the incoming authcDN;
>>>with DIGEST-MD5 the bound identity is turned into that of the authzDN
>>>specified via SASL.  I'm not so familiar with SASL details, but I thought
>>>the authz did not depend on the specific mech.
>>>   
>>
>>Not all SASL mechanisms support proxy authorization...
>> 
>I guessed something like that, and I was going to look for a means to detect
>what mechs support it, because the idassert code currently assumes that when
>configured to use SASL method authz will be done natively by SASL.

I suggest you just hardcode it for DIGEST-MD5 (and skip if
not available).  Maybe support PLAIN as well (but you'll
have to configure both client & server to allow it without
TLS).
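As an added example, not part of this thread nor of the OpenLDAP test suite, here is a small POSIX sh sketch of the suggestion above: read the server's supportedSASLMechanisms from the root DSE, pick DIGEST-MD5 (or PLAIN as a fallback) because those are the mechanisms named here as carrying proxy authorization, and skip the test when neither is advertised. The root DSE LDIF is a constructed sample; the URI, authcid and authzDN in the ldapwhoami line are placeholders, not values from test028.

```shell
#!/bin/sh
# Added example: decide whether a SASL proxy-authorization (idassert) test
# can run, in the spirit of "hardcode DIGEST-MD5 and skip if not available".

# mech_supported MECH "<ldif>": true when MECH appears among the
# supportedSASLMechanisms values of a root DSE search result (LDIF as
# printed by ldapsearch).
mech_supported() {
    mech="$1"
    ldif="$2"
    printf '%s\n' "$ldif" \
        | sed -n 's/^supportedSASLMechanisms: *//p' \
        | grep -qx "$mech"
}

# pick_authz_mech "<ldif>": print the first mechanism in preference order
# (DIGEST-MD5, then PLAIN, the two named in the thread as supporting
# proxy authorization) that the server advertises; return 1 if none does.
pick_authz_mech() {
    ldif="$1"
    for m in DIGEST-MD5 PLAIN; do
        if mech_supported "$m" "$ldif"; then
            printf '%s\n' "$m"
            return 0
        fi
    done
    return 1
}

# Constructed sample of what
#   ldapsearch -LLL -H "$URI1" -s base -b '' supportedSASLMechanisms
# might print for a server offering CRAM-MD5 and DIGEST-MD5 only.
SAMPLE_ROOTDSE='dn:
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5
'

# Placeholders (assumptions, not test028 values): the server URI and the
# identities used for the proxy-authorization bind.
URI1='ldap://localhost:PORT-PLACEHOLDER/'
AUTHCID='placeholder-authcid'
AUTHZDN='dn:cn=placeholder-authzDN,dc=example,dc=com'

# Top-level demonstration: either show the ldapwhoami call that would bind
# with -Y MECH as AUTHCID (-U) and request authorization as AUTHZDN (-X),
# whose output should name the authzDN if proxy authz really took effect,
# or report the skip.  The call itself is only echoed here.
if mech=$(pick_authz_mech "$SAMPLE_ROOTDSE"); then
    echo "would run: ldapwhoami -H $URI1 -Y $mech -U $AUTHCID -X $AUTHZDN -w PASSWORD-PLACEHOLDER"
else
    echo ">>>>> no SASL mechanism with proxy authorization support; test skipped"
fi
```

Keeping the mechanism list explicit (rather than trusting any advertised mechanism) is the point: a bind with CRAM-MD5 succeeds but, as the thread observes, leaves the authcDN bound, so a test that "passes" on it would not be exercising idassert at all.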