Re: commit: ldap/tests/scripts test028-idassert conf.sh
Quanah Gibson-Mount wrote:

I've finally gotten to the point where I would like to start testing
back-ldap with SASL.

One of my initial concerns in reading the man page in 2.3.1 alpha is
that the acl-authcDN that is used to query the ACL's from the target
server appears to only support simple binds. In Stanford's
environment, we don't support simple binds at all, which means I have
no way of letting back-ldap (or back-meta) query the target server for
the ACL information.

However, I understand my reading of this may be entirely incorrect,
and that there is a way to set the acl-authcDN and combine that with
the idassert feature so that a SASL mech can be used to do the bind
to the target server for ACL information. Can you let me know if I'm
incorrect in my assumption on the simple bind?

In short, currently acl-authcDN only does simple bind; I was planning to
port the SASL stuff of idassert to it, but I haven't done it yet, and I
don't think I'll do it shortly, essentially because I'd like first to merge
the identity configuration stuff with back-config's, since there might
be a lot of commonality. If you want to play with SASL auth for
back-ldap, I could prepare a quick fix, so that you can start and see if
it fits your needs (I have no idea whether the idassert SASL authc works
with GSSAPI).
p.
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497