
Re: commit: ldap/tests/scripts test028-idassert conf.sh





--On Monday, March 14, 2005 8:49 PM +0100 Pierangelo Masarati <ando@sys-net.it> wrote:

Quanah Gibson-Mount wrote:

I've finally gotten to the point where I would like to start testing
back-ldap with SASL.

One of my initial concerns in reading the man page in 2.3.1 alpha is
that the acl-authcDN that is used to query the ACLs from the target
server appears to only support simple binds.  In Stanford's
environment, we don't support simple binds at all, which means I have
no way of letting back-ldap (or back-meta) query the target server for
the ACL information.

However, I understand my reading of this may be entirely incorrect,
and that there is a way to set the acl-authcDN and combine that with
the idassert feature so that a SASL mech can be used to do the bind
to the target server for ACL information.  Can you let me know if I'm
incorrect in my assumption on the simple bind?


In short, currently acl-authcDN only does simple bind; I was planning to
port the SASL stuff of idassert to it, but I haven't done it yet, and I
don't think I'll do it shortly, essentially because I'd like first to merge
the identity configuration stuff with back-config's, since there might be
a lot of commonality.  If you want to play with SASL auth for back-ldap,
I could prepare a quick fix, so that you can start and see if it fits
your needs (I have no idea whether the idassert SASL authc works with
GSSAPI).

Pierangelo,

I'd be happy to play with a quick fix, and see if I can get everything playing nicely together. It at least would be a good proof-of-concept. :)

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html