
Re: authz-regexp without SASL



At 09:01 AM 7/2/2005, Hallvard B Furuseth wrote:
>Kurt D. Zeilenga writes:
>>At 01:57 PM 7/1/2005, Hallvard B Furuseth wrote:
>>> authz-regexp (OpenLDAP 2.3) seems to only work for SASL.
>>> I note it was called sasl-regexp before.
>>
>> Yes, because it was originally just for mapping SASL authorization
>> identities.  Now it can map some additional authorization
>> identities, such as when using the proxied authorization control.
>>
>>> Will it be changed to work for Simple Bind?
>>
>> Well, it could be changed to map the authenticated
>> identity, which normally becomes the authorization
>> identity, to some other authorization identity.
>> One likely could do that with an overlay.
>
>OK.  But then the doc should be changed to say when authz-regexp
>is used.  The current doc gives the impression that it always is.

Personally, I have no problem with applying authzid-regexp
to the authenticated (*) simple bind DN here.   This, in
some odd way, makes the feature more symmetric.  That is, DNs
produced via both SASL bind and simple bind would be
mappable.

One use I can see is where one has one backend providing
authentication information and one backend providing the
user's person object and one wants to use the DN of the
person object as the authorization identity.

(* mapping the simple bind DN prior to authentication
should be done via other means)

>>>   authz-regexp "^.*" "uid=hbf,cn=people,dc=uio,dc=no"
>>> does not let anyone log in with my password and access:-)
>>
>> Wouldn't this mean that any authenticated user would act
>> as the "uid=hbf,cn=people,dc=uio,dc=no" authorization identity?
>
>Ah.  I got confused by "Used by the authentication framework" in
>the doc.  Maybe that should be "by the authorization framework"?

I think of the authentication framework as encompassing establishment
of the identity to use in authorization decisions.  While these
decisions take place within an authorization framework, mapping
of authentication identities to authorization identities
takes place within the authentication framework.

There might be some confusion by the use of the word
"simple" in "simple user names".  It's not intended to refer
to simple bind user names but to user names of uAuthzid's
userid form [RFC2829] (after they have been mapped into
a DN).

But I agree that the text needs some work...

Kurt
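The point Kurt makes about "^.*" (every authenticated user ends up acting as uid=hbf) is easy to check before a rule set goes into slapd.conf. The following is an added example, not code from this thread or from OpenLDAP itself: a small Python model of slapd's authz-regexp matching for the DN replacement form (rules tried in order, first match wins, $N filled from the capture groups). The rule sets, the realm names (uio.no / UIO.NO) and the sample uid=...,cn=auth identities are constructed for the example; the ldap:/// URL replacement form is not modelled.

```python
import re

# Constructed authz-regexp rule sets, written as (pattern, replacement) pairs
# the way slapd.conf "authz-regexp <pattern> <replacement>" lines would be
# read. They are this example's assumptions, not rules from any real server.
OVERLY_BROAD_RULES = [
    # The rule quoted in the thread: "^.*" matches every authorization id.
    ("^.*", "uid=hbf,cn=people,dc=uio,dc=no"),
]

ANCHORED_RULES = [
    # Only a DIGEST-MD5 identity from one realm is mapped; $1 is the captured
    # user name, following slapd's $N replacement syntax.
    (r"^uid=([^,]+),cn=uio\.no,cn=digest-md5,cn=auth$",
     r"uid=$1,cn=people,dc=uio,dc=no"),
    # The same for a GSSAPI principal in that realm (constructed realm name).
    (r"^uid=([^,]+),cn=UIO\.NO,cn=gssapi,cn=auth$",
     r"uid=$1,cn=people,dc=uio,dc=no"),
]

# Constructed SASL authorization identities in the uid=...,cn=auth form that
# slapd builds before any authz-regexp rule is applied.
SAMPLE_AUTHZIDS = [
    "uid=hbf,cn=uio.no,cn=digest-md5,cn=auth",
    "uid=kurt,cn=uio.no,cn=digest-md5,cn=auth",
    "uid=someone,cn=other.example,cn=digest-md5,cn=auth",
]


def map_authzid(authzid, rules):
    """Apply authz-regexp rules the way slapd does for the DN replacement
    form: rules are tried in order, the first match wins, and $N in the
    replacement is filled from capture group N. Returns None when no rule
    matches, meaning the identity keeps its uid=...,cn=auth form and gets
    no mapped DN. (The ldap:/// URL form, which triggers a search, is not
    modelled here.)"""
    for pattern, replacement in rules:
        match = re.search(pattern, authzid)
        if match is None:
            continue

        def fill(group_ref):
            index = int(group_ref.group(1))
            if index > len(match.groups()):
                return ""
            return match.group(index) or ""

        return re.sub(r"\$(\d)", fill, replacement)
    return None


def collapsed_identities(rules, authzids):
    """Review check: return every mapped DN that more than one distinct
    authorization identity lands on, with the identities that collapse into
    it. An empty dict means each mapped identity keeps its own DN."""
    by_dn = {}
    for authzid in authzids:
        dn = map_authzid(authzid, rules)
        if dn is not None:
            by_dn.setdefault(dn, []).append(authzid)
    return {dn: ids for dn, ids in by_dn.items() if len(ids) > 1}


if __name__ == "__main__":
    for name, rules in (("overly broad", OVERLY_BROAD_RULES),
                        ("anchored", ANCHORED_RULES)):
        print(f"--- {name} rules ---")
        for authzid in SAMPLE_AUTHZIDS:
            print(f"{authzid} -> {map_authzid(authzid, rules)}")
        print("collapsed:", collapsed_identities(rules, SAMPLE_AUTHZIDS))
```

Running it shows the two behaviours side by side: under OVERLY_BROAD_RULES all three sample identities collapse onto uid=hbf's DN, while under ANCHORED_RULES hbf and kurt each get their own person DN and the identity from the foreign realm is left unmapped, so it carries only whatever rights the ACLs grant to an unmapped uid=...,cn=auth identity.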