back-sock and Proxy Authz or SASL Authz-Name
- To: openldap-software@OpenLDAP.org
- Subject: back-sock and Proxy Authz or SASL Authz-Name
- From: Michael Ströder <michael@stroeder.com>
- Date: Fri, 04 Dec 2009 17:07:22 +0100
- User-agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.23) Gecko/20090823 SeaMonkey/1.1.18
Hi!
We are currently testing a custom OpenLDAP setup where specific modify requests
are handled via back-sock (redirected via slapo-rwm) by a handler implemented
in Python. These modify requests are checked and then passed to the real
database backend (back-hdb) on behalf of the user bound to slapd. This works
by looking at the line (binddn: ) passed to the handler by back-sock.
But now there's a requirement for proxy authorization. The web application binds
via SASL bind DIGEST-MD5 and explicitly sets the authzid in the SASL bind
request which is mapped via authz-regexp to an authz-DN. This setup seems to
work (tested with the command-line tool ldapwhoami -X authzid) but the authz-DN is
not passed to the back-sock handler. binddn: still contains the bind-DN of the
web application.
Is this feasible at all? If not, which parts of back-sock would have to be
patched to make that work?
Ciao, Michael.
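For readers unfamiliar with what a back-sock handler actually receives, here is an added illustration (not code from the post or from OpenLDAP) of the handler side: it parses one MODIFY request in the line format slapd-sock(5) describes, reads the `binddn:` meta-line that back-sock adds when its `extensions binddn` option is configured, and decides from that line alone whether to answer with an LDAP result. The sample request, the allowed-DN list and the function names are constructed assumptions; forwarding the accepted change to the real backend is deliberately not shown.

```python
# back-sock MODIFY request format per slapd-sock(5):
#   MODIFY / msgid: / [binddn: ...] / suffix: ... / dn: ...
#   then one or more changes: <add|delete|replace>: <attr>, <attr>: <value>..., "-"
#   terminated by a blank line.
def parse_sock_modify(raw: str) -> dict:
    """Parse one back-sock MODIFY request into a dict (assumed layout above)."""
    lines = raw.split("\n")
    if lines[0] != "MODIFY":
        raise ValueError("not a MODIFY request: %r" % lines[0])
    req = {"op": "MODIFY", "suffix": [], "changes": []}
    i = 1
    # Header / meta lines ("key: value") until the first change keyword.
    while i < len(lines) and lines[i] != "":
        key, _, val = lines[i].partition(": ")
        if key in ("add", "delete", "replace"):
            break
        if key == "suffix":
            req["suffix"].append(val)
        else:
            req[key] = val  # msgid, dn, binddn, ...
        i += 1
    # Change list: operation line, attribute values, "-" separator.
    while i < len(lines) and lines[i] != "":
        modop, _, attr = lines[i].partition(": ")
        values = []
        i += 1
        while i < len(lines) and lines[i] not in ("-", ""):
            values.append(lines[i].partition(": ")[2])
            i += 1
        req["changes"].append((modop, attr, values))
        i += 1  # skip the "-"
    return req

def sock_result(code: int, info: str = "") -> str:
    """Build the RESULT response back-sock reads; a blank line terminates it."""
    out = "RESULT\ncode: %d\n" % code
    if info:
        out += "info: %s\n" % info
    return out + "\n"

def authorize(req: dict, allowed_binddns) -> str:
    """Return a RESULT string: 50 (insufficientAccessRights) unless binddn is allowed.
    Note: only binddn is visible here; a SASL authzid is not reported by back-sock."""
    if req.get("binddn") not in allowed_binddns:
        return sock_result(50, "modify not permitted for %s" % req.get("binddn"))
    return sock_result(0)  # accepted; forwarding to back-hdb would happen here

# Constructed sample request, as back-sock with "extensions binddn" would send it.
SAMPLE = ("MODIFY\nmsgid: 7\nbinddn: cn=webapp,ou=services,dc=example,dc=com\n"
          "suffix: dc=example,dc=com\ndn: uid=alice,ou=people,dc=example,dc=com\n"
          "replace: mail\nmail: alice@example.com\n-\n\n")
```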