
Re: SASL bind: no authcid->DN conversion - group ACLs do not work (ITS#891)

On Wed, Nov 15, 2000 at 11:40:22AM -0500, Mark Adamson wrote:

> OK, I thought this was for Joe User running ldapsearch or somesuch. It is
> an interesting problem, telling each client how to obtain the SASL name
> and map it to a DN. The SASL name can be had from sasl_getprop(), but that
> will not be available at the time of first calling the bind, only
> afterwards. 

As I understand the current code it is enough if this information is
available when the SASL bind is finished, so it should not be a problem.

> What you want, and it sure sounds dandy, is to be able to send a SASL
> authorize request with the bind, saying authorize to something like
> "cn=self,cn=authz", and have the server use its SASL regexp code to
> generate the user's DN based on the SASL name it has. That way, the
> rules for converting usernames to DN's are stored on the server, and each
> client need not be taught the rules.

Exactly. The less the client needs to know about the whole process, the
better. A "smart server setup, dumb clients" environment is much easier
to build up than a "not-so-smart server and smart clients" environment.


Gabor Gombas                                       Eotvos Lorand University
E-mail: gombasg@inf.elte.hu                        Hungary
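The server-side mapping the two of them are describing, as an added example that is not part of this thread and not OpenLDAP's own code: the client binds with only its SASL identity (plus, optionally, the "cn=self,cn=authz" marker proposed above), and the server owns the regexp rules that turn the SASL name into a DN, which is what a group ACL then needs to compare against. The rule list syntax, the `AUTHZ_SELF` marker, the example DNs and the group entry are all constructed here; only the `uid=<authcid>,cn=<mech>,cn=auth` form of the SASL name follows what slapd builds.

```python
import re

# Constructed mapping table in the spirit of slapd's regexp-based SASL name to
# DN rules. Assumption: the page does not show the directive syntax, so this is
# a plain (pattern, template) list rather than a slapd.conf fragment.
# slapd presents the authenticated SASL name as "uid=<authcid>,cn=<mech>,cn=auth".
MAPPING_RULES = [
    (r"uid=([^,]+),cn=digest-md5,cn=auth", r"uid=\1,ou=people,dc=example,dc=com"),
    (r"uid=([^,]+),cn=gssapi,cn=auth",     r"uid=\1,ou=people,dc=example,dc=com"),
]

# Hypothetical marker from the thread: "authorize to myself, server decides the DN".
AUTHZ_SELF = "cn=self,cn=authz"


def sasl_name_to_dn(sasl_name, rules=MAPPING_RULES):
    """Return the DN produced by the first rule whose pattern matches the
    WHOLE SASL name, or None if no rule applies.

    fullmatch (rather than search) is the defensive choice: a rule must not
    fire on a substring, otherwise a crafted authcid could be steered into
    a DN that belongs to someone else."""
    for pattern, template in rules:
        m = re.fullmatch(pattern, sasl_name, flags=re.IGNORECASE)
        if m:
            return m.expand(template)
    return None


def resolve_bind_dn(authcid, mech, authzid=None):
    """Server-side resolution after a successful SASL bind.

    The client supplies only its SASL identity (and optionally AUTHZ_SELF);
    the conversion rules live on the server. Proxy authorization to some
    other identity is refused here, since that needs its own policy check."""
    sasl_name = f"uid={authcid},cn={mech},cn=auth"
    if authzid not in (None, "", AUTHZ_SELF):
        raise PermissionError("proxy authorization to another identity is not enabled")
    return sasl_name_to_dn(sasl_name)


# Constructed group entry: a group ACL can only be evaluated once the bind
# has yielded a DN to compare against the member list.
GROUP_MEMBERS = {"uid=joe,ou=people,dc=example,dc=com"}


def group_acl_allows(bound_dn, members=GROUP_MEMBERS):
    """True if the bound DN is a member of the group; an unmapped bind
    (bound_dn is None) is always denied."""
    if bound_dn is None:
        return False
    return bound_dn.lower() in {m.lower() for m in members}


if __name__ == "__main__":
    dn = resolve_bind_dn("joe", "DIGEST-MD5", AUTHZ_SELF)
    print("bound as:", dn, "group ACL:", group_acl_allows(dn))
    print("unmapped mechanism:", resolve_bind_dn("joe", "PLAIN"))
```

The point the thread makes is visible in `resolve_bind_dn`: nothing about the directory layout reaches the client, so changing `MAPPING_RULES` on the server re-maps every client at once. Whatever rule language a real server uses, the rules should be anchored to the full SASL name, as `fullmatch` does here, and any authzid other than "self" should go through an explicit proxy-authorization policy rather than being rewritten blindly.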