
Re: SASL support in back-ldap & back-meta (ITS#3022)



Actually, I'm not sure this can be done; on the other hand, back-ldap
already supports the proxyAuthz control, which is purposely intended to
allow auth propagation between DSAs.  Could this be of use?  To exploit
it, the remote server must support the control as well, and back-ldap
needs to be compiled with the LDAP_BACK_PROXY_AUTHZ macro defined.  Don't
know anything about AD support for this control, though.

For explicit referral chasing, back-ldap supports proxy chaining,
again via proxyAuthz control.  I suppose proxyAuthz is intended
to become the standard way to propagate authids in a controlled manner.

To use it, you need to compile back-ldap by --enable-ldap; then add to any
database the following directives:

overlay chain
uri ldap://<referred hostport>/

and anything else you might need.  I'm still playing with it, I might
write a FAQ if I get to something.

Of course, for your purpose, back-ldap should allow SASL bind for the
rootdn, or other administrative users, while now only simple bind can be
used.  I have no idea how practical this would be.

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
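
An added configuration example, not part of the message above and not the
project's own documentation, showing the chaining setup the message
describes with the client's identity propagated by the proxyAuthz control.
It assumes the chain-* directive syntax of later slapo-chain releases
(OpenLDAP 2.3 and newer) rather than the bare `uri` directive quoted in the
message; the host names, DNs and credentials are placeholders.

```conf
# --- Proxy side: the slapd that holds the referring database ---
# The chain overlay sits inside the database section whose referrals
# should be followed; other database directives are omitted here.
overlay         chain
chain-uri       "ldap://ldap2.example.com/"
# Bind to the remote server as a proxy identity (simple bind, as the message
# notes is all back-ldap supports for its administrative identity), then
# assert the identity of the client that bound to the proxy (mode=self)
# via the proxyAuthz control on every chained operation.
chain-idassert-bind bindmethod="simple"
                    binddn="cn=proxy,dc=example,dc=com"
                    credentials="secret"
                    mode="self"
# Report the remote server's result to the client instead of the referral.
chain-return-error TRUE

# --- Remote side (ldap2.example.com) ---
# The remote server must accept the control: enable "to"-style
# authorization and grant cn=proxy the right to assert other identities.
authz-policy    to
# In the entry cn=proxy,dc=example,dc=com (loaded as data, not slapd.conf):
#   authzTo: dn.regex:^uid=[^,]+,ou=people,dc=example,dc=com$
```

The authzTo value is the trust boundary: whatever it matches, the proxy can
impersonate on the remote server, so it should be limited to the users the
proxy legitimately serves rather than a catch-all pattern. Without the
authz-policy and authzTo settings the remote server rejects the control and
chained operations fail, which is the "remote server must support the
control as well" condition from the message.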