[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: SASL support in back-ldap & back-meta (ITS#3022)

> -----Original Message-----
> From: owner-openldap-bugs@OpenLDAP.org
> [mailto:owner-openldap-bugs@OpenLDAP.org]On Behalf Of ando@sys-net.it

> Actually, I'm not sure this can be done; on the other hand, back-ldap
> already supports the proxyAuthz control, which is purposely
> intended to
> allow auth propagation between DSAs.  Could this be of use?
> To exploit
> it, the remote server must support  the control as well, and back-ldap
> needs to be compiled with the LDAP_BACK_PROXY_AUTHZ macro
> defined.  Don't
> know anything about AD support for this control, though.

Right, the strong authentication mechanisms cannot be transparently
propagated. However, for the SASL mechs that use in-directory passwords,
back-ldap can supply them as well as any other backend.

> Of course, for your purpose, back-ldap should allow SASL bind for the
> rootdn, or other administrative users, while now only simple
> bind can be
> used.  I have no idea how practical this would be.

I think the only thing we could add here is SASL Binds for the
rootdn/administrative user.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support