[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#6817) idassert-bind with SASL issues

Full_Name: Pierangelo Masarati
Version: HEAD/re24
OS: irrelevant
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (
Submitted by: ando

When idassert-bind is configured to use SASL bind, an "authcID" needs to be
provided, while the "binddn" is not needed.  However, if a "binddn" is not
provided as well, in some cases the proxiedAuthz control may be used
incorrectly.  The need to configure the "binddn" is not documented, so this ITS
is minimally addressed by documenting this requirement.

If the "binddn" is provided, everything works as expected, with the only minor
issue that the DN of the user as it is known to back-meta may not match the
actual identity the "authcID" assumed on the remote server.  The "right" way to
address this problem consists in performing a "WhoAmI" (RFC 4532) right after
the bind, or better use a "authorization identity control" (RFC 3829) along with
the bind operation.  Both approaches should be implemented, but they should not
be used unless explicitly requested.