
Re: (ITS#8560) Proxy Authorization is mentioned as a SASL mech



Hi Quanah,

> Thanks for the report.  However, the EXTERNAL mechanism is in fact a
> SASL mechanism, just implemented directly in OpenLDAP (vs other SASL
> mechanisms that OpenLDAP supports via Cyrus-SASL).  The location in
> the admin guide is correct.

Yes, thanks, Howard also pointed that out, and I learnt.

>   If you read RFC 4370, Section 1 clearly notes that it is a part of
> SASL:
>
> "The Lightweight Directory Access
>   Protocol [LDAPV3] supports the use of the Simple Authentication and
>   Security Layer [SASL] for authentication and for supplying an
>   authorization identity distinct from the authentication identity,
>   where the authorization identity applies to the whole LDAP session."

Ehm, it doesn't actually state that Proxied Authz is part of SASL.  It
just continues to state that it is on a per-operation basis, and to me
it reads like an independent mechanism, at least as far as the protocol
is concerned.  Although it can be easily imagined that it were to share
(lots of) code with SASL EXTERNAL of course, but that would be an
implementation choice.  Or am I still not reading it correctly?

This is in fact what I was looking for; whether OpenLDAP supports this
per-operation Proxy Authz Control.  Aside from the above being properly
located, I am still missing a remark about it in the Manual.


Thanks,
 -Rick
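The point under discussion is that the RFC 4370 Proxied Authorization Control travels inside an individual LDAP request, so it can name a different authorization identity per operation, whereas a SASL authzid is fixed for the session at bind time. The following encoder/parser is an added example for this thread, not code from the OpenLDAP project or the ITS report. It uses only the Python standard library, contacts no server, and the identity values it constructs (cn=alice under dc=example,dc=com) are placeholders.

```python
"""Encode and parse the LDAP Proxied Authorization Control (RFC 4370).

Added example for illustration; not OpenLDAP code. Standard library only.
"""
from dataclasses import dataclass

# Control OID assigned by RFC 4370, section 3.
PROXY_AUTHZ_OID = "2.16.840.1.113730.3.4.18"


def _ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + _ber_len(len(content)) + content


def validate_authz_id(authz_id: str) -> str:
    """Accept only RFC 4513 5.2.1.8 authzId forms ("dn:<DN>" or "u:<userid>")
    or the empty string, which RFC 4370 defines as the anonymous identity."""
    if authz_id == "":
        return authz_id
    if authz_id.startswith(("dn:", "u:")):
        if authz_id.split(":", 1)[1] == "":
            raise ValueError("authzId has a prefix but no identity")
        return authz_id
    raise ValueError(f"authzId must start with 'dn:' or 'u:': {authz_id!r}")


def proxy_authz_control(authz_id: str) -> bytes:
    """Build Control ::= SEQUENCE { controlType, criticality, controlValue }.

    RFC 4370 requires criticality TRUE, and the controlValue is the raw
    authzId octets with no inner BER wrapper. The result is attached to the
    controls field of a single LDAPMessage, which is why it is per-operation.
    """
    validate_authz_id(authz_id)
    content = (
        _tlv(0x04, PROXY_AUTHZ_OID.encode("ascii"))  # LDAPOID is an OCTET STRING
        + _tlv(0x01, b"\xff")                        # criticality TRUE (mandatory)
        + _tlv(0x04, authz_id.encode("utf-8"))       # controlValue = authzId
    )
    return _tlv(0x30, content)


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Read one TLV at pos; return (tag, content, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


@dataclass
class Control:
    oid: str
    critical: bool
    value: bytes


def parse_control(raw: bytes) -> Control:
    """Parse a single LDAP Control; a server-side check would additionally
    require critical=True and a valid authzId for the proxy authz OID."""
    tag, seq, end = _read_tlv(raw, 0)
    if tag != 0x30 or end != len(raw):
        raise ValueError("not a single Control SEQUENCE")
    tag, oid, pos = _read_tlv(seq, 0)
    if tag != 0x04:
        raise ValueError("controlType must be an OCTET STRING")
    critical, value = False, b""
    if pos < len(seq) and seq[pos] == 0x01:      # criticality is OPTIONAL
        tag, flag, pos = _read_tlv(seq, pos)
        critical = flag != b"\x00"
    if pos < len(seq):                           # controlValue is OPTIONAL
        tag, value, pos = _read_tlv(seq, pos)
        if tag != 0x04:
            raise ValueError("controlValue must be an OCTET STRING")
    return Control(oid.decode("ascii"), critical, value)


if __name__ == "__main__":
    # Two requests in one session may carry two different identities.
    for who in ("dn:cn=alice,dc=example,dc=com", "u:bob", ""):
        print(who or "<anonymous>", "->", proxy_authz_control(who).hex())
```

Because the control is marked critical, a server that does not implement it must refuse the operation rather than silently run it as the bound identity; a parser like the one above is the natural place to enforce that on the receiving side.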