Re: SASL authentication for OpenLDAP (ITS#477)
Mark,
I took a moment to do a brief scan... here are a few additional
comments:
Command Line Args:
(Note my previous reply as far as choice of characters to use)
The Authorization Identity may or may not be a DN.
ldapsearch.c
s/authzdn/authzid/
ldap.h: ldap_negotiated_sasl_bind()
should not eliminate binddn as an argument. The routine should allow
independent specification of bindDN, authcId, and authzId.
Note: bind is usually NULL and authzId is often
NULL, but authcId is rarely NULL.
should remove the if(!authzId) authzId = authcId statement;
an empty authzId field should be sent instead.
options.c:
change should be extraneous
sasl.c
don't remove param error detection
s/"ldapserver"/"ldap"/ ("ldap" is the registered service name).
don't use gethostbyname(). Instead use addresses of established
connection. [This may require establishment of connection, we need
to add Wes's ldap_delayed_open() code from 1.2, it's more straightforward
than the devel delayed open code].
server:
The sasl_bind() call should be moved to the frontend...
[I've been meaning to do this, just haven't had time]
I also think we need to further discuss appropriate separation
of authentication identities, authorization identities, and
subject DN (for ACLs).
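An added illustration of the authzId/authcId point raised above (not code from the thread or from OpenLDAP): it encodes and decodes a SASL PLAIN initial response (RFC 4616 wire form `[authzid] NUL authcid NUL passwd`, assumed here as the mechanism) to show why the client sends an empty authzId field rather than copying authcId into it. The names `build_plain_response`, `parse_plain_response` and `effective_authzid` are hypothetical.

```python
from typing import Optional

# Constructed example. SASL PLAIN (RFC 4616) encodes the initial response as
#   [authzid] NUL authcid NUL passwd
# An absent authorization identity is an EMPTY first field; copying authcid
# into it produces a different message that asserts an explicit identity.
NUL = "\x00"


def build_plain_response(authcid: str, passwd: str,
                         authzid: Optional[str] = None) -> bytes:
    """Encode a PLAIN initial response with independent authcId and authzId.

    authcid is mandatory; authzid stays optional and is NOT defaulted to
    authcid (the "if(!authzId) authzId = authcId" pattern is avoided).
    """
    if not authcid or passwd is None:
        raise ValueError("authcid and password are required")  # keep param checks
    for field in (authzid or "", authcid, passwd):
        if NUL in field:
            raise ValueError("NUL is not allowed inside a PLAIN field")
    return f"{authzid or ''}{NUL}{authcid}{NUL}{passwd}".encode("utf-8")


def parse_plain_response(msg: bytes) -> dict:
    """Split a PLAIN response into its three fields, rejecting malformed input."""
    parts = msg.decode("utf-8").split(NUL)
    if len(parts) != 3:
        raise ValueError("PLAIN response must contain exactly two NUL separators")
    authzid, authcid, passwd = parts
    if not authcid:
        raise ValueError("authcid must not be empty")
    return {"authzid": authzid, "authcid": authcid, "passwd": passwd}


def effective_authzid(fields: dict) -> str:
    """Server-side rule from RFC 4616: an empty authzid means the client acts
    as the identity it authenticated as. The client never fills this in; the
    later mapping to a subject DN for ACLs is assumed to happen elsewhere."""
    return fields["authzid"] or fields["authcid"]
```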