
Re: SASL authentication for OpenLDAP (ITS#477)



Mark,

I took a moment to do a brief scan... here are a few additional
comments:

Command Line Args:
  (Note my previous reply as far as choice of characters to use)
  The Authorization Identity may or may not be a DN.

ldapsearch.c
  s/authzdn/authzid/

ldap.h: ldap_negotiated_sasl_bind()
  should not eliminate binddn as an argument.  The routine should
  allow independent specification of bindDN, authcId, and authzId.
  Note: it is usual for bind == NULL and authzId is often
  NULL, but authcId is rarely NULL.

  should remove the if(!authzId) authzId = authcId statement;
  an empty authzId field should be sent instead.

options.c:
  change should be extraneous

sasl.c
  don't remove param error detection

  s/"ldapserver"/"ldap"/  ("ldap" is the registered service name).

  don't use gethostbyname().  Instead use addresses of the established
  connection. [This may require establishment of the connection; we need
  to add Wes's ldap_delayed_open() code from 1.2, it's more straightforward
  than the devel delayed open code].


server:
  The sasl_bind() call should be moved to the frontend...
  [I've been meaning to do this, just haven't had time]


I also think we need to further discuss appropriate separation
of authentication identities, authorization identities, and
subject DN (for ACLs).
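As an added illustration of the authzId handling asked for above (the "may or may not be a DN" point and the "send an empty authzId rather than defaulting it to authcId" point), here is client-side validation logic in Python. It is not code from the ITS#477 patch or from OpenLDAP; the function names are hypothetical, and the "dn:" / "u:" string forms assumed for the authorization identity are those of RFC 2829 section 9.

```python
# Added example, not part of the ITS#477 patch. Treats the authentication
# identity (authcId) and the optional authorization identity (authzId) as
# independent inputs, as the review asks. Function names are hypothetical;
# the "dn:<DN>" and "u:<user>" authzId forms are assumed from RFC 2829 sec. 9.
from typing import Optional, Tuple


def classify_authzid(authz_id: str) -> Tuple[str, str]:
    """Split an authzId into (form, value), where form is 'dn', 'u' or ''.

    An authzId is not necessarily a DN: the u: form carries a bare user name
    that the server maps to a DN itself. Malformed values raise ValueError.
    """
    if authz_id == "":
        return ("", "")
    if authz_id.startswith("dn:"):
        value = authz_id[3:]
        if not value:
            raise ValueError("dn: form requires a distinguished name")
        return ("dn", value)
    if authz_id.startswith("u:"):
        value = authz_id[2:]
        if not value:
            raise ValueError("u: form requires a user name")
        return ("u", value)
    raise ValueError("authzId must use the dn: or u: form")


def sasl_authzid_to_send(authc_id: str, authz_id: Optional[str]) -> str:
    """Return the authorization identity to place in the SASL exchange.

    An absent authzId is sent as an empty string, never defaulted to authcId:
    an empty field tells the server to derive the authorization identity from
    the authenticated identity, whereas an explicit value is a proxy
    authorization request that the server must check separately (and may
    refuse, or interpret as a different identity form than intended).
    """
    if not authc_id:
        raise ValueError("authcId is required for a client SASL bind")
    if authz_id is None or authz_id == "":
        return ""
    classify_authzid(authz_id)  # reject malformed values before they hit the wire
    return authz_id
```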