
Re: SASL authentication for OpenLDAP (ITS#477)


I think a large part of the problem is terminology:

Spec/System        Authentication      Authorization
LDAP AuthMeth      authenticationId    authorizationId (authzid)
DIGEST-MD5         username            authzId
SASL (RFC 2222)    authenticationId    authorizationId (userid)
Cyrus SASL         authname            user
OpenLDAP           authcId             authzId

I've modified ldap_negotiated_sasl_bind_s() to clarify this.

Another confusion is slapd's connection's c_cdn/c_dn.  In
the past they were:

c_cdn is the DN provided by the client as part of the bind.
	logging/monitoring purposes
c_dn is the DN derived from the client's authorization.
	ACL subject DN

Both c_cdn and c_dn should be NULL during multiple step
bind process.  Upon successful completion, a DN should be
derived from the authorization id (which may be derived
from the authentication id).

SASL processing on the server side should be relatively
straightforward if only using Cyrus (for both authentication
and authorization).  Basically, we take the set callbacks
for the authentication id and, if provided, the authorization
id.  We then step through the bind process and, if successful,
fetch SASL_USERNAME which is the authorization user id.  For now,
both c_cdn and c_dn should be set to "authzid=" + user id.

Does this sound reasonable so far?  If so, we can talk about
storing authentication and/or authorization info in the directory.
But first, are we straight on external SASL services?
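The flow sketched above, as an added illustration that is not OpenLDAP or Cyrus SASL code: a toy two-step challenge/response bind in which c_cdn and c_dn stay None until the final step succeeds, authentication (authcid) is checked before authorization (authzid), an empty authzid defaults to the authenticated identity, and the connection DN is then derived as "authzid=" + user id. The mechanism's wire format, the USERS store and the PROXY_POLICY table are constructed for the example; the proxy-policy check is the part a SASL library delegates to the application (Cyrus exposes it as a callback), and it is the point where an authenticated client must be prevented from naming an arbitrary authzid.

```python
"""Toy model of slapd's SASL bind flow (illustration only, not OpenLDAP code).

Terminology as in the table above: authcid = who authenticated,
authzid = whose identity the connection acts under (the ACL subject).
"""
import hashlib
import hmac
import secrets

# Constructed credential store: authcid -> password (plain text only to keep
# the toy short; a real server stores a salted verifier).
USERS = {"alice": "wonderland", "proxysvc": "s3cret"}

# Constructed proxy-authorization policy: which authcids may assume which
# authzids. This is the decision a Cyrus proxy-policy callback would make.
PROXY_POLICY = {"proxysvc": {"alice"}}


def authorize(authcid, authzid):
    """True if authcid may act as authzid. Every authcid may act as itself."""
    return authcid == authzid or authzid in PROXY_POLICY.get(authcid, set())


def derive_dn(authzid):
    """Derive the connection DN from the authorization id, as proposed above."""
    return "authzid=" + authzid


class Connection:
    """Mirrors c_cdn / c_dn: both None until the bind completes successfully."""

    def __init__(self):
        self.c_cdn = None   # DN supplied by the client (logging / monitoring)
        self.c_dn = None    # DN derived from the authorization id (ACL subject)
        self._nonce = None  # per-bind challenge, single use


def sasl_start(conn):
    """Step 1 of the constructed mechanism: the server issues a nonce.
    Nothing about the user is known yet, so both DNs are cleared."""
    conn.c_cdn = conn.c_dn = None
    conn._nonce = secrets.token_bytes(16)
    return conn._nonce


def client_response(nonce, authcid, password, authzid=""):
    """What the client sends in step 2 (constructed wire format):
    authzid NUL authcid NUL hex(HMAC-SHA256(password, nonce)).
    An empty authzid means 'act as the authenticated identity'."""
    tag = hmac.new(password.encode(), nonce, hashlib.sha256).hexdigest()
    return f"{authzid}\0{authcid}\0{tag}".encode()


def sasl_step(conn, response):
    """Step 2: verify authentication, then authorization, then set the DNs.
    Returns (success, c_dn); on any failure the DNs stay None."""
    try:
        authzid, authcid, tag = response.decode().split("\0")
    except ValueError:
        return False, None
    password = USERS.get(authcid)
    if password is None or conn._nonce is None:
        return False, None
    expected = hmac.new(password.encode(), conn._nonce, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, None            # authentication failed
    conn._nonce = None                # nonce is single use: no replay of step 2
    if not authzid:
        authzid = authcid             # default: authorize as yourself
    if not authorize(authcid, authzid):
        return False, None            # authenticated, but not allowed to proxy
    # Success: set both DNs to "authzid=" + user id, as the mail proposes.
    conn.c_cdn = conn.c_dn = derive_dn(authzid)
    return True, conn.c_dn


def bind(authcid, password, authzid=""):
    """Run the whole exchange on a fresh connection; return (ok, c_dn)."""
    conn = Connection()
    nonce = sasl_start(conn)
    assert conn.c_dn is None and conn.c_cdn is None   # NULL mid-bind
    return sasl_step(conn, client_response(nonce, authcid, password, authzid))


if __name__ == "__main__":
    print(bind("alice", "wonderland"))                      # (True, 'authzid=alice')
    print(bind("proxysvc", "s3cret", authzid="alice"))      # (True, 'authzid=alice')
    print(bind("alice", "wonderland", authzid="proxysvc"))  # (False, None)
    print(bind("alice", "wrong"))                           # (False, None)
```

The third call is the case worth noticing: alice authenticates correctly but asks to act as proxysvc, and because the policy does not grant that, the bind fails and c_dn is never set. Without the authorize() step, SASL_USERNAME would simply carry whatever authzid the client supplied.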