Re: SASL authentication for OpenLDAP (ITS#477)
I think a large part of the problem is terminology:
    Spec/System        Authentication      Authorization
    ---------------    ----------------    -------------------------
    LDAP AuthMeth      authenticationId    authorizationId (authzid)
    DIGEST-MD5         username            authzId
    SASL (RFC 2222)    authenticationId    authorizationId (userid)
    Cyrus SASL         authname            user
    OpenLDAP           authcId             authzId
I've modified ldap_negotiated_sasl_bind_s() to clarify this.
Another confusion is slapd's connection's c_cdn/c_dn. In
the past they were:
c_cdn is the DN provided by the client as part of the bind.
c_dn is the DN derived from the client's authorization.
ACL subject DN
Both c_cdn and c_dn should be NULL during a multiple-step
bind process. Upon successful completion, a DN should be
derived from the authorization id (which may be derived
from the authentication id).
SASL processing on the server side should be relatively
straightforward if only using Cyrus (for both authentication
and authorization). Basically, we take the set callbacks
for the authentication id and, if provided, the authorization
id. We then step through the bind process and, if successful,
fetch SASL_USERNAME, which is the authorization user id. For now,
both c_cdn and c_dn should be set to "authzid=" + user id.
Does this sound reasonable so far? If so, we can talk about
storing authentication and/or authorization info in the directory.
But first, are we straight on external SASL services?
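The server-side bind process described in the post, as an added model that is not OpenLDAP or Cyrus SASL code: the two-step mechanism, the credential store, the proxy policy and the names (BindConnection, sasl_step, sasl_bind, lookup_secret, authorize) are all constructed for illustration. It shows the two rules the post states: c_cdn and c_dn stay NULL while a multi-step bind is in progress, and on success both become "authzid=" + the authorization id, which defaults to the authentication id when the client supplies none and must pass the authorization callback when it does not.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed credential store: authentication id -> secret.
USERS = {"alice": b"alice-secret", "proxy": b"proxy-secret"}

# Constructed authorization policy: which authentication ids may act as
# which authorization ids.  An id may always act as itself.
PROXY_ALLOWED = {"proxy": {"alice"}}


@dataclass
class BindConnection:
    # c_cdn / c_dn as in the post: None (NULL) until the bind completes.
    c_cdn: Optional[str] = None
    c_dn: Optional[str] = None
    # Per-connection SASL state; a constructed stand-in for the library's
    # connection context.
    sasl_state: dict = field(default_factory=dict)


def lookup_secret(authcid):
    """Authentication callback: secret for the authentication id."""
    return USERS.get(authcid)


def authorize(authcid, authzid):
    """Authorization callback: may authcid act as authzid?"""
    return authzid == authcid or authzid in PROXY_ALLOWED.get(authcid, set())


def sasl_step(conn, client_msg):
    """One server-side step of the constructed mechanism.

    Step 1: client sends its authentication id; server returns a nonce.
    Step 2: client sends "<authzid>\\0<HMAC(secret, nonce)>"; authzid may be
            empty, meaning "same as the authentication id".
    Returns ("continue", challenge), ("ok", None) or ("fail", None).
    """
    st = conn.sasl_state
    # Invariant from the post: no identity while the bind is in progress.
    conn.c_cdn = conn.c_dn = None
    if "authcid" not in st:
        st["authcid"] = client_msg.decode()
        st["nonce"] = b"constructed-nonce-1234"   # constructed, fixed for the demo
        return "continue", st["nonce"]
    authzid_raw, proof = client_msg.split(b"\0", 1)
    secret = lookup_secret(st["authcid"])
    if secret is None:
        return "fail", None
    expected = hmac.new(secret, st["nonce"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, proof):
        return "fail", None
    # Authorization id defaults to the authentication id.
    authzid = authzid_raw.decode() or st["authcid"]
    if not authorize(st["authcid"], authzid):
        return "fail", None
    # What the post's "fetch SASL_USERNAME" would hand back: the authz user id.
    st["SASL_USERNAME"] = authzid
    return "ok", None


def sasl_bind(conn, authcid, secret, authzid=""):
    """Drive both sides of the exchange and set c_cdn/c_dn on success."""
    status, challenge = sasl_step(conn, authcid.encode())
    if status != "continue" or conn.c_cdn is not None or conn.c_dn is not None:
        return "fail"
    # Client side of step 2: prove knowledge of the secret for authcid.
    proof = hmac.new(secret, challenge, hashlib.sha256).digest()
    status, _ = sasl_step(conn, authzid.encode() + b"\0" + proof)
    if status == "ok":
        conn.c_cdn = conn.c_dn = "authzid=" + conn.sasl_state["SASL_USERNAME"]
    return status


if __name__ == "__main__":
    c = BindConnection()
    print(sasl_bind(c, "proxy", b"proxy-secret", authzid="alice"), c.c_dn)
```

The connection object is reset to no identity at the start of every step, so a client that abandons the exchange after step 1, or fails step 2, never has a c_dn for ACL evaluation to use; the authorization callback is what stops a caller from naming an authzid it is not entitled to.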