Re: external authentication in openldap

>If one wants to use non-directory password storage, Cyrus
>SASL managed storage should be used.  This can be SASLdb,
>pwcheckd (or its SASL2 replacement), or whatever.  For
>SASL password mechanisms, nothing is needed.  For LDAP
>simple, we need a mechanism which tells slapd to use
>SASL instead of userPassword.  Currently that's {SASL}.
>Another mechanism could be provided.  Basically, I suggest
>a regex-based mechanism.  If a regex matched the bind name,
>a second regex would be used to map this DN to a SASL
>authentication identity (w/ realm).

I haven't researched this thoroughly, but could we not use
dn:<user's dn> as the authentication identity, and use the
existing identity regex transformation code? Either way,
I will take a look at implementing this.

>Another approach would be to have an attribute that, if
>present in the entry, would contain the identity (which
>is basically what you suggest).   I would suggest a
>saslName attribute type and a saslAuthUser auxiliary
>object class.  (Yes, I would make it SASL specific.)

Ack. I need to find a solution that will work with 
incumbent authentication technology in OS X with minimum
impact to the OpenLDAP code, which is why I'm hoping it
can all be implemented in a SASL plugin. However, your
solution sounds like the right long-term solution.

-- Luke

Luke Howard | lukehoward.com
PADL Software | www.padl.com
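The bind-DN to SASL-identity selection the thread discusses, as an added example that is not code from OpenLDAP, from PADL, or from either poster. It models the four candidates the messages mention in one function: the existing `{SASL}` userPassword scheme, the proposed saslName attribute, the proposed two-regex mapping, and the `dn:<bind dn>` fallback. The precedence order, the `REGEX_RULES` patterns, the example.com DNs and the `local` marker for entries that carry an ordinary hashed userPassword are all assumptions of this example, not behaviour the thread settles.

```python
import re

# Constructed rules for the regex-based mechanism: if the first regex matches the
# bind DN, the replacement template produces the SASL authentication identity
# (with realm). Hypothetical patterns, not taken from any OpenLDAP configuration.
REGEX_RULES = [
    (re.compile(r"^uid=([^,]+),ou=people,dc=example,dc=com$", re.IGNORECASE),
     r"\1@EXAMPLE.COM"),
    (re.compile(r"^cn=([^,]+),ou=services,dc=example,dc=com$", re.IGNORECASE),
     r"svc-\1@EXAMPLE.COM"),
]


def normalize_dn(dn):
    """Collapse whitespace around RDN separators so 'uid=a, ou=b' and 'uid=a,ou=b' compare alike."""
    return ",".join(part.strip() for part in dn.split(","))


def regex_identity(bind_dn, rules=REGEX_RULES):
    """Return the SASL identity produced by the first matching rule, or None if none matches."""
    dn = normalize_dn(bind_dn)
    for pattern, template in rules:
        m = pattern.match(dn)
        if m:
            return m.expand(template)
    return None


def sasl_identity_for_simple_bind(bind_dn, entry):
    """Decide how a simple bind against `entry` should be verified.

    `entry` is the bound entry's attributes as {name: [values]}.
    Precedence (an assumption of this example):
      1. userPassword of the form {SASL}<identity>   -> check via SASL (existing slapd scheme)
      2. any other userPassword value                -> verify locally, no SASL identity
      3. a saslName attribute value                  -> the attribute proposal
      4. a matching rule in REGEX_RULES              -> the regex proposal
      5. dn:<normalized bind DN>                     -> the fallback asked about in the reply
    Returns (identity_or_None, source) so the caller can log which mechanism applied.
    """
    passwords = entry.get("userPassword", [])
    for pw in passwords:
        if pw.upper().startswith("{SASL}"):
            return pw[len("{SASL}"):], "userPassword"
    if passwords:
        # Ordinary hashed password stored in the directory: SASL is not consulted.
        return None, "local"
    for name in entry.get("saslName", []):
        return name, "saslName"
    ident = regex_identity(bind_dn)
    if ident is not None:
        return ident, "regex"
    return "dn:" + normalize_dn(bind_dn), "dn"
```

Returning the source alongside the identity is deliberate: when several mapping mechanisms coexist, an audit log that records which one selected the identity is what lets an operator notice a regex that matches more DNs than intended.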