[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: SASL LDAP plugin

To: "Howard Chu" <hyc@highlandsun.com>
Subject: RE: SASL LDAP plugin
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Thu, 13 Jun 2002 14:49:10 -0700
Cc: <openldap-devel@OpenLDAP.org>
In-reply-to: <NMEFLNHODBAOPDKNNJALMEMBDAAA.hyc@highlandsun.com>
References: <5.1.0.14.0.20020613083001.03c206d0@127.0.0.1>

At 01:54 PM 2002-06-13, Howard Chu wrote:
>> -----Original Message-----
>> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
>
>> At 08:07 AM 2002-06-13, Howard Chu wrote:
>> >lookup - calls ldap_initialize, sets the LDAP session to
>> LDAP_VERSION3, does
>> >an interactive SASL bind with ldap_id as the authcid, and the
>> SASL client's
>> >username as the authzid. Then does a WhoAmI, then does an
>> ldapsearch on the
>> >returned name (which must be a DN) to retrieve the requested SASL
>> >attributes,
>> >and then does ldap_unbind.
>>
>> I note that this actually requires the application server to have
>> proxy authorization rights to the authcid, instead of just
>> read rights to authcid's userPassword.
>>
>> Another approach might be to add a fetchUserPassword extended
>> operation which returned the userPassword for an authcid.  Then
>> the application server could maintain a session long term with
>> the LDAP server, establishing authentication/authorization/security
>> layers as desired, then issuing fetchUserPassword on an as
>> needed basis.  Access control wise, the application server would
>> just need read to the authcid's userPassword.
>
>That sounds interesting. Except, the SASL auxprop API is supposed to allow
>lookup
>of arbitrary attributes,

okay, then maybe a "who be this?" operation (like whoami but
asks the question "what DN is associated with this (provided)
identity?".

>, so this isn't quite enough. How about a new control
>mapNameToDN that can accompany any operation, and causes the server to
>perform the SASL name mapping steps on the request's dn/basedn before
>handling the request?

Basically, you'd have a control which would contain an 
authentication or authorization identity (in authzid form).
The control should be marked critical and the base/target
DN should be empty.  Semantically, the DN associated with
the provided authzid is used as the base/target DN of the
operation.

>Then it's just a matter of using the ldap Search
>operation to retrieve any info, and ldapmodify/whatever to update passwords
>in a single step. (I guess this control would be redundant on a SASL Bind
>request, but it should be harmless...)

It should be inappropriate to attach this control to the
bind operation.

Kurt





>  -- Howard Chu
>  Chief Architect, Symas Corp.       Director, Highland Sun
>  http://www.symas.com               http://highlandsun.com/hyc
>  Symas: Premier OpenSource Development and Support

Follow-Ups:
- RE: SASL LDAP plugin
  - From: "Howard Chu" <hyc@highlandsun.com>

References:
- Re: SASL LDAP plugin
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- RE: SASL LDAP plugin
  - From: "Howard Chu" <hyc@highlandsun.com>

Prev by Date: RE: SASL LDAP plugin
Next by Date: RE: SASL LDAP plugin
Index(es):
- Chronological
- Thread