
RE: SASL LDAP plugin



> -----Original Message-----
> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
> At 01:54 PM 2002-06-13, Howard Chu wrote:

> okay, then maybe a "who be this?" operation (like whoami but
> asks the question "what DN is associated with this (provided)
> identity?").
> 
> >, so this isn't quite enough. How about a new control
> >mapNameToDN that can accompany any operation, and causes the server to
> >perform the SASL name mapping steps on the request's dn/basedn before
> >handling the request?
> 
> Basically, you'd have a control which would contain an 
> authentication or authorization identity (in authzid form).
> The control should be marked critical and the base/target
> DN should be empty.  Semantically, the DN associated with
> the provided authzid is used as the base/target DN of the
> operation.

That sounds good to me. One more question in my mind; this feels like
a control that the frontend should handle, but if we're operating thru a
back-ldap proxy then I'd want to leave it for the backend. 

I presume since you say "in authzid form" that the name must have a "u:"
or "dn:" prefix?

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
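
The request checks proposed in this thread, written out as an added example that is not part of the original messages and is not OpenLDAP code. It assumes the RFC 2829 authzid prefixes ("dn:" and "u:"), treats a non-critical control as an error, and uses a hypothetical struct, result codes, function name and DN template in place of the server's real SASL name mapping.

```c
#include <stdio.h>
#include <string.h>

/* Result codes for this sketch (hypothetical, not OpenLDAP's own). */
enum map_rc { MAP_OK, MAP_NOT_CRITICAL, MAP_BASE_NOT_EMPTY, MAP_BAD_AUTHZID, MAP_TOO_LONG };

/* Hypothetical request view: only the fields the proposal talks about. */
struct map_request {
    int critical;          /* criticality flag of the control */
    const char *base_dn;   /* base/target DN sent with the operation */
    const char *authzid;   /* control value, "dn:..." or "u:..." */
};

/* Constructed stand-in for the server's configured SASL name mapping. */
#define USER_DN_TEMPLATE "uid=%s,ou=people,dc=example,dc=com"

/* Accept only characters that need no DN escaping, so a userid cannot
 * add RDNs or separators to the mapped DN. */
static int userid_is_plain(const char *s)
{
    if (*s == '\0') return 0;
    for (; *s; s++)
        if (!((*s >= 'a' && *s <= 'z') || (*s >= 'A' && *s <= 'Z') ||
              (*s >= '0' && *s <= '9') || *s == '.' || *s == '_' || *s == '-'))
            return 0;
    return 1;
}

/* Apply the proposed rules and write the effective base/target DN to out. */
enum map_rc map_name_to_dn(const struct map_request *rq, char *out, size_t outlen)
{
    int n;
    if (!rq->critical) return MAP_NOT_CRITICAL;       /* assumption: reject */
    if (rq->base_dn != NULL && rq->base_dn[0] != '\0') return MAP_BASE_NOT_EMPTY;
    if (rq->authzid == NULL) return MAP_BAD_AUTHZID;

    if (strncmp(rq->authzid, "dn:", 3) == 0 && rq->authzid[3] != '\0') {
        n = snprintf(out, outlen, "%s", rq->authzid + 3);  /* already a DN */
    } else if (strncmp(rq->authzid, "u:", 2) == 0 &&
               userid_is_plain(rq->authzid + 2)) {
        n = snprintf(out, outlen, USER_DN_TEMPLATE, rq->authzid + 2);
    } else {
        return MAP_BAD_AUTHZID;  /* no prefix, empty value, or unsafe userid */
    }
    return (n < 0 || (size_t)n >= outlen) ? MAP_TOO_LONG : MAP_OK;
}
```

A real server would run the "dn:" value through DN normalization and the "u:" value through its configured mapping rules before using either as the base of the operation.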