RE: SASL LDAP plugin

> -----Original Message-----
> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]

> >> >, so this isn't quite enough. How about a new control
> >> >mapNameToDN that can accompany any operation, and causes the server to
> >> >perform the SASL name mapping steps on the request's dn/basedn before
> >> >handling the request?

> >> Basically, you'd have a control which would contain an
> >> authentication or authorization identity (in authzid form).
> >> The control should be marked critical and the base/target
> >> DN should be empty.  Semantically, the DN associated with
> >> the provided authzid is used as the base/target DN of the
> >> operation.

> >That sounds good to me. One more question in my mind; this feels like
> >a control that the frontend should handle, but if we're operating thru a
> >back-ldap proxy then I'd want to leave it for the backend.

> The control must be managed by the frontend (with calls into
> backend as needed)... there's no DN.

Right. Getting back to allowing this control to be meaningfully proxied
by back-ldap: we need to be able to query the remote server's mapping rules.
Perhaps they should be added to back-monitor. The back-ldap proxy could be
configured to fetch the rules at startup and feed them into the local
runtime configuration. Then the control will still be usable on the proxy

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
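To make the control semantics agreed above concrete, here is an added Python sketch of how a frontend could process such a control (example code written for this thread, not OpenLDAP's; the control OID, the rule table, the passthrough of an unmapped identity and the result codes chosen for rejection are all assumptions):

```python
import re

# Placeholder OID: the thread proposes the control but assigns it no OID.
MAP_NAME_TO_DN_OID = "OID-PLACEHOLDER-mapNameToDN"

# Constructed mapping rules, in the spirit of slapd's authz-regexp directive:
# (regex over the normalised identity, DN template using backreferences).
MAPPING_RULES = [
    (r"^uid=([^,]+)(?:,cn=[^,]+)?,cn=auth$", r"uid=\1,ou=people,dc=example,dc=com"),
]

def normalize_authzid(authzid):
    """Turn an authzid ("dn:<dn>" or "u:<user>[@realm]") into the DN form the rules match."""
    kind, sep, value = authzid.partition(":")
    if not sep or not value:
        raise ValueError("authzid must be 'dn:<dn>' or 'u:<user>[@realm]'")
    if kind == "dn":
        return value
    if kind == "u":
        user, _, realm = value.partition("@")
        return f"uid={user},cn={realm},cn=auth" if realm else f"uid={user},cn=auth"
    raise ValueError(f"unsupported authzid form {kind!r}")

def map_authzid_to_dn(authzid):
    """Apply the first matching rule; with no match the normalised form is kept (assumed)."""
    norm = normalize_authzid(authzid)
    for pattern, template in MAPPING_RULES:
        m = re.match(pattern, norm)
        if m:
            return m.expand(template)
    return norm

def effective_base_dn(base_dn, controls):
    """Frontend handling of the proposed control for one request.

    controls is a list of {"oid", "critical", "authzid"} dicts. Returns
    (result, dn): "success" with the DN the operation should use, or the
    name of the LDAP result code to return. A control that is not critical,
    is duplicated, carries a malformed value, or arrives with a non-empty
    base DN is refused outright rather than silently ignored.
    """
    found = [c for c in controls if c["oid"] == MAP_NAME_TO_DN_OID]
    if not found:
        return "success", base_dn
    if len(found) != 1 or not found[0]["critical"]:
        return "protocolError", None
    if base_dn != "":
        return "unwillingToPerform", None
    try:
        return "success", map_authzid_to_dn(found[0]["authzid"])
    except ValueError:
        return "protocolError", None
```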