[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: proxy authentication

> -----Original Message-----
> From: owner-openldap-devel@OpenLDAP.org
> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Kurt D. Zeilenga
> This is basically the same as passing through the SASL
> bind request/responses EXCEPT the authenticating server
> knows it doing for the middle box and hence can prepare
> a response which can be relayed to the end client.
> (This could be done with bind+controls instead of an exop).

Yes, this will work. We would have to do something clever about
selecting the mechanisms, but it wouldn't be much different from
the way the current slap_auxprop plugin is initialized. We could
get DIGEST-MD5 working easily. Stronger mechs would be more problematic,
Kerberos IV can't be proxied this way because the tickets include
client and server IP addresses. GSSAPI/K5 may or may not work...
I don't think there's any way to make EXTERNAL work without giving
the private key to the proxy server.
> At 04:20 PM 2002-06-16, Kurt D. Zeilenga wrote:
> >another approach would be to have an extended operation
> >which would an application server could use to proxy the
> >SASL exchanges.  That is, an exop whose request data
> >was the SASL request data provided to application server
> >(from the application client) and whose response data
> >was the SASL response data to be provided to the
> >application client.  The exop could also carry, on
> >the last exchange response, the authentication and
> >authorization identity established.
> >
> >Kurt