Re: Section for admin guide on DIGEST-MD5



On Mon, Jul 15, 2002 at 01:09:41PM -0700, Howard Chu wrote:
> 
> > The example from the existing admin guide uses a regex:
> >
> > 	uid=(.*),.*cn=auth
> >
> > which risks assigning more than just the uid to the search. Debugging
> > such an error is hard, as the necessary information does not appear in
> > the logs unless trace logging is on.
> 
> This example could be changed to
> 	uid=(.*),cn=.*,cn=auth

I would prefer:
	uid=([^,]),cn=.*,cn=auth

but that currently fails to parse.

> but I'm not sure I like such a lenient example being there in the first
> place. The text warns about using such a loose rule, and I would hope no
> one actually uses them.
> 
> The text you offer rolls sasl-regexp description into the DIGEST-MD5 section,
> but sasl-regexp is not specific to that mechanism. This layout is misleading.

True - I was trying to contain my additions to one section. I have
abandoned that, moved the sasl-regexp examples down where they belong,
and submitted a diff through the ITS (ITS#1958).

> "saslRegexp" is a valid keyword but I prefer that "sasl-regexp" be used in
> the guide to keep it consistent with the other sasl config keywords.

OK - I had based that on the online web page version. Now consistent
with the rest of the CVS version.

> Any example that employs non-default realms really should provide some
> motivation for using a non-default realm. It makes little sense to
> configure SASL with more than one realm if all of the users in both realms
> come out of an identical LDAP namespace. Certainly that is not how things
> would behave if you were still using sasldb. I would prefer an example
> where the non-default realm is mapped to a separate DN subtree, distinct
> from the default case.

Good point. I have changed the example to show such a case.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|        Andrew.Findlay@skills-1st.co.uk       +44 1628 782565        |
-----------------------------------------------------------------------
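
The over-capture discussed in this thread, as an added example that is not part of the original message: it runs the two greedy patterns quoted above, plus a negated-class variant, against authentication DNs with and without a realm component and reports what group 1 would hand to the search. Assumptions: Python's `re` stands in for slapd's regex engine, the sample DNs are constructed in the `uid=<user>,cn=<realm>,cn=<mechanism>,cn=auth` form, and the third pattern adds a `*` quantifier that the pattern as posted does not have.

```python
import re

# Patterns quoted in the thread; "negated class" adds a '*' quantifier,
# which is this example's assumption and not the pattern as posted.
PATTERNS = {
    "admin guide": r"uid=(.*),.*cn=auth",
    "proposed": r"uid=(.*),cn=.*,cn=auth",
    "negated class": r"uid=([^,]*),cn=.*,cn=auth",
}

# Constructed SASL authentication DNs: one without a realm, one with.
SAMPLE_DNS = [
    "uid=alice,cn=digest-md5,cn=auth",
    "uid=alice,cn=example.com,cn=digest-md5,cn=auth",
]


def captured_uid(pattern, authc_dn):
    """Return what group 1 captures, or None when the pattern does not match."""
    match = re.search(pattern, authc_dn)
    return match.group(1) if match else None


def over_captures(pattern, authc_dn):
    """True when the captured value spills past the uid RDN (contains a comma)."""
    value = captured_uid(pattern, authc_dn)
    return value is not None and "," in value


def audit(patterns=PATTERNS, dns=SAMPLE_DNS):
    """Map each pattern name to a list of (dn, captured, over_captured) rows."""
    return {
        name: [(dn, captured_uid(p, dn), over_captures(p, dn)) for dn in dns]
        for name, p in patterns.items()
    }


if __name__ == "__main__":
    for name, rows in audit().items():
        for dn, value, bad in rows:
            flag = "OVER-CAPTURE" if bad else "ok"
            print(f"{name:14} {dn:48} -> {value!r} [{flag}]")
```

The `uid=(.*),cn=.*,cn=auth` form captures only the uid when no realm is present but still absorbs the realm RDN when one is, so a rule set that handles non-default realms needs the comma-excluding capture.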