Making the original authcid available to plugins
- To: openldap-devel@OpenLDAP.org
- Subject: Making the original authcid available to plugins
- From: Luke Howard <lukeh@PADL.COM>
- Date: Mon, 15 Sep 2003 23:27:49 +1000
- Organization: PADL Software Pty Ltd
- Versions: dmail (bsd44) 2.4c/makemail 2.9d

A plugin we've developed needs access to the original authentication
identity, because certain operations are handled differently if they
come from a trusted entity acting on behalf of a user (for example,
a replica proxying a password change) rather than the user itself.

At present we're using the rather ugly hack of retrieving the SASL
context (SLAPI_X_CONN_SASL_CONTEXT), retrieving SASL_AUTHUSER from
that, and then applying analogous rules to the SASL regex transforms
to turn it into a DN.

It would be more efficient (avoiding an extra search, and alignment
of code with SASL authorization policies) if the original authcid,
after mapping to a DN, was not disposed of, and thus could be
exposed through SLAPI.
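
The mapping step described above (an authentication identity turned into a DN by a regex rule, then compared with the identity the operation runs as), shown as an added stand-alone C example that is not part of the original post and is not OpenLDAP or plugin code. The rule, the sample identities and the function names `map_authcid` and `is_proxied` are assumptions made for illustration, and POSIX regex stands in for slapd's own rule matching.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
/* Constructed rule (sasl-regexp style) and identity; neither is from the post. */
#define RULE_MATCH "uid=([^,]+),cn=example\\.com,cn=gssapi,cn=auth"
#define RULE_REPL  "uid=$1,ou=people,dc=example,dc=com"
#define SAMPLE_ID  "uid=replica1,cn=example.com,cn=gssapi,cn=auth"

/* Expand $1..$9 in repl from a match on sasl_dn; 0 on success, -1 on failure. */
static int map_authcid(const char *pattern, const char *repl,
                       const char *sasl_dn, char *out, size_t outlen)
{
    regex_t re;
    regmatch_t m[10];
    size_t o = 0;
    if (outlen == 0 || regcomp(&re, pattern, REG_EXTENDED | REG_ICASE) != 0)
        return -1;
    int hit = regexec(&re, sasl_dn, 10, m, 0) == 0;
    regfree(&re);   /* m[] holds offsets into sasl_dn, not into re */
    /* A substring hit could map the wrong identity: require a full match. */
    if (!hit || m[0].rm_so != 0 || sasl_dn[m[0].rm_eo] != '\0') return -1;
    for (const char *p = repl; *p; p++) {
        const char *src = p;
        size_t n = 1;
        if (p[0] == '$' && p[1] >= '1' && p[1] <= '9') {
            regmatch_t g = m[*++p - '0'];
            if (g.rm_so < 0) return -1;   /* rule names an unset group */
            src = sasl_dn + g.rm_so;
            n = (size_t)(g.rm_eo - g.rm_so);
        }
        if (o + n >= outlen) return -1;   /* keep room for the NUL */
        memcpy(out + o, src, n);
        o += n;
    }
    out[o] = '\0';
    return 0;
}

/* Proxied when the authenticated DN is not the DN the operation runs as
 * (simplification: real code would compare normalized DNs). */
static int is_proxied(const char *authc, const char *authz)
{ return strcasecmp(authc, authz) != 0; }

int main(void)
{
    char dn[256];
    if (map_authcid(RULE_MATCH, RULE_REPL, SAMPLE_ID, dn, sizeof dn)) return 1;
    printf("%s proxied=%d\n", dn, is_proxied(dn, "uid=alice,ou=people,dc=example,dc=com"));
    return 0;
}
```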