RE: userIdentity in LDAP Password Modify
At 03:59 PM 12/1/2003, Howard Chu wrote:
>> -----Original Message-----
>> From: owner-openldap-devel@OpenLDAP.org
>> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Kurt D. Zeilenga
>> Note that this field may or may not be a DN. It may be just
>> a simple user name, e.g. "bob", or it may even be an LDAP
>> authzid (e.g., u:bob or dn:cn=bob,dc=example,dc=com).
>> Hence, we should do, much like we do for SASL authzids, apply
>> appropriate mappings to produce the internal DN representing
>> the user.
>> Additionally, the user's password may or may not be held in the
>> directory. It could be held in sasldb or other external store.
>> Anyways, this message is intended just to enumerate some of the
>> things which should find their way onto the TODO list.
>Thinking out loud about what steps are needed...
>If a DN is provided, do we need to apply SASL-regexp mapping to it? I would
I would think we'd apply the same regexes (and lookups) we do to
DNs generated/provided via SASL mechanisms.
>If we get a "dn:" prefix we can just strip it and use the DN directly. If
>dnNormalize fails, we fail the operation.
>If we get a "u:" prefix we can let SASL take care of it.
Or map it to a DN (like we do in our SASL code) and then map it.
>If we get no prefix, and dnNormalize succeeds, we can use the DN directly.
>Otherwise we treat it as a simple name, and let SASL take care of it.
>When we call sasl_setpass, the password may be in sasldb, some other external
>store, or it may be in the directory. It doesn't matter. SASL will re-enter
>slapd (via slap_auxprop) if it needs to. So we don't need to do any special
>SASL steps up front.
> -- Howard Chu
> Chief Architect, Symas Corp. Director, Highland Sun
> http://www.symas.com http://highlandsun.com/hyc
> Symas: Premier OpenSource Development and Support
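The steps sketched in this exchange (strip a "dn:" authzid and normalize it, map a "u:" name to a DN, accept a bare value as a DN only if it normalizes, otherwise treat it as a simple name for SASL) as an added example in C; this is not OpenLDAP code. The normalizer is a toy stand-in for slapd's dnNormalize, and the `uid=...,ou=people,dc=example,dc=com` template used for "u:" names is an assumed mapping, not a real authz-regexp or SASL configuration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenLDAP code: classify a Password Modify userIdentity
 * following the thread: strip and normalize "dn:", map "u:" to a DN via an
 * assumed template, treat a bare value as a DN if it normalizes, else as a name. */
typedef enum { UID_DN, UID_SIMPLE, UID_ERROR } uid_kind;
/* Toy normalizer (NOT slapd's dnNormalize): lowercases attribute types,
 * skips spaces before a type, and requires each RDN to be "type=value". */
static int norm_dn(const char *in, char *out, size_t outlen) {
    size_t o = 0, typelen = 0, vallen = 0; int intype = 1;
    for (const char *p = in; ; p++) {
        char c = *p;
        if (c == ',' || c == '\0') {
            if (intype || typelen == 0 || vallen == 0) return 0;
            intype = 1; typelen = vallen = 0;
            if (c == '\0') break;
        } else if (intype && c == ' ' && typelen == 0) {
            continue;                       /* optional space after a comma */
        } else if (intype && c == '=') {
            intype = 0;
        } else if (intype) {
            if (!isalnum((unsigned char)c) && c != '-') return 0;
            c = (char)tolower((unsigned char)c); typelen++;
        } else {
            vallen++;
        }
        if (o + 1 >= outlen) return 0;
        out[o++] = c;
    }
    out[o] = '\0';
    return 1;
}

static uid_kind resolve_user_identity(const char *id, char *out, size_t outlen) {
    char buf[256];
    if (strncmp(id, "dn:", 3) == 0)             /* explicit DN authzid */
        return norm_dn(id + 3, out, outlen) ? UID_DN : UID_ERROR;
    if (strncmp(id, "u:", 2) == 0) {            /* username authzid: map to a DN */
        if (id[2] == '\0' || strchr(id + 2, ',')) return UID_ERROR; /* no extra RDNs */
        /* assumed mapping standing in for the SASL/authz-regexp lookup */
        snprintf(buf, sizeof buf, "uid=%s,ou=people,dc=example,dc=com", id + 2);
        return norm_dn(buf, out, outlen) ? UID_DN : UID_ERROR;
    }
    if (norm_dn(id, out, outlen))               /* bare value that parses as a DN */
        return UID_DN;
    snprintf(out, outlen, "%s", id);            /* simple name, handed to SASL */
    return UID_SIMPLE;
}
```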