[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: saslAuthz{To|From}

Kurt D. Zeilenga wrote:
At 07:22 AM 12/13/2003, Pierangelo Masarati wrote:

For the mech, I'd rather add another operator, to do


I would rather leave the <style> modifier to further
additions ...

Well, the problem is that userid and realm strings have few
character restrictions.  Even u.mech.realm:userid is bad
because the realm name can contain colons.

whatever separator we pick, in case only one extension
is added, e.g.: u<sep>foo: there would be no means
to tell whether foo is the realm or the mechanism.

For now, I suggest we just don't generate cn=realm RDNs for these authzids. And, for mechanisms, I'm fine with only generating cn=authzid RDN for authzid appearing in the policy information.

This is required to use the proxyAuthz control with sasl-regexp that makes use of the realm, as in ITS#2871. The only workaround I could find without any need to recode was "u:<user>@<realm>"

We can leave u.mech and u.mech.realm (or alternatives) to a later date. I don't think they are generally needed.

Sure. It's definitely not a priority for me.


Dr. Pierangelo Masarati         mailto:pierangelo.masarati@sys-net.it
LDAP Architect, SysNet s.n.c.   http://www.sys-net.it
|   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax:+390382476497    |