[Date Prev][Date Next]
Re: commit: ldap/doc/man/man5 slapd-ldap.5
> Some suggestions...
> Start TLS?
> SASL Bind (for both bind and proxy authcid)
> with authzid assertion (at SASL Bind time) for both
> idassert-mode <dn> should likely be idassert-mode <authzid>.
> That is, either dn:uid=foo,dc=example,dc=com or u:foo should be
> I think modes are confusing. I suggest:
> none - no proxy authz control
> user (or self) - proxy authz control with client's authz
> anonymous - anonymous proxy authz control
> (same as <authz> with "")
> <authz> - as specified
> (I don't see what your fifth choice is for.)
Sure. My concern is that the "proxyauthzdn" stuff was already in there
for multiple glued instances of back-ldap to cooperate by propagating the
client's identity if required, and I didn't want to break that too much.
I'll probably converge to your suggestion as soon as I can implement
exactly that functionality within any of the idassert-modes (it's
essentially a matter of deciding in what case the client's id should be
asserted by the proxy, or let thru with a direct bind).
So my "none" should become "legacy" until I work this out,
and my "proxyid" should become "none"...
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497