[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: commit: ldap/tests/scripts test028-idassert conf.sh defines.sh

To: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Subject: Re: commit: ldap/tests/scripts test028-idassert conf.sh defines.sh
From: Pierangelo Masarati <ando@sys-net.it>
Date: Sat, 19 Jun 2004 17:39:46 +0200
Cc: OpenLDAP Commit <openldap-devel@OpenLDAP.org>
References: <200406190805.i5J8576F003857@cantor.openldap.org> <40D43C50.1000700@sys-net.it> <6.0.1.1.0.20040619082847.02cbc0b0@127.0.0.1>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20021003

Kurt D. Zeilenga wrote:

At 06:14 AM 6/19/2004, Pierangelo Masarati wrote:
ando@OpenLDAP.org wrote:
Added Files:
      test028-idassert  NONE -> 1.1
I just found out that native SASL authz doesn't work with CRAM-MD5, i.e. the bound identity remains that of the incoming authcDN; with DIGEST-MD5 the bound identity is turned into that of the authzDN specified via SASL. I'm not sso familiar with SASL details, but I thought the authz did not depend on the specific mech.
Not all SASL mechanisms support proxy authorization...

I guessed something like that, and I was going to look for a means to detect what mechs support it, because the idassert code currently assumes that when configured to use SASL method authz will be done natively by SASL.

Ando.


   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497

Follow-Ups:
- Re: commit: ldap/tests/scripts test028-idassert conf.sh defines.sh
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

References:
- Re: commit: ldap/tests/scripts test028-idassert conf.sh defines.sh
  - From: Pierangelo Masarati <ando@sys-net.it>
- Re: commit: ldap/tests/scripts test028-idassert conf.sh defines.sh
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

Prev by Date: Re: commit: ldap/tests/scripts test028-idassert conf.sh defines.sh
Next by Date: Re: limits on internal searches
Index(es):
- Chronological
- Thread