
Re: Support for extensible certificate mapping



First, I think it is still useful to have pluggable
dnX509peerNormalize functions; searching is not
always needed.

Second, I'd tweak things somehow so the plugin
could return an LDAP URL that would get
evaluated as part of the SASL identity mapping
processing.

Lastly, I'd make sure the functionality in
two only applied to EXTERNAL authentication
(otherwise someone might get very surprised).

YMMV, Kurt

At 06:10 PM 9/22/2004, Luke Howard wrote:

>>=> bdb_search
>>bdb_dn2entry("dc=dsg,dc=padl,dc=com")
>>bdb(dc=dsg,dc=padl,dc=com): Locker does not exist
>>bdb_cache_entry_db_lock: entry 1, rw 0, rc 22
>
>Turns out (as pointed out by Howard) searches can't be made from the
>connection listener as the thread context is not setup. So the best
>we can do in the normalization function is rewrite the DN into
>something which can be massaged by a SASL regexp.
>
>Now the problem is how to treat a DN like:
>
>cn=/C\=AU/O\=PADL Software Pty Ltd/CN\=Luke Howard/emailAddress\=lukeh@dsg.padl.com,cn=/C\=AU/O\=PADL Software Pty Ltd,cn=PKINIT,cn=auth
>
>so that the unescaped subject and issuer can be passed into an
>LDAP search filter within a sasl-regexp. 
>
>(NB: I'm building the RDNs manually and then calling ldap_dn2bv()
>with LDAP_DN_FORMAT_LDAPV2.)
>
>Ideas?
>
>-- Luke
>
>--
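The quoted question is about two escaping layers that meet in this mapping: the certificate subject and issuer are carried inside a DN (so their `=`, `,` and `/` characters are escaped per RFC 4514), and after the sasl-regexp strips them out again they end up inside an LDAP search filter, where `*`, `(`, `)` and `\` have to be escaped per RFC 4515 or the certificate contents could change the meaning of the search. The following script is an added illustration of those two steps, not code from OpenLDAP or from either poster: it parses the normalized DN shown above, recovers the unescaped subject and issuer, and builds the filter that a sasl-regexp would otherwise produce. The attribute names `x509SubjectDN` and `x509IssuerDN` and the fixed `cn=PKINIT,cn=auth` suffix are assumptions made for the example.

```python
# Added example: DN normalization to search filter, with both escaping layers.
# Assumes the normalized DN has the shape
#   cn=<subject>,cn=<issuer>,cn=PKINIT,cn=auth
# and that the directory stores the subject/issuer strings in the
# (hypothetical) attributes x509SubjectDN and x509IssuerDN.


def split_unescaped(s: str, sep: str) -> list[str]:
    """Split s on sep, ignoring separators that are backslash-escaped."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])      # keep the escape pair intact for now
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts


def unescape_dn_value(raw: str) -> str:
    """Undo RFC 4514 escaping: '\\c' yields c, '\\XX' yields byte 0xXX (UTF-8)."""
    buf = bytearray()
    i = 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            pair = raw[i + 1:i + 3]
            if len(pair) == 2 and all(ch in "0123456789abcdefABCDEF" for ch in pair):
                buf.append(int(pair, 16))
                i += 3
            else:
                buf.extend(raw[i + 1].encode("utf-8"))
                i += 2
        else:
            buf.extend(raw[i].encode("utf-8"))
            i += 1
    return buf.decode("utf-8")


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Return [(attribute_type, unescaped_value), ...] from left to right."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        # Multi-valued RDNs (a+b) are not used by this mapping; take the first AVA.
        ava = split_unescaped(rdn, "+")[0]
        attr, _, value = ava.partition("=")   # first '=' is the type separator
        rdns.append((attr.strip().lower(), unescape_dn_value(value.strip())))
    return rdns


# RFC 4515: characters that must be hex-escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot introduce filter metacharacters."""
    return "".join(_FILTER_ESCAPES.get(c, c) for c in value)


def mapping_filter(normalized_dn: str,
                   subject_attr: str = "x509SubjectDN",   # assumed attribute name
                   issuer_attr: str = "x509IssuerDN") -> tuple[str, str, str]:
    """Extract subject and issuer from the normalized DN and build the filter."""
    rdns = parse_dn(normalized_dn)
    if len(rdns) != 4 or rdns[2:] != [("cn", "PKINIT"), ("cn", "auth")] \
            or rdns[0][0] != "cn" or rdns[1][0] != "cn":
        raise ValueError("not a cn=<subject>,cn=<issuer>,cn=PKINIT,cn=auth DN")
    subject, issuer = rdns[0][1], rdns[1][1]
    filt = "(&(%s=%s)(%s=%s))" % (subject_attr, escape_filter_value(subject),
                                  issuer_attr, escape_filter_value(issuer))
    return subject, issuer, filt


if __name__ == "__main__":
    # The DN from the quoted message (constructed here as a Python literal).
    dn = ("cn=/C\\=AU/O\\=PADL Software Pty Ltd/CN\\=Luke Howard"
          "/emailAddress\\=lukeh@dsg.padl.com,"
          "cn=/C\\=AU/O\\=PADL Software Pty Ltd,cn=PKINIT,cn=auth")
    for line in mapping_filter(dn):
        print(line)
```

The second escaping step is the one that matters for safety: a subject such as `CN=a(b)*` becomes `CN=a\28b\29\2a` in the filter, so a certificate's contents can only ever match a literal value and never widen the search to other entries. It is also why Kurt's point about restricting the mechanism to EXTERNAL authentication matters: only there is the DN guaranteed to have come out of a verified certificate rather than a client-supplied string.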