[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Support for extensible certificate mapping

First, I think it still useful to have plugable
dnX509peerNormalize functions, searching is not
always needed.

Second, I'd tweak things somehow so the plugin
could return an LDAP URL that would get
evaluated as part of the SASL identity mapping

Lastly, I'd make sure the functionality in
two only applied to EXTERNAL authentication
(otherwise someone might get very surprised).

YMMV, Kurt

At 06:10 PM 9/22/2004, Luke Howard wrote:

>>=> bdb_search
>>bdb(dc=dsg,dc=padl,dc=com): Locker does not exist
>>bdb_cache_entry_db_lock: entry 1, rw 0, rc 22
>Turns out (as pointed out by Howard) searches can't be made from the
>connection listener as the thread context is not setup. So the best
>we can do in the normalization function is rewrite the DN into
>something which can be massaged by a SASL regexp.
>Now the problem is how to treat a DN like:
>cn=/C\=AU/O\=PADL Software Pty Ltd/CN\=Luke Howard/emailAddress\=lukeh@dsg.padl.com,cn=/C\=AU/O\=PADL Software Pty Ltd,cn=PKINIT,cn=auth
>so that the unescaped subject and issuer can be passed into an
>LDAP search filter within a sasl-regexp. 
>(NB: I'm building the RDNs manually and then calling ldap_dn2bv()
>-- Luke