
Re: slapd-{ldap,meta} && authentication



> Quoting Howard Chu <hyc@symas.com>:
>
>> This is not completely true. back-ldap does support sasl-regexp
>> mapping, or it did the last time I worked with it.
>
> Is there some special trick to get this to work, because the sasl-regexp
> I was using while having a local db doesn't work...
>
> And I don't want to use HEAD quite yet so I can't try the 'idassert-*'
> stuff.

I would really appreciate it if you (or anybody else) could give it
a try and help check/improve the support for other SASL mechs;
it is very unlikely that I'll have a working GSSAPI set up in a
reasonable time with my current resources, and this could limit
the availability of this feature in the next release.

Currently, back-ldap is technically able (besides the need for
some cleanup) to honor SASL binds when the mech uses credentials
stored in the proxied DSA via the auxprop technology.  The proxy
needs to bind to the remote server with a trusted identity that
can read the credentials, and this administrative bind can be
done via SASL as well.

There's a need to work on ensuring the same works for mechs other
than CRAM/DIGEST-MD5 (and, of course, improve any other aspect
of this piece of code).

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497