[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: authz-regexp without SASL

To: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
Subject: Re: authz-regexp without SASL
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Fri, 01 Jul 2005 14:40:25 -0700
Cc: openldap-software@OpenLDAP.org
In-reply-to: <hbf.20050701vb7g@bombur.uio.no>
References: <hbf.20050701vb7g@bombur.uio.no>

At 01:57 PM 7/1/2005, Hallvard B Furuseth wrote:
>authz-regexp (OpenLDAP 2.3) seems to only work for SASL.
>I note it was called sasl-regexp before. 

Yes, because it was originally just for mapping SASL
authorization identities.  Now it can map some additional
authorization identities, such when using the proxied
authorization control.

>Will it be changed
>to work for Simple Bind?

Well, it could be changed to map the authenticated
identity, which normally becomes the authorization
identity, to some other authorization identity.
One likely could do that with an overlay.

>Its manpage section says it should
>work in general, though it mostly talks about SASL.
>E.g.
>  authz-regexp "^.*" "uid=hbf,cn=people,dc=uio,dc=no"
>does not let anyone log in with my password and access:-)

Wouldn't this mean that any authenticated user would be
act as "uid=hbf,cn=people,dc=uio,dc=no" authorization
identity?

Kurt

>-- 
>Hallvard
>Don't anthropomorphize computers. They hate that.

Follow-Ups:
- Re: authz-regexp without SASL
  - From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>

References:
- authz-regexp without SASL
  - From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>

Prev by Date: authz-regexp without SASL
Next by Date: Re: authz-regexp without SASL
Index(es):
- Chronological
- Thread