Re: authz-regexp without SASL
Kurt D. Zeilenga writes:
>At 01:57 PM 7/1/2005, Hallvard B Furuseth wrote:
>> authz-regexp (OpenLDAP 2.3) seems to only work for SASL.
>> I note it was called sasl-regexp before.
> Yes, because it was originally just for mapping SASL authorization
> identities. Now it can map some additional authorization
> identities, such as when using the proxied authorization control.
>> Will it be changed to work for Simple Bind?
> Well, it could be changed to map the authenticated
> identity, which normally becomes the authorization
> identity, to some other authorization identity.
> One likely could do that with an overlay.
OK. But then the doc should be changed to say when authz-regexp
is used. The current doc gives the impression that it always is.
>> authz-regexp "^.*" "uid=hbf,cn=people,dc=uio,dc=no"
>> does not let anyone log in with my password and access:-)
> Wouldn't this mean that any authenticated user would act
> as "uid=hbf,cn=people,dc=uio,dc=no" authorization identity?
Ah. I got confused by "Used by the authentication framework" in
the doc. Maybe that should be "by the authorization framework"?
And "...convert *authenticated* user names ...".
Don't anthropomorphize computers. They hate that.
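
Added example, not part of the original message or of OpenLDAP: a small audit script that reads authz-regexp / sasl-regexp lines and flags any rule that maps every identity to one fixed DN, as the catch-all rule quoted in the thread would for identities that do pass through the mapping. It assumes shlex quoting and Python `re` are close enough to slapd's config parsing and POSIX regex for simple rules; the config fragment (other than the quoted catch-all rule) and the SASL identities are constructed.

```python
import re
import shlex

# Constructed slapd.conf fragment; only the second rule is quoted in the thread.
SAMPLE_CONF = '''
authz-regexp "^uid=([^,]+),cn=[^,]+,cn=auth$" "uid=$1,cn=people,dc=uio,dc=no"
authz-regexp "^.*" "uid=hbf,cn=people,dc=uio,dc=no"
'''

# Constructed SASL authentication identities in slapd's internal DN form.
SAMPLE_IDS = ["uid=alice,cn=digest-md5,cn=auth", "uid=bob,cn=gssapi,cn=auth"]

def parse_rules(conf):
    """Return (match, replace) pairs from authz-regexp / sasl-regexp lines."""
    rules = []
    for line in conf.splitlines():
        parts = shlex.split(line, comments=True)
        if len(parts) == 3 and parts[0].lower() in ("authz-regexp", "sasl-regexp"):
            rules.append((parts[1], parts[2]))
    return rules

def map_identity(rules, ident):
    """Apply the first matching rule; $N in the replacement takes group N."""
    for match, replace in rules:
        m = re.search(match, ident, re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", replace)
    return ident  # no rule matched: identity is left unmapped

def collapsing_rules(rules, idents):
    """Rules that match every sample identity and rewrite to a fixed DN."""
    flagged = []
    for match, replace in rules:
        hits = [i for i in idents if re.search(match, i, re.IGNORECASE)]
        if len(hits) == len(idents) and not re.search(r"\$\d", replace):
            flagged.append((match, replace))
    return flagged

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_CONF)
    for ident in SAMPLE_IDS:
        print(ident, "->", map_identity(rules, ident))
    for match, replace in collapsing_rules(rules, SAMPLE_IDS):
        print("WARNING: rule", repr(match), "maps every identity to", replace)
```

Per the thread, a Simple Bind DN in OpenLDAP 2.3 is not passed through these rules, so the script only models SASL (and proxied authorization) identities.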