[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: authz-regexp without SASL

Kurt D. Zeilenga writes:
>At 01:57 PM 7/1/2005, Hallvard B Furuseth wrote:
>> authz-regexp (OpenLDAP 2.3) seems to only work for SASL.
>> I note it was called sasl-regexp before.
> Yes, because it was originally just for mapping SASL authorization
> identities.  Now it can map some additional authorization
> identities, such when using the proxied authorization control.
>> Will it be changed to work for Simple Bind?
> Well, it could be changed to map the authenticated
> identity, which normally becomes the authorization
> identity, to some other authorization identity.
> One likely could do that with an overlay.

OK.  But then the doc should be changed to say when authz-regexp
is used.  The current doc gives the impression that it always is.

>>   authz-regexp "^.*" "uid=hbf,cn=people,dc=uio,dc=no"
>> does not let anyone log in with my password and access:-)
> Wouldn't this mean that any authenticated user would be act
> as "uid=hbf,cn=people,dc=uio,dc=no" authorization identity?

Ah.  I got confused by "Used by the authentication framework" in
the doc.  Maybe that should be "by the authorization framework"?
And "...convert *authenticated* user names ...".

Don't anthropomorphize computers. They hate that.