
Re: identity assertion



On Fri, 2006-01-20 at 16:16 -0600, Eric Irrgang wrote:

> I already have my target directory set up that way but I don't know how to
> do identity assertion from a regular ldap client without using SASL.  Is
> there a way?  For instance, the following fails with "ldapsearch: not
> compiled with SASL support"
> 
> ldapsearch -x -W -D cn=authorizeduser,dc=test -X cn=config,dc=test

No.  The message seems to indicate that your client doesn't have SASL
compiled in, but in any case the -x prevents it from doing a SASL bind,
so you should use something different.  But, as I said before,
authorization and SASL are orthogonal.  Without mucking with SASL, you
can use:

ldapsearch -x -W -D cn=authorizeduser,dc=test \
        -e '!authzid=dn:cn=config,dc=test'

this causes the tool to use the proxyAuthz control on that operation
(the '!' is because the control MUST be critical).

p.




Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309          
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------
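
Added example, not part of the original message and not OpenLDAP code: a sketch of the control that `-e '!authzid=dn:cn=config,dc=test'` attaches to the request, BER-encoded per RFC 4370, showing that the '!' becomes the criticality BOOLEAN and the authzid is carried as the control value. The function names are illustrative assumptions; the decoder is the kind of check one could run over a captured control to confirm it is marked critical.

```python
PROXY_AUTHZ_OID = "2.16.840.1.113730.3.4.18"  # controlType from RFC 4370

def _tlv(tag, value):
    """One BER element: tag, definite length (short or long form), value."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + value

def encode_proxy_authz(authzid, critical=True):
    """Control ::= SEQUENCE { controlType, criticality, controlValue }."""
    if authzid and not authzid.startswith(("dn:", "u:")):
        raise ValueError("authzId must be empty, 'dn:<DN>' or 'u:<userid>'")
    body = _tlv(0x04, PROXY_AUTHZ_OID.encode("ascii"))
    if critical:  # BOOLEAN DEFAULT FALSE is simply omitted when false
        body += _tlv(0x01, b"\xff")
    body += _tlv(0x04, authzid.encode("utf-8"))  # value is the authzId itself
    return _tlv(0x30, body)

def _read(buf, pos):
    """Return (tag, value, next_pos) for the element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        k = length & 0x7F
        length = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + length], pos + length

def decode_control(data):
    """Return (oid, critical, authzid) parsed from one encoded Control."""
    tag, body, _ = _read(data, 0)
    if tag != 0x30:
        raise ValueError("Control must be a SEQUENCE")
    _, oid, pos = _read(body, 0)
    critical, value = False, b""
    while pos < len(body):
        tag, val, pos = _read(body, pos)
        if tag == 0x01:
            critical = val != b"\x00"
        elif tag == 0x04:
            value = val
    return oid.decode("ascii"), critical, value.decode("utf-8")

if __name__ == "__main__":
    # Constructed input: the authzid from the ldapsearch command above.
    wire = encode_proxy_authz("dn:cn=config,dc=test")
    print(wire.hex(), decode_control(wire))
```

RFC 4370 requires servers to reject this control with protocolError when criticality is absent or FALSE, so a decoded control with `critical == False` indicates a non-conforming client.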