
Re: Authorization on UIDs without bind



At 09:42 AM 3/5/2006, Geert Jansen wrote:
>a while back I posted a question to this list whether it was possible to
>do authorization based on the operating system UID/GID for IPC
>connections. The answer was that this is possible only with a
>SASL/EXTERNAL bind.

Yes.

>The attached patch implements UID based authorization for anonymous
>connections. It adds a keyword "uid=xxx" to the access control syntax,
>much like the "ssf=xxx" keyword that is already there (in fact the
>implementation is largely copied from that). This feature is useful for
>granting local processes access to protected attributes without the
>requirement of adding clear-text passwords to configuration files.

Or you could just use SASL/EXTERNAL bind (assuming your client
supports it, of course.  If not, well, I'd work with its developer
to add it.)

In response to Michael's comment, I note that use of authz-regexp
is optional.  That is, mapping of SASL authzdn to another DN
is not necessary.  One can use the SASL authzdn directly.

Note as well that patches included in list submissions are
considered provided for discussion purposes only.  To have
a patch considered for inclusion in OpenLDAP Software, one
must submit it via the OpenLDAP Issue Tracking System, and
otherwise adhere to the contributing guidelines.
        http://www.openldap.org/its/
        http://www.openldap.org/devel/contributing.html

Kurt
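The SASL/EXTERNAL approach Kurt points to, as an added slapd.conf example (not part of the thread and not from the patch under discussion): slapd is assumed to listen on ldapi:///, the dc=example,dc=com suffix and the uidNumber/gidNumber values are placeholders, and the authzDN form shown is the one slapd derives from the Unix socket peer credentials.

```conf
# slapd.conf fragment (added example, not from the thread or the patch).
# Assumes slapd is started with an ldapi:/// listener and the client binds
# with SASL/EXTERNAL over that socket. slapd derives the authzDN from the
# peer's OS credentials, so no password is stored anywhere:
#   gidNumber=<gid>+uidNumber=<uid>,cn=peercred,cn=external,cn=auth
# That DN is usable directly in ACLs; authz-regexp mapping is optional.

# Let root on the local host (uid 0 / gid 0) write userPassword;
# everyone else gets the usual self-write / authenticate-only rules.
access to attrs=userPassword
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
    by self write
    by anonymous auth
    by * none

# A local service process running as placeholder uid/gid 105 may read a
# protected subtree; anonymous and everyone else is denied.
access to dn.subtree="ou=services,dc=example,dc=com"
    by dn.exact="gidNumber=105+uidNumber=105,cn=peercred,cn=external,cn=auth" read
    by * none

# Optional alternative: map the peercred DN onto a real directory entry so
# ACLs can reference entries instead of numeric ids (the "+" must be escaped).
# authz-regexp
#     "gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth"
#     "cn=Manager,dc=example,dc=com"
```

Check which identity slapd actually assigned with `ldapwhoami -Y EXTERNAL -H ldapi:///` before writing ACLs against it.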