[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Authorization on UIDs without bind

Kurt D. Zeilenga wrote:
> At 09:42 AM 3/5/2006, Geert Jansen wrote:
>> The attached patch implements UID based authorization for anonymous
>> connections. It adds an keyword "uid=xxx" to the access control syntax,
>> much like the "ssf=xxx" keyword that is already there (in fact the
>> implementation is largely copied from that). This feature is useful for
>> granting local processes access to protected attributes without the
>> requirement of adding clear-text passwords to configuration files.
> Or you could just use SASL/EXTERNAL bind (assuming your client
> supports it, of course.  If not, well, I'd work with its developer
> to add it.)
I will try that as well. However, current support for this is very poor
amongst LDAP clients. My email server (postfix), IMAP server (dovecot)
and web server (apache) all do not support SASL binds.

> In response to Michael's comment, I note that use of authz-regexp
> is optional.  That is, mapping of SASL authzdn to another DN
> is not necessary.  One can use the SASL authzdn directly.
In addition, you don't have an authzdn when you don't do a bind so I
can't use that.
> Note as well that patches included in list submissions are
> considered provided for discussion purposes only.  To have
> a patch considered for inclusion in OpenLDAP Software, one
> must submit it via the OpenLDAP Issue Tracking System, and
> otherwise adhere to the contributing guidelines.
>         http://www.openldap.org/its/
>         http://www.openldap.org/devel/contributing.html
Would be happy to follow the guidelines if this patch could be
considered for inclusion. Do you think this patch is a good feature for
OpenLDAP to have?


Attachment: signature.asc
Description: OpenPGP digital signature