Re: Bind using credentials from another directory server

[Howard Chu <hyc@symas.com>]

François Beretti wrote:
> how does the authorization system work when using such an overlay ? can 
> one write acl giving access to a user dn not in the directory ?

Yes of course. Any valid DN (i.e., a DN that conforms to the schema) can be 
specified in an ACL, regardless of whether that DN corresponds to an entry 
residing in the current server. Otherwise distributed authentication and 
authorization would be impossible.

Note that SASL is already an example of this fact - SASL IDs don't have to 
exist in the directory, but if SASL says they are authenticated then we allow 
their use. Once an identity has been authenticated, by whatever means, it is 
valid.

> 2007/2/2, Howard Chu <hyc@symas.com <mailto:hyc@symas.com>>:
>
>     In general, unless you actually need to perform all of the functions
>     of a
>     backend, you can usually get by with something much smaller - like
>     an overlay
>     that only intercepts Bind operations, or a password hash module in
>     this case. 

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  Chief Architect, OpenLDAP     http://www.openldap.org/project/