
Re: Does chain overlay support sasl binding?



Simon Gao wrote:

> I am making some progress on this. Following example test014, I am able
> to get sasl bind working.
> 
> I still have two questions.
> 
> 1) For chain-idassert-bind, if I put bindmethod, saslmech, binddn, mode
> on each individual line, then sasl binding does not work. They all must
> be on the same line. Any reason why multiple lines work for simple
> bind, but not for sasl binding? The inconsistency will cause more
> effort in troubleshooting.

This should not be true.  I suspect you're doing something weird with
leading blanks in continuation lines, since the configuration parser
sees each statement as a single line anyway, after gluing multiple lines
by replacing continuation indentation with a single blank.  If you
intend to submit an example of your configuration, please attach it to
the message (if small) or make it available for public download.
Cut'n'paste could mess up critical portions of the message, like lining
and whitespace.

> 2) Is it possible to add authzTo/authzFrom at
> "ou=people,dc=example,dc=com" level and all the child entry be proxy
> authenticated?

I'm not aware of any feature like that.  In any case, it should be of
very limited help in chaining, since the rationale behind chaining is
that users that cannot autonomously authenticate on a remote DSA get
authorized by some special identity that has authorization privileges.
So all you need is authzTo in the special identity's entry, while in
general the identity that's being authorized does not necessarily reside
in the DSA.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
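
The continuation-line behaviour described in the reply above, as an added example that is not part of the original message and is not OpenLDAP's parser code: a simplified model of the gluing rule, showing that an indented multi-line `chain-idassert-bind` equals the one-line form while unindented lines become separate statements. The DN, SASL mechanism and mode values are constructed, and skipping blank and `#` lines is an assumption of this sketch.

```python
import shlex

def glue_statements(text):
    """Glue continuation lines: leading indentation becomes one blank."""
    statements = []
    for raw in text.splitlines():
        line = raw.rstrip()
        # Assumption of this sketch: blank lines and '#' lines are skipped.
        if not line or line.startswith("#"):
            continue
        if line[0] in " \t" and statements:
            # Continuation: append to the previous statement.
            statements.append(statements.pop() + " " + line.lstrip())
        else:
            statements.append(line.lstrip())
    return statements

def idassert_settings(text):
    """Return (chain-idassert-bind key/value pairs, stray statements)."""
    settings, stray = {}, []
    for stmt in glue_statements(text):
        words = shlex.split(stmt)
        if words[0] == "chain-idassert-bind":
            settings.update(w.partition("=")[::2] for w in words[1:])
        else:
            # A keyword=value line that was not glued to its directive.
            stray.append(stmt)
    return settings, stray

# Constructed sample configurations (values are placeholders).
ONE_LINE = ('chain-idassert-bind bindmethod=sasl saslmech=DIGEST-MD5 '
            'binddn="cn=proxy,dc=example,dc=com" mode=self\n')
INDENTED = """\
chain-idassert-bind bindmethod=sasl
    saslmech=DIGEST-MD5
\tbinddn="cn=proxy,dc=example,dc=com"
    mode=self
"""
UNINDENTED = """\
chain-idassert-bind bindmethod=sasl
saslmech=DIGEST-MD5
binddn="cn=proxy,dc=example,dc=com"
mode=self
"""

if __name__ == "__main__":
    for name in ("ONE_LINE", "INDENTED", "UNINDENTED"):
        print(name, idassert_settings(globals()[name]))
```

In the unindented case the SASL settings never reach the directive, which matches the symptom of a bind that only works when everything is on one line.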