
Re: Does chain overlay support sasl binding?

Pierangelo Masarati wrote:
> Simon Gao wrote:
>> I am making some progress on this. Following example test014, I am able
>> to get sasl bind working.
>> I still have two questions.
>> 1) For chain-idassert-bind, if I put bindmethod, saslmech, binddn, mode
>> on each individual line, then sasl binding does not work. They all must
>> be on the same one line. Any reason why multiple line works for simple
>> bind, but not for sasl binding? The inconsistency will cause more
>> efforts in troubleshooting.
> This should not be true.  I suspect you're doing something weird with
> leading blanks in continuation lines, since the configuration parser
> sees each statement as a single line anyway, after gluing multiple lines
> by replacing continuation indentation with a single blank.  If you
> intend to submit an example of your configuration, please attach it to
> the message (if small) or make it available for public download.
> Cut'n'paste could mess up critical portions of the message, like lining
> and whitespace.

This was indeed an extra space problem. After removing extra space, it
works fine.

>> 2) Is it possible to add authzTo/authzFrom at
>> "ou=people,dc=example,dc=com" level and all the child entry be proxy
>> authenticated?
> I'm not aware of any feature like that.  In any case, it should be of
> very limited help in chaining, since the rationale behind chaining is
> that users that cannot autonomously authenticate on a remote DSA get
> authorized by some special identity that has authorization privileges.
> So all you need is authzTo in the special identity's entry, while in
> general the identity that's being authorized does not necessarily reside
> in the DSA.

authzTo worked fine with a proxy entry.
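
The continuation rule described in the quoted reply above (indented lines are glued to the previous statement with a single blank) can be modelled as follows. This is an added example, not part of the original messages and not OpenLDAP's parser; the host name, DN, mechanism and the helper names `glue_statements` and `absorbed_directives` are constructed for illustration. It shows that the multi-line and single-line forms of `chain-idassert-bind` yield the same statement, and how one stray leading blank makes a directive part of the line before it.

```python
# Added illustration: a simplified model of slapd.conf line continuation,
# not OpenLDAP's own parser. Host name, DN and mechanism are constructed.
DIRECTIVES = {"overlay", "chain-uri", "chain-idassert-bind"}

SINGLE_LINE = '''\
overlay chain
chain-uri "ldap://remote.example.com"
chain-idassert-bind bindmethod="sasl" saslmech="DIGEST-MD5" binddn="cn=proxy,dc=example,dc=com" mode="self"
'''

MULTI_LINE = '''\
overlay chain
chain-uri "ldap://remote.example.com"
chain-idassert-bind bindmethod="sasl"
    saslmech="DIGEST-MD5"
    binddn="cn=proxy,dc=example,dc=com"
    mode="self"
'''

# Same as SINGLE_LINE, but with one stray blank before the directive name.
STRAY_BLANK = SINGLE_LINE.replace("\nchain-idassert-bind", "\n chain-idassert-bind")


def glue_statements(text):
    """Join continuation lines; return the logical statements, one string each."""
    statements = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue  # model assumption: blank lines are skipped
        if line[0] in " \t" and statements:
            # Continuation: indentation collapses to a single blank.
            statements[-1] += " " + line.lstrip()
        else:
            statements.append(line.lstrip())
    # Comments are dropped only after unwrapping.
    return [s for s in statements if not s.startswith("#")]


def absorbed_directives(text, directives=DIRECTIVES):
    """Report (line number, name) for indented lines that start with a directive."""
    hits = []
    for number, raw in enumerate(text.splitlines(), start=1):
        words = raw.split()
        if raw[:1] in (" ", "\t") and words and words[0] in directives:
            hits.append((number, words[0]))
    return hits


if __name__ == "__main__":
    for name, cfg in [("multi", MULTI_LINE), ("stray", STRAY_BLANK)]:
        print(name, glue_statements(cfg), absorbed_directives(cfg))
```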