[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Problem with back-ldap and slapo-rwn

Torsten Schlabach (Tascel eG) wrote:

  >  It works this way:


Ok. But in the very case, it's actually not the client who would want to
read the authzTo attribute, but Server B. Server B tries to decide if a
specific user who authenticated is allowed to assume the authorization
of a different user. For that reason, Server B tries to read the authzTo
attribute of the user object. That user object lives on Server A and
does not have an authzTo attribute but only a saslAuthzTo attribute, due
to the fact that the name of that internal attribute changed between 2.2
and 2.3.

Why not just patch the 2.2 server to include authzTo as an alias of the saslAuthzTo attribute?

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/