
Re: rwm and sasl authz



----- "Konstantinos Koukopoulos" <kouk+Lists.openldap@noc.uoa.gr> wrote:

> Hello,
> I was wondering if it is a known issue that when using sasl authorization
> combined with the rewrite module, one doesn't have access to either the
> binddn or the authz dn. The rewrite context bindDN is only called when the
> client supplies a DN in the simple-bind fashion (-D when using ldapsearch).
>
> But if one uses a sasl mechanism (in order to use proxy auth for example) then
> the binding will happen with the result of the authz-regexp rewrite but this
> is not in a context of slapo-rwm, whose bindDN context sees whatever, if any,
> arbitrary bind DN the request contained (for example through -D).
>
> Additionally there is no context regarding the authorization DN, which is
> pretty much a necessity if you plan on using authFrom and have remapped the
> dit.

Yes, it is a known issue.  When slapo-rwm was first designed, however, it could only be stacked on top of a database, so it would have been bypassed by SASL bind anyway.  However, it is not clear (to me) why one should rewrite a DN resulting from an authz-regexp instead of directly modifying the authz-regexp in the first place.

p.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
-----------------------------------
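A constructed slapd.conf fragment illustrating the point made in the reply; it is an added example, not configuration from the thread or from the OpenLDAP documentation, and the suffixes, backend URI, user naming pattern and SASL mechanism pattern are all assumed. The rwm bindDN rule is consulted only for simple binds, so the DN that authz-regexp derives for a SASL bind is used as-is; emitting the wanted DN form directly from the authz-regexp replacement removes the dependence on the rewrite.

```conf
# Global section: authz-regexp maps the SASL authentication identity
# to the DN the bind (and any later authzFrom / proxy-authz checks)
# will see. Because slapo-rwm never sees this DN, the replacement
# spells out the final DN form directly instead of relying on a
# bindDN rewrite rule. (All names below are constructed.)
authz-regexp
    "^uid=([^,]+),cn=[^,]+,cn=auth$"
    "uid=$1,ou=people,dc=example,dc=com"
# Alternative: resolve the identity by search so that the result is a
# concrete entry DN. Only the first matching authz-regexp is used, so
# keep exactly one of the two forms active.
#authz-regexp
#    "^uid=([^,]+),cn=[^,]+,cn=auth$"
#    "ldap:///dc=example,dc=com??sub?(uid=$1)"

# Proxy database whose naming context is remapped by slapo-rwm.
database        ldap
suffix          "o=virtual"
uri             "ldap://backend.example.internal/"

overlay         rwm
rwm-rewriteEngine on
# Maps the virtual suffix onto the backend's real suffix.
rwm-suffixmassage "o=virtual" "dc=example,dc=com"

# Only simple binds (ldapsearch -D ...) pass through this context; a DN
# produced by authz-regexp for a SASL bind does not, so this rule alone
# cannot fix up SASL-derived identities.
rwm-rewriteContext bindDN
rwm-rewriteRule "^uid=([^,]+),o=virtual$" "uid=$1,ou=people,o=virtual" ":"
```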