Re: rwm and sasl authz



On Thursday 24 July 2008 19:07:38 Pierangelo Masarati wrote:
> Yes, it is a known issue.  When slapo-rwm was first designed, however, it
> could only be stacked on top of a database, so it would have been bypassed
> by SASL bind anyway.  

Would that still be the case if internal auxprop authentication was used? In 
that case I think that a SASL bind would result in an internal search op 
being performed. The problem then on the slapo-rwm level is how to 
distinguish between the search performed in order to complete the SASL bind 
and other searches.

> However, it is not clear (to me) why one should 
> rewrite a DN resulting from an authz-regexp instead of directly modifying
> the authz-regexp in the first place.

The downside of using authz-regexp is that it seems you cannot assign a 
variable with the '${&&name(value)}' syntax and make it available to the 
other rewrite contexts using '${**name}'. If authz-regexp was somehow 
integrated with slapo-rwm then there wouldn't be a problem.