[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: rwm and sasl authz

On Thursday 24 July 2008 19:07:38 Pierangelo Masarati wrote:
> Yes, it is a known issue.  When slapo-rwm was first designed, however, it
> could only be stacked on top of a database, so it would have been bypassed
> by SASL bind anyway.  

Would that still be the case if internal auxprop authentication was used? In 
that case I think that a SASL bind would result in an internal search op 
being performed. The problem then on the slapo-rwm level is how to 
distinguish between the search performed in order to complete the SASL bind 
and other searches.

> However, it is not clear (to me) why one should 
> rewrite a DN resulting from a authz-regexp instead of directly modifying
> the authz-regexp in the first place.

The downside of using authz-regexp is that it seems you cannot assign a 
variable with the '${&&name(value)}' syntax and make it available to the 
other rewrite contexts using '${**name}'. If authz-regexp was somehow 
integrated with slapo-rwm then there wouldn't be a problem.