[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: back-sock and Proxy Authz or SASL Authz-Name

To: Michael Ströder <michael@stroeder.com>
Subject: Re: back-sock and Proxy Authz or SASL Authz-Name
From: Howard Chu <hyc@symas.com>
Date: Sat, 05 Dec 2009 20:15:22 -0800
Cc: openldap-software@openldap.org
In-reply-to: <4B1933BA.2060904@stroeder.com>
References: <4B1933BA.2060904@stroeder.com>
User-agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.9.3a1pre) Gecko/20091121 SeaMonkey/2.0a1pre Firefox/3.0.3

Michael Ströder wrote:

HI!

We a currently testing a custom OpenLDAP setup where specific modify requests
are handled via back-sock (redirected via slapo-rwm) by a handler implemented
in Python. These modify requests are checked and then passed to the real
database backend (back-hdb) on behalf of the user bound to slapd. This works
by looking at the line (binddn: ) passed to the handler by back-sock.

But now there's requirement for proxy authorization. The web application binds
via SASL bind DIGEST-MD5 and explicitly sets the authzid in the SASL bind
request which is mapped via authz-regexp to an authz-DN. This setup seems to
work (tested with commandline-tool ldapwhoami -X authzid) but the authz-DN is
not passed to the back-sock handler. binddn: still contains the bind-DN of the
web application.

Is this feasible at all? If not which parts of back-sock would have to be
patched to make that work?

Look at sock_print_conn() in result.c. You'll have to add appropriate flagsand keywords in the config and header files as well.


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

References:
- back-sock and Proxy Authz or SASL Authz-Name
  - From: Michael Ströder <michael@stroeder.com>

Prev by Date: Re: SASL OTP and syncrepl
Next by Date: RE: delta sync repl out of sync
Index(es):
- Chronological
- Thread