Re: (ITS#8560) Proxy Authorization is mentioned as a SASL mech

--On Friday, January 06, 2017 7:17 PM +0000 rick@openfortress.nl wrote:

> Full_Name: Rick van Rein
> Version: 2.4
> OS: N/A
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (2001:980:93a5:1:98ff:3cc8:e968:ded8)
> Hello,
> I found a nit in the OpenLDAP administrator's guide at
> http://www.openldap.org/doc/admin24/guide.html#SASL%20Proxy%20Authorization
> It mentions Proxy Authorization as a facility of SASL, something I never
> heard of.  It is defined specifically for LDAP in RFC 4370.  So the
> chapter title, and perhaps its ordering underneath SASL, are not perfect.

Hi Rick,

Thanks for the report.  However, the EXTERNAL mechanism is in fact a SASL 
mechanism, just implemented directly in OpenLDAP (vs other SASL mechanisms 
that OpenLDAP supports via Cyrus-SASL).  The location in the admin guide is 
correct.  If you read RFC 4370, Section 1 clearly notes that it is a part 
of SASL:

"The Lightweight Directory Access Protocol [LDAPV3] supports the use of
the Simple Authentication and Security Layer [SASL] for authentication
and for supplying an authorization identity distinct from the
authentication identity, where the authorization identity applies to
the whole LDAP session."



Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP: