Re: external authentication in openldap
>If one wants to use non-directory password storage, Cyrus
>SASL managed storage should be used. This can be SASLdb,
>pwcheckd (or its SASL2 replacement), or whatever. For
>SASL password mechanisms, nothing is needed. For LDAP
>simple, we need a mechanism which tells slapd to use
>SASL instead of userPassword. Currently that's {SASL}.
>Another mechanism could be provided. Basically, I suggest
>a regex-based mechanism. If a regex matched the bind name,
>a second regex would be used to map this DN to a SASL
>authentication identity (w/ realm).
I haven't researched this thoroughly, but could we not use
dn:<user's dn> as the authentication identity, and use the
existing identity regex transformation code? Either way,
I will take a look at implementing this.
>Another approach would be to have an attribute that, if
>present in the entry, would contain the identity (which
>is basically what you suggest). I would suggest a
>saslName attribute type and a saslAuthUser auxiliary
>object class. (Yes, I would make it SASL specific.)
Ack. I need to find a solution that will work with
incumbent authentication technology in OS X with minimum
impact to the OpenLDAP code, which is why I'm hoping it
can all be implemented in a SASL plugin. However, your
solution sounds like the right long-term solution.
-- Luke
--
Luke Howard | lukehoward.com
PADL Software | www.padl.com
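The two proposals in the thread (a regex that maps the bind DN to a SASL authentication identity, and an explicit per-entry attribute) sketched as an added example; this is not code from the thread or from OpenLDAP. The `{SASL}` scheme is OpenLDAP's existing one; the `saslName` attribute, the rule list, the DNs and the realm are assumptions made up for the illustration.

```python
import re
from typing import Optional

SASL_SCHEME = "{SASL}"  # existing OpenLDAP scheme: userPassword: {SASL}authcid@REALM

# Constructed rules for this illustration: (bind-DN regex, replacement yielding
# a SASL authentication identity with realm). DNs and realm are made up.
PROPOSED_RULES = [
    (re.compile(r"^uid=([^,]+),ou=people,dc=example,dc=com$", re.I),
     r"\1@EXAMPLE.COM"),
    (re.compile(r"^cn=([^,]+),ou=services,dc=example,dc=com$", re.I),
     r"svc-\1@EXAMPLE.COM"),
]

def identity_from_userpassword(user_password: str) -> Optional[str]:
    """Return the authc identity carried by a {SASL}-scheme userPassword, else None."""
    if user_password.startswith(SASL_SCHEME):
        return user_password[len(SASL_SCHEME):] or None
    return None

def identity_from_bind_dn(bind_dn: str, rules=PROPOSED_RULES) -> Optional[str]:
    """First-match regex mapping of the bind DN to a SASL authc identity
    (the regex proposal from the thread). None when no rule matches."""
    for pattern, replacement in rules:
        if pattern.match(bind_dn):
            return pattern.sub(replacement, bind_dn)
    return None

def resolve_sasl_identity(bind_dn: str, entry: dict,
                          rules=PROPOSED_RULES) -> Optional[str]:
    """Decide how an LDAP simple bind against `entry` should be verified.
    Returns the SASL identity to hand to the SASL library, or None meaning
    'compare against userPassword as usual'. Precedence is an assumption of
    this example: explicit saslName attribute, then {SASL} userPassword,
    then the regex mapping."""
    sasl_name = entry.get("saslName")  # hypothetical attribute from the thread
    if sasl_name:
        return sasl_name[0]
    for pw in entry.get("userPassword", []):
        ident = identity_from_userpassword(pw)
        if ident:
            return ident
    return identity_from_bind_dn(bind_dn, rules)
```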