
RE: SASL LDAP plugin



At 02:49 PM 2002-06-16, Howard Chu wrote:
>> -----Original Message-----
>> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
>
>> >> >, so this isn't quite enough. How about a new control
>> >> >mapNameToDN that can accompany any operation, and causes the server to
>> >> >perform the SASL name mapping steps on the request's dn/basedn before
>> >> >handling the request?
>
>> >> Basically, you'd have a control which would contain an
>> >> authentication or authorization identity (in authzid form).
>> >> The control should be marked critical and the base/target
>> >> DN should be empty.  Semantically, the DN associated with
>> >> the provided authzid is used as the base/target DN of the
>> >> operation.
>
>> >That sounds good to me. One more question in my mind; this feels like
>> >a control that the frontend should handle, but if we're operating thru a
>> >back-ldap proxy then I'd want to leave it for the backend.
>
>> The control must be managed by the frontend (with calls into
>> backend as needed)... there's no DN.
>
>Right. Getting back to allowing this control to be meaningfully proxied
>by back-ldap: we need to be able to query the remote server's mapping rules.
>Perhaps they should be added to back-monitor. The back-ldap proxy could be
>configured to fetch the rules at startup and feed them into the local
>runtime configuration. Then the control will still be usable on the proxy
>server.

I'd rather have the proxy server use a "who is this?" extended operation
in this case.
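The control semantics sketched in the quoted exchange above (a critical control carrying an authzid, an empty base/target DN, and the DN mapped from the authzid used as the base of the operation), modelled as a small server-side check. This is an added example, not code from the thread or from OpenLDAP. The control OID is a placeholder, the mapping rules are constructed in the spirit of OpenLDAP's sasl-regexp directive, the rendering of a `u:` identity as `uid=<name>,cn=auth` is a simplification, and the result codes chosen for rejection are this example's own choice.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Placeholder OID for the proposed control; not a registered or OpenLDAP value.
MAP_NAME_TO_DN_OID = "1.2.3.4.5.6.7.8.9"

# LDAP result codes (RFC 4511) used when the control cannot be honoured.
PROTOCOL_ERROR = 2
NO_SUCH_OBJECT = 32


class LdapError(Exception):
    def __init__(self, result_code: int, message: str):
        super().__init__(f"resultCode={result_code}: {message}")
        self.result_code = result_code


@dataclass(frozen=True)
class Control:
    oid: str
    criticality: bool
    value: bytes = b""


@dataclass
class Request:
    base_dn: str
    controls: List[Control] = field(default_factory=list)


# Mapping rules modelled on OpenLDAP's sasl-regexp: (pattern, DN template).
# First matching rule wins. Constructed for this example.
Rule = Tuple["re.Pattern[str]", str]
RULES: List[Rule] = [
    (re.compile(r"^uid=([a-z][a-z0-9]*),cn=auth$", re.IGNORECASE),
     r"uid=\1,ou=people,dc=example,dc=com"),
]


def authzid_to_sasl_dn(authzid: str) -> str:
    """Turn an authzid ('dn:<DN>' or 'u:<name>', RFC 4513 forms) into the
    DN-shaped string the rules match on. 'u:' is rendered as
    uid=<name>,cn=auth, a simplification of OpenLDAP's internal form."""
    if authzid.startswith("dn:"):
        return authzid[3:]
    if authzid.startswith("u:"):
        name = authzid[2:]
        if not name or "," in name:
            raise LdapError(PROTOCOL_ERROR, "malformed u: authzid")
        return f"uid={name},cn=auth"
    raise LdapError(PROTOCOL_ERROR, "authzid must start with 'dn:' or 'u:'")


def map_authzid(authzid: str, rules: List[Rule]) -> str:
    """Apply the first matching rule. An explicit dn: identity with no rule
    stands as given; a u: identity with no rule is treated as unmappable."""
    sasl_dn = authzid_to_sasl_dn(authzid)
    for pattern, template in rules:
        m = pattern.match(sasl_dn)
        if m:
            return m.expand(template)
    if authzid.startswith("dn:"):
        return sasl_dn
    raise LdapError(NO_SUCH_OBJECT, f"no mapping rule for {authzid!r}")


def apply_map_name_to_dn(req: Request, rules: List[Rule]) -> Request:
    """Frontend handling: if the control is present it must be critical and
    the base DN must be empty; the mapped DN then becomes the base DN and
    the control is consumed before the backend sees the request."""
    matches = [c for c in req.controls if c.oid == MAP_NAME_TO_DN_OID]
    if not matches:
        return req
    if len(matches) > 1:
        raise LdapError(PROTOCOL_ERROR, "control may appear only once")
    ctrl = matches[0]
    if not ctrl.criticality:
        raise LdapError(PROTOCOL_ERROR, "mapNameToDN must be marked critical")
    if req.base_dn != "":
        raise LdapError(PROTOCOL_ERROR, "base DN must be empty with mapNameToDN")
    try:
        authzid = ctrl.value.decode("utf-8")
    except UnicodeDecodeError:
        raise LdapError(PROTOCOL_ERROR, "control value is not valid UTF-8")
    mapped = map_authzid(authzid, rules)
    remaining = [c for c in req.controls if c is not ctrl]
    return Request(base_dn=mapped, controls=remaining)


if __name__ == "__main__":
    req = Request("", [Control(MAP_NAME_TO_DN_OID, True, b"u:kurt")])
    print(apply_map_name_to_dn(req, RULES).base_dn)
```

Because the check runs in the frontend, a proxy backend such as back-ldap never sees the control; it only sees the already-mapped base DN, which is the gap the quoted exchange is about.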