RE: userIdentity in LDAP Password Modify
> -----Original Message-----
> From: owner-openldap-devel@OpenLDAP.org
> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Kurt D. Zeilenga
> Note that this field may or may not be a DN. It may be just
> a simple user name, e.g. "bob", or it may even be an LDAP
> authzid (e.g., u:bob or dn:cn=bob,dc=example,dc=com).
> Hence, we should do, much like we do for SASL authzids, apply
> appropriate mappings to produce the internal DN representing
> the user.
>
> Additionally, the user's password may or may not be held in the
> directory. It could be held in sasldb or other external store.
>
> Anyways, this message is intended just to enumerate some of the
> things which should find their way onto the TODO list.
Thinking out loud about what steps are needed...
If a DN is provided, do we need to apply SASL-regexp mapping to it? I would
think not.
If we get a "dn:" prefix we can just strip it and use the DN directly. If
dnNormalize fails, we fail the operation.
If we get a "u:" prefix we can let SASL take care of it.
If we get no prefix, and dnNormalize succeeds, we can use the DN directly.
Otherwise we treat it as a simple name, and let SASL take care of it.
When we call sasl_setpass, the password may be in sasldb, some other external
store, or it may be in the directory. It doesn't matter. SASL will re-enter
slapd (via slap_auxprop) if it needs to. So we don't need to do any special
SASL steps up front.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
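The prefix-dispatch rules proposed above, as an added example that is not OpenLDAP code: it classifies a Password Modify userIdentity value into "use this DN directly", "hand it to SASL", or "fail the operation". The `looks_like_dn` helper is an assumed, purely syntactic stand-in for slapd's `dnNormalize()`; the enum, function names and buffer convention are likewise assumptions for this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Outcome of classifying a Password Modify userIdentity value. */
typedef enum {
    ID_DN,          /* resolved to a directory DN; caller uses it directly */
    ID_SASL_USER,   /* "u:" authzid or plain user name; let SASL map it */
    ID_INVALID      /* "dn:" given but the DN failed normalization: fail the op */
} id_kind;

/* Hypothetical stand-in for slapd's dnNormalize(): accepts only the shape
 * "attr=value(,attr=value)*". Not OpenLDAP code, just enough for the example. */
static int looks_like_dn(const char *s)
{
    const char *p = s;
    if (*p == '\0') return 0;
    for (;;) {
        const char *eq = strchr(p, '=');
        if (eq == NULL || eq == p) return 0;
        for (const char *q = p; q < eq; q++)
            if (!isalnum((unsigned char)*q) && *q != '-' && *q != '.') return 0;
        if (eq[1] == '\0' || eq[1] == ',') return 0;   /* empty value */
        const char *comma = strchr(eq + 1, ',');
        if (comma == NULL) return 1;
        p = comma + 1;
    }
}

/* Apply the proposed rules; the identity to act on is written to out. */
static id_kind classify_user_identity(const char *id, char *out, size_t outlen)
{
    if (strncmp(id, "dn:", 3) == 0) {              /* strip prefix, use DN */
        if (!looks_like_dn(id + 3)) return ID_INVALID;
        snprintf(out, outlen, "%s", id + 3);
        return ID_DN;
    }
    if (strncmp(id, "u:", 2) == 0) {               /* SASL authzid: pass through */
        snprintf(out, outlen, "%s", id);
        return ID_SASL_USER;
    }
    if (looks_like_dn(id)) {                       /* bare DN that normalizes */
        snprintf(out, outlen, "%s", id);
        return ID_DN;
    }
    snprintf(out, outlen, "%s", id);               /* simple name: SASL decides */
    return ID_SASL_USER;
}
```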