[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: userIdentity in LDAP Password Modify

> -----Original Message-----
> From: owner-openldap-devel@OpenLDAP.org
> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Kurt D. Zeilenga

> Note that this field may or may not be a DN.  It may be just
> a simple user name, e.g. "bob", or it may even be an LDAP
> authzid (e.g., u:bob or dn:cn=bob,dc=example,dc=com).

> Hence, we should do, much like we do for SASL authzids, apply
> appropriate mappings to produce the internal DN representing
> the user.
> Additionally, the user's password may or may not be held in the
> directory.  It could be held in sasldb or other external store.
> Anyways, this message is intended just to enumerate some of the
> things which should find their way onto the TODO list.

Thinking out loud about what steps are needed...

If a DN is provided, do we need to apply SASL-regexp mapping to it? I would
think not.

If we get a "dn:" prefix we can just strip it and use the DN directly. If
dnNormalize fails, we fail the operation.

If we get a "u:" prefix we can let SASL take care of it.

If we get no prefix, and dnNormalize succeeds, we can use the DN directly.
Otherwise we treat it as a simple name, and let SASL take care of it.

When we call sasl_setpass, the password may be in sasldb, some other external
store, or it may be in the directory. It doesn't matter. SASL will re-enter
slapd (via slap_auxprop) if it needs to. So we don't need to do any special
SASL steps up front.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support