
RE: userIdentity in LDAP Password Modify

At 03:59 PM 12/1/2003, Howard Chu wrote:
>> -----Original Message-----
>> From: owner-openldap-devel@OpenLDAP.org
>> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Kurt D. Zeilenga
>> Note that this field may or may not be a DN.  It may be just
>> a simple user name, e.g. "bob", or it may even be an LDAP
>> authzid (e.g., u:bob or dn:cn=bob,dc=example,dc=com).
>> Hence, we should do, much like we do for SASL authzids, apply
>> appropriate mappings to produce the internal DN representing
>> the user.
>> Additionally, the user's password may or may not be held in the
>> directory.  It could be held in sasldb or other external store.
>> Anyways, this message is intended just to enumerate some of the
>> things which should find their way onto the TODO list.
>Thinking out loud about what steps are needed...
>If a DN is provided, do we need to apply SASL-regexp mapping to it? I would
>think not.

I would think we'd apply the same regexes (and lookups) we do to
DNs generated/provided via SASL mechanisms.

>If we get a "dn:" prefix we can just strip it and use the DN directly. If
>dnNormalize fails, we fail the operation.
>If we get a "u:" prefix we can let SASL take care of it.

Or map it to a DN (like we do in our SASL code) and then map it.

>If we get no prefix, and dnNormalize succeeds, we can use the DN directly.
>Otherwise we treat it as a simple name, and let SASL take care of it.
>When we call sasl_setpass, the password may be in sasldb, some other external
>store, or it may be in the directory. It doesn't matter. SASL will re-enter
>slapd (via slap_auxprop) if it needs to. So we don't need to do any special
>SASL steps up front.
>  -- Howard Chu
>  Chief Architect, Symas Corp.       Director, Highland Sun
>  http://www.symas.com               http://highlandsun.com/hyc
>  Symas: Premier OpenSource Development and Support
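The resolution steps sketched in the exchange above, written out in C as an added example. This is not OpenLDAP code and not from either poster: dnNormalize() is replaced by a toy DN syntax check, the authz-regexp mapping is a hypothetical fixed template (uid=<name>,ou=people,dc=example,dc=com), and the names resolve_user_identity, classify and resolves_to are invented here. The sample inputs in main() are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* How a Password Modify userIdentity was understood. */
enum uid_kind {
    UID_BOUND,    /* field absent: operate on the identity that bound */
    UID_DN,       /* bare DN, used directly */
    UID_AUTHZ_DN, /* "dn:" authzid with the prefix stripped */
    UID_AUTHZ_U,  /* "u:" authzid, user name mapped to a DN */
    UID_SIMPLE,   /* no prefix and not a DN: a simple name, mapped like "u:" */
    UID_INVALID   /* cannot be resolved; the operation must fail */
};

struct resolved {
    enum uid_kind kind;
    char dn[256]; /* internal DN the operation acts on; empty when invalid */
};

/* Authzid prefixes ("dn:", "u:") are matched case-insensitively. */
static int has_prefix_ci(const char *s, const char *prefix) {
    for (size_t i = 0; prefix[i] != '\0'; i++)
        if (s[i] == '\0' || tolower((unsigned char)s[i]) != tolower((unsigned char)prefix[i]))
            return 0;
    return 1;
}

/* Toy stand-in for dnNormalize(): accepts "type=value(,type=value)*" with no
 * RFC 4514 escaping or multi-valued RDNs. A real server must use its DN parser. */
static int looks_like_dn(const char *s) {
    if (*s == '\0') return 0;
    for (;;) {
        const char *eq = strchr(s, '='), *comma = strchr(s, ',');
        if (eq == NULL || eq == s || (comma != NULL && comma < eq)) return 0;
        for (const char *p = s; p < eq; p++) /* attribute type characters */
            if (!isalnum((unsigned char)*p) && *p != '-' && *p != '.') return 0;
        if (eq[1] == '\0' || eq[1] == ',') return 0; /* empty value */
        if (comma == NULL) return 1;
        s = comma + 1;
        if (*s == '\0') return 0; /* trailing comma */
    }
}

/* Hypothetical mapping rule standing in for slapd's authz-regexp: a bare user
 * name becomes uid=<name>,ou=people,dc=example,dc=com. The name is checked
 * against a safe alphabet first, so "bob,ou=admins" cannot be smuggled into
 * the resulting DN through the template. On failure dn is left empty. */
static int map_name_to_dn(const char *name, char *dn, size_t dnlen) {
    dn[0] = '\0';
    if (*name == '\0') return 0;
    for (const char *p = name; *p != '\0'; p++)
        if (!isalnum((unsigned char)*p) && *p != '.' && *p != '_' && *p != '-') return 0;
    int n = snprintf(dn, dnlen, "uid=%s,ou=people,dc=example,dc=com", name);
    if (n <= 0 || (size_t)n >= dnlen) { dn[0] = '\0'; return 0; }
    return 1;
}

/* Resolve userIdentity to an internal DN following the steps in the thread.
 * bound_dn is the DN of the authenticated session ("" when anonymous). */
static struct resolved resolve_user_identity(const char *ident, const char *bound_dn) {
    struct resolved r = { UID_INVALID, "" }; /* every branch must prove otherwise */
    if (ident == NULL || *ident == '\0') { /* absent: act on the bound user */
        if (bound_dn == NULL || *bound_dn == '\0') return r; /* anonymous: refuse */
        r.kind = UID_BOUND;
        snprintf(r.dn, sizeof r.dn, "%s", bound_dn);
    } else if (has_prefix_ci(ident, "dn:")) { /* "dn:cn=bob,dc=example,dc=com" */
        if (!looks_like_dn(ident + 3)) return r;
        r.kind = UID_AUTHZ_DN;
        snprintf(r.dn, sizeof r.dn, "%s", ident + 3);
    } else if (has_prefix_ci(ident, "u:")) { /* "u:bob" */
        if (map_name_to_dn(ident + 2, r.dn, sizeof r.dn)) r.kind = UID_AUTHZ_U;
    } else if (looks_like_dn(ident)) { /* "cn=bob,dc=example,dc=com" */
        r.kind = UID_DN;
        snprintf(r.dn, sizeof r.dn, "%s", ident);
    } else if (map_name_to_dn(ident, r.dn, sizeof r.dn)) { /* "bob" */
        r.kind = UID_SIMPLE;
    }
    return r;
}

static enum uid_kind classify(const char *ident, const char *bound_dn) {
    return resolve_user_identity(ident, bound_dn).kind;
}
static int resolves_to(const char *ident, const char *bound_dn, const char *dn) {
    struct resolved r = resolve_user_identity(ident, bound_dn);
    return r.kind != UID_INVALID && strcmp(r.dn, dn) == 0;
}

int main(void) {
    /* Constructed sample inputs: one per branch, plus inputs that must be rejected. */
    const char *samples[] = { "", "bob", "u:bob", "DN:cn=bob,dc=example,dc=com",
                              "cn=bob,dc=example,dc=com", "u:bob,ou=admins", "dn:not a dn" };
    const char *bound = "uid=alice,ou=people,dc=example,dc=com";
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct resolved r = resolve_user_identity(samples[i], bound);
        printf("%-30s -> kind=%d dn=%s\n", samples[i], (int)r.kind, r.dn);
    }
    return 0;
}
```

Two points worth keeping from the exchange when doing this for real: an absent userIdentity on an anonymous session has no DN to act on and must be refused rather than defaulting to anything, and whatever mapping turns "u:bob" or a bare "bob" into a DN has to constrain the name before it is spliced into DN syntax, otherwise the mapping itself becomes a way to pick a different entry.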