
Re: saslAuthz{To|From}



Pierangelo Masarati wrote:
now supports IDs in the form

dn[.{exact|subtree|children|regex}]:

where

- exact is trivial
- subtree means exact or children
- children means children but not exact
- regex uses regcomp/regexec to test

An unqualified ID of the form "dn:" is now
treated as exact.  I suggest using saslauthz.c 1.100
for the next releases, and move to 1.101 carefully
because this last change could break some configuration,
so be warned ...

IDs in the form "u:" are coming ...

I'm playing with "u:" form IDs, but they don't seem to be of much use; in fact, if a user in this form is found, it must be transformed into "dn:" form via slap_sasl2dn, which uses slap_parseURI after applying the sasl-regexp rules. So whenever one needs to write saslAuthz{To|From} values, "dn:" forms can be used with much more expressivity instead of "u:" forms.

I can leave it in place for completeness (I need to check
if there's any chance of infinite loops, though)
but we should not encourage their use.

And, we need to clarify if we want to allow the
"u:<username>" form, which, to be expanded to sasl form,
needs some info that is not available (mech, realm and so on)
or directly the more expressive sasl form
"u:uid=<username>[,cn=<realm>][,cn=mech],cn=auth"

to summarize:
- "u:<username>" is impossible: we need to know mech and realm
- "u:<sasl name>" is possible; it is run through sasl-regexp
  to compute the DN and then compared to the asserted DN

Comments are welcome.

Ando.

--
Dr. Pierangelo Masarati         mailto:pierangelo.masarati@sys-net.it
LDAP Architect, SysNet s.n.c.   http://www.sys-net.it
+----------------------------------------------------------------------------+
|   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax:+390382476497    |
+----------------------------------------------------------------------------+
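As an added illustration of the dn[.{exact|subtree|children|regex}]: matching rules described above (example code written for this page, not the saslauthz.c code the thread discusses), here is a small Python model that decides whether an asserted DN is granted by a saslAuthz{To|From} value. The DN normalisation is a deliberately simplified, constructed stand-in, and the "u:" forms are not modelled.

```python
import re

STYLES = ("exact", "subtree", "children", "regex")


def parse_authz_id(value):
    """Split 'dn[.style]:<value>' into (style, value).

    An unqualified 'dn:' is treated as exact, as the thread proposes.
    Only the dn forms are modelled; 'u:' forms are rejected here.
    """
    head, sep, body = value.partition(":")
    if not sep or not body:
        raise ValueError("malformed authz ID: %r" % value)
    if head == "dn":
        return "exact", body
    if head.startswith("dn.") and head[3:] in STYLES:
        return head[3:], body
    raise ValueError("unsupported authz ID form: %r" % value)


def rdns(dn):
    """Naive DN normalisation: split on ',' and lowercase each RDN.

    Constructed stand-in only; real LDAP DN normalisation (escaping,
    attribute syntaxes, multi-valued RDNs) is considerably more involved.
    """
    return [part.strip().lower() for part in dn.split(",")]


def authz_matches(authz_id, asserted_dn):
    """Return True if asserted_dn is granted by the dn[.style]: rule."""
    style, pattern = parse_authz_id(authz_id)
    if style == "regex":
        # Mirrors regcomp/regexec: the match is unanchored unless the
        # pattern itself carries ^ and $, so an unanchored rule over-matches.
        return re.search(pattern, asserted_dn) is not None
    base, cand = rdns(pattern), rdns(asserted_dn)
    is_exact = cand == base
    # children: strictly below the base, i.e. a longer DN ending in base
    is_child = len(cand) > len(base) and cand[-len(base):] == base
    if style == "exact":
        return is_exact
    if style == "children":
        return is_child
    return is_exact or is_child  # subtree = exact or children
```

The last regex case in the tests shows why a dn.regex: value should be anchored: without ^ and $ it also admits DNs that merely contain the intended base.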