Re: saslAuthz{To|From}
Pierangelo Masarati wrote:
now supports IDs in the form
dn[.{exact|subtree|children|regex}]:
where
- exact is trivial
- subtree means exact or children
- children means children but not exact
- regex uses regcomp/regexec to test
An unqualified ID of the form "dn:" is now
treated as exact. I suggest using saslauthz.c 1.100
for the next releases, and move to 1.101 carefully
because this last change could break some configuration,
so be warned ...
IDs in the form "u:" are coming ...
I'm playing with "u:" form IDs, but they don't seem
to be of much use; in fact, if a user in this form
is found, it must be transformed in "dn:" form via
slap_sasl2dn, which uses slap_parseURI after applying
the sasl-regexp rules. So whenever one needs to write
saslAuthz{To|From} values, "dn:" forms can be used with
much more expressivity instead of "u:" forms.
I can leave it in place for completeness (I need to check
if there's any chance of infinite loops, though)
but we should not encourage their use.
And, we need to clarify if we want to allow the
"u:<username>" form, which, to be expanded to sasl form,
needs some info that is not available (mech, realm and so on)
or directly the more expressive sasl form
"u:uid=<username>[,cn=<realm>][,cn=mech],cn=auth"
To summarize:
- "u:<username>" is impossible, we need to know mech and realm
- "u:<sasl name>" is possible; it is run through sasl-regexp
to compute the DN and then compared to the asserted DN
Comments are welcome.
Ando.
--
Dr. Pierangelo Masarati mailto:pierangelo.masarati@sys-net.it
LDAP Architect, SysNet s.n.c. http://www.sys-net.it
+----------------------------------------------------------------------------+
| SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax:+390382476497 |
+----------------------------------------------------------------------------+
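The dn[.{exact|subtree|children|regex}] matching rules summarized in the quoted message, as an added Python illustration of how a saslAuthz{To|From} value is compared against an asserted DN; this is not OpenLDAP's code (slapd does it in C in saslauthz.c with schema-aware DN normalization), and it simplifies normalization to whitespace trimming plus lowercasing of each RDN.

```python
import re

# Added illustration, not slapd code. Simplification: RDNs are compared
# after trimming and lowercasing, not the schema-aware normalization
# real slapd performs on DNs.

_AUTHZ_RE = re.compile(r'^dn(?:\.(exact|subtree|children|regex))?:(.*)$', re.S)


def normalize_dn(dn):
    """Split a DN into RDN strings, honouring escaped commas (\\,)."""
    rdns = re.split(r'(?<!\\),', dn)
    return tuple(rdn.strip().lower() for rdn in rdns if rdn.strip())


def parse_authz_id(authz_id):
    """Return (style, value). An unqualified 'dn:' is treated as 'exact'."""
    m = _AUTHZ_RE.match(authz_id)
    if m is None:
        raise ValueError("unsupported authz ID: %r" % authz_id)
    return (m.group(1) or "exact"), m.group(2)


def authz_id_matches(authz_id, asserted_dn):
    """Does asserted_dn fall under the saslAuthz{To|From} value authz_id?"""
    style, value = parse_authz_id(authz_id)
    if style == "regex":
        # regcomp/regexec semantics: an unanchored search, so a rule that
        # means "whole DN" must carry its own ^ and $ anchors.
        return re.search(value, asserted_dn) is not None
    base = normalize_dn(value)
    target = normalize_dn(asserted_dn)
    is_exact = target == base
    # children: strictly below the base, i.e. the trailing RDNs equal it
    is_child = len(target) > len(base) and target[len(target) - len(base):] == base
    if style == "exact":
        return is_exact
    if style == "children":
        return is_child
    return is_exact or is_child  # subtree = exact or children
```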