[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: saslAuthz{To|From}

Pierangelo Masarati wrote:
now supports IDs in the form



- exact is trivial
- subtree means exact or children
- children means children but not exact
- regex uses regcomp/regexec to test

An unqualified ID of the form "dn:" is now
treated as exact.  I suggest using saslauthz.c 1.100
for the next releases, and move to 1.101 carefully
because this last change could break some configuration,
so be warned ...

IDs in the form "u:" are coming ...

I'm playing with "u:" form IDs, but they don't seem to be of much use; in fact, if a user in this form is found, it must be trnsformed in "dn:" form via slap_sasl2dn, which uses sal_parseURI after applying the sasl-regexp rules. So whenever one needs to write saslAuthz{To|From} values, "dn:" froms can be used with much more expressivity insetad of "u:" forms.

I can leave it in place for completeness (I need to check
if there's any chance of infinite loops, though)
but we should not incourage their use.

And, we need to clarify if we want to allow the
"u:<username>" form, which, to be expanded to sasl form,
needs some info that is not available (mech, realm and so)
or directly in th more expressive sasl form

to summarize:
- "u:<username>" is impossible, we need to know mech and realm
- "u:<sasl name>" is possible; it is run thru sasl-regexp
  to compute the DN and then compared to the asserted DN

Comments are welcome.


Dr. Pierangelo Masarati         mailto:pierangelo.masarati@sys-net.it
LDAP Architect, SysNet s.n.c.   http://www.sys-net.it
|   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax:+390382476497    |