[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: LDAP Verify Credentials operation

> On Jan 3, 2011, at 7:04 PM, Kurt Zeilenga wrote:
>>> I note that you moved authzid retrieval to RFC 3829 authzid control.
>> Yeah, figured I might as well use it here.
>>> Are you going to implement its support server-side?  Otherwise I might
>>> have
>>> time to look at it, maybe not immediately.
>> I have no plans to implement this in slapd(8).  Might be a good starter
>> project for someone.
> I also have no plans to implement the general support for this control in
> the client side.  We use LDAP Who Am I? in the general case.

Quick comment (don't want to interfere too much with your development): in
ldapvc.c you added -a (authzid) and -b (ppolicy) switch.

Client-wise they are currently available as -e [!]bauthzid, -e ppolicy.

VC exop-wise controls could be grouped similarly, e.g. with a -a
[!]<name>[=<value>] switch, to avoid quickly running out of switches.

Moreover, since some of these controls only apply at bind, some only apply
during the specific operation(s) that client is supposed to do, some
always apply, we could move control parsing and creation to separate
helpers/switches, or add an optional field that indicates when the control
is supposed to be used.  This way, the -e switch could also be used to
indicate control specific for the vc operation.  Something like

   -e [!][<when>:]<name>[=<value>]

    <when> ::= {xadmrwcsre}+
    x ; bind
    a ; add
    d ; delete
    m ; modify
    r ; nename
    w ; "write": same as "admn"
    c ; compare
    s ; search
    r ; "read": same as "cs"
    b ; unbind
    u ; unbind
    e ; exop
        C ; cancel
        P ; passmod
        V ; vc
        W ; whoami

If no specifier is given, the same control is used for all operations it
applies to.  So ldapvc could use, for example

    -e !xV:bauthzid -e V:ppolicy -e xV:sessiontracking

to use authzid and session tracking for bind, and authzid, ppolicy and
session tracking for vc.