VC exop and LDAPWhoAmI?

Trying to get SASL bind support into the Load Balancer now and a bit
stuck when it comes to figuring out what the resulting authorisation
identity is (SASL or LDAP say it's backend specific) for use with the
proxyauthz control.

Passing the binds on is the simple one, we can just send an LDAPWhoAmI
after a successful result and we're set.

If the backends support the VC extended operation, we want to use that,
since that doesn't necessarily tie up a connection for each active bind.
In that case, there is no way to get the authzId out.

What is the best way to amend the VC spec?

I would think adding another optional boolean field "return authzid"
might be preferable. Setting it would have the server return a new field
in the response containing the authorisation identity (maybe letting the
server return it anyway, but that mightn't do good things to backward
compatibility).

A new control might be another option, that control could then be
attached to bind requests as well I guess to obviate the need to send
LDAPWhoAmI afterwards.

This might be of use for applications that have a similar use case: use
VC Exop and then attach the proxyauthz control to operations performed
on each of its clients' behalf.

-- 
Ondřej Kuzník
Senior Software Engineer
Symas Corporation                       http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP