Re: Section for admin guide on DIGEST-MD5
On Mon, Jul 15, 2002 at 01:09:41PM -0700, Howard Chu wrote:
>
> > The example from the existing admin guide uses a regex:
> >
> > uid=(.*),.*cn=auth
> >
> > which risks assigning more than just the uid to the search. Debugging
> > such an error is hard, as the necessary information does not appear in
> > the logs unless trace logging is on.
>
> This example could be changed to
> uid=(.*),cn=.*,cn=auth
I would prefer:
uid=([^,]),cn=.*,cn=auth
but that currently fails to parse.
> but I'm not sure I like such a lenient example being there in the first
> place. The text warns about using such a loose rule, and I would hope no
> one actually uses them.
>
> The text you offer rolls sasl-regexp description into the DIGEST-MD5 section,
> but sasl-regexp is not specific to that mechanism. This layout is misleading.
True - I was trying to contain my additions to one section. I have
abandoned that, moved the sasl-regexp examples down where they belong,
and submitted a diff through the ITS (ITS#1958).
> "saslRegexp" is a valid keyword but I prefer that "sasl-regexp" be used in
> the guide to keep it consistent with the other sasl config keywords.
OK - I had based that on the online web page version. Now consistent
with the rest of the CVS version.
> Any example that employs non-default realms really should provide some
> motivation for using a non-default realm. It makes little sense to
> configure SASL with more than one realm if all of the users in both realms
> come out of an identical LDAP namespace. Certainly that is not how things
> would behave if you were still using sasldb. I would prefer an example
> where the non-default realm is mapped to a separate DN subtree, distinct
> from the default case.
Good point. I have changed the example to show such a case.
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| Andrew.Findlay@skills-1st.co.uk +44 1628 782565 |
-----------------------------------------------------------------------
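
Added example, not part of the original message or of the admin guide: a check of what the first capture group ($1 in a sasl-regexp replacement) receives for the two patterns quoted in the thread, run against authentication request DNs of the form uid=<username>,cn=<realm>,cn=<mechanism>,cn=auth. Assumptions: the sample DNs are constructed, the "bounded" pattern with `[^,]+` is a variant written for this example, and Python's `re` stands in for the POSIX regex matching slapd performs.

```python
import re

# Constructed SASL authentication request DNs in the form slapd builds:
# uid=<username>,cn=<realm>,cn=<mechanism>,cn=auth (the realm part is optional).
SAMPLE_DNS = [
    "uid=alice,cn=digest-md5,cn=auth",
    "uid=alice,cn=example.com,cn=digest-md5,cn=auth",
]

# The two patterns quoted in the thread, plus a bounded variant that is an
# assumption of this example (the character class cannot cross a comma).
PATTERNS = {
    "admin-guide": r"uid=(.*),.*cn=auth",
    "tightened": r"uid=(.*),cn=.*,cn=auth",
    "bounded": r"uid=([^,]+),cn=.*,cn=auth",
}

def captured_uid(pattern, dn):
    """Return what the first group ($1 in sasl-regexp) captures, or None."""
    m = re.search(pattern, dn)
    return m.group(1) if m else None

def audit(patterns=PATTERNS, dns=SAMPLE_DNS):
    """Map each pattern name to the DNs where $1 spills past the uid value."""
    findings = {}
    for name, pattern in patterns.items():
        leaks = []
        for dn in dns:
            uid = captured_uid(pattern, dn)
            # A comma inside $1 means later RDNs were swallowed into the uid.
            if uid is not None and "," in uid:
                leaks.append((dn, uid))
        findings[name] = leaks
    return findings

if __name__ == "__main__":
    for name, leaks in audit().items():
        print(name, "OK" if not leaks else "over-captures:")
        for dn, uid in leaks:
            print(f"  {dn} -> $1 = {uid!r}")
```

The greedy `(.*)` in the tightened pattern behaves only while no realm component is present; once one is, the realm RDN ends up in $1 as well.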