Making the original authcid available to plugins



A plugin we've developed needs access to the original authentication
identity, because certain operations are handled differently if they
come from a trusted entity acting on behalf of a user (for example,
a replica proxying a password change) rather than the user itself.

At present we're using the rather ugly hack of retrieving the SASL
context (SLAPI_X_CONN_SASL_CONTEXT), retrieving SASL_AUTHUSER from
that, and then applying analogous rules to the SASL regex transforms
to turn it into a DN.

It would be more efficient (avoiding an extra search, and alignment
of code with SASL authorization policies) if the original authcid,
after mapping to a DN, was not disposed of, and thus could be 
exposed through SLAPI.

Thoughts?

-- Luke