[Date Prev][Date Next] [Chronological] [Thread] [Top]

Making the original authcid available to plugins

To: openldap-devel@OpenLDAP.org
Subject: Making the original authcid available to plugins
From: Luke Howard <lukeh@PADL.COM>
Date: Mon, 15 Sep 2003 23:27:49 +1000
Organization: PADL Software Pty Ltd
Versions: dmail (bsd44) 2.4c/makemail 2.9d

A plugin we've developed needs access to the original authentication
identity, because certain operations are handled differently if they
come from a trusted entity acting on behalf of a user (for example,
a replica proxying a password change) rather than the user itself.

At present we're using the rather ugly hack of retrieving the SASL
context (SLAPI_X_CONN_SASL_CONTEXT), retrieving SASL_AUTHUSER from
that, and then applying analogous rules to the SASL regex transforms
to turn it into a DN.

It would be more efficient (avoiding an extra search, and alignment
of code with SASL authorization policies) if the original authcid,
after mapping to a DN, was not disposed of, and thus could be 
exposed through SLAPI.

Thoughts?

-- Luke

Follow-Ups:
- RE: Making the original authcid available to plugins
  - From: "Howard Chu" <hyc@highlandsun.com>

Prev by Date: RE: back-bdb DB_RECOVER and soft restart
Next by Date: RE: Making the original authcid available to plugins
Index(es):
- Chronological
- Thread