Re: commit: ldap/doc/man/man5 slapd-ldap.5



> Some suggestions...
>
> Start TLS?
> SASL Bind (for both bind and proxy authcid)
>   with authzid assertion (at SASL Bind time) for both
>
> idassert-mode <dn> should likely be idassert-mode <authzid>.
> That is, either dn:uid=foo,dc=example,dc=com or u:foo should be
> allowed.

Right.

>
> I think modes are confusing.  I suggest:
>         none - no proxy authz control
>         user (or self) - proxy authz control with client's authz
>         anonymous - anonymous proxy authz control
>                 (same as <authz> with "")
>         <authz> - as specified
>
> (I don't see what your fifth choice is for.)

Sure.  My concern is that the "proxyauthzdn" stuff was already in there
for multiple glued instances of back-ldap to cooperate by propagating the
client's identity if required, and I didn't want to break that too much. 
I'll probably converge to your suggestion as soon as I can implement
exactly that functionality within any of the idassert-modes (it's
essentially a matter of deciding in what case the client's id should be
asserted by the proxy, or let thru with a direct bind).

So my "none" should become "legacy" until I work this out,
and my "proxyid" should become "none"...

Ando.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497