Re: commit: ldap/tests/scripts test028-idassert conf.sh defines.sh
At 08:39 AM 6/19/2004, Pierangelo Masarati wrote:
>Kurt D. Zeilenga wrote:
>
>>At 06:14 AM 6/19/2004, Pierangelo Masarati wrote:
>>
>>
>>>ando@OpenLDAP.org wrote:
>>>
>>>
>>>
>>>>Added Files:
>>>> test028-idassert NONE -> 1.1
>>>>
>>>>
>>>I just found out that native SASL authz doesn't work with CRAM-MD5,
>>>i.e. the bound identity remains that of the incoming authcDN;
>>>with DIGEST-MD5 the bound identity is turned into that of the authzDN
>>>specified via SASL. I'm not so familiar with SASL details, but I thought
>>>the authz did not depend on the specific mech.
>>>
>>
>>Not all SASL mechanisms support proxy authorization...
>>
>I guessed something like that, and I was going to look for a means to detect
>what mechs support it, because the idassert code currently assumes that when
>configured to use SASL method authz will be done natively by SASL.
I suggest you just hardcode it for DIGEST-MD5 (and skip if
not available). Maybe support PLAIN as well (but you'll
have to configure both client & server to allow it without
TLS).
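
An added illustration, not part of the thread or of the OpenLDAP test suite: the PLAIN (RFC 4616) and CRAM-MD5 (RFC 2195) client messages side by side, showing that CRAM-MD5 has no field for an authzid, plus a mechanism picker along the lines suggested above. Function names, identities and the challenge string are constructed for the example.

```python
import hashlib
import hmac

def plain_response(authcid, password, authzid=""):
    """RFC 4616 message: [authzid] NUL authcid NUL passwd."""
    return b"\0".join(s.encode("utf-8") for s in (authzid, authcid, password))

def cram_md5_response(authcid, password, challenge):
    """RFC 2195 response: username SP hex(HMAC-MD5(key=password, challenge))."""
    digest = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return authcid.encode("utf-8") + b" " + digest.encode("ascii")

def server_identities(mech, response):
    """Return (authcid, authzid) as a server can read them off the wire."""
    if mech == "PLAIN":
        authzid, authcid, _password = response.split(b"\0", 2)
        authcid = authcid.decode("utf-8")
        # An empty authzid means "act as the authenticated identity".
        return authcid, authzid.decode("utf-8") or authcid
    if mech == "CRAM-MD5":
        # Only a username and a digest are sent; a requested authzid
        # cannot be expressed, so the bound identity stays the authcid.
        authcid = response.rsplit(b" ", 1)[0].decode("utf-8")
        return authcid, authcid
    raise ValueError("mechanism not modelled in this example: " + mech)

def pick_idassert_mech(offered):
    """Prefer DIGEST-MD5, then PLAIN; None tells the caller to skip the test.

    PLAIN only works if client and server are configured to allow it
    without TLS, as noted in the message above.
    """
    for mech in ("DIGEST-MD5", "PLAIN"):
        if mech in offered:
            return mech
    return None

if __name__ == "__main__":
    target = "dn:cn=user,dc=example,dc=com"      # constructed authzid
    challenge = b"<1896.697170952@example.com>"  # constructed challenge
    print(server_identities("PLAIN", plain_response("proxy", "secret", target)))
    print(server_identities("CRAM-MD5", cram_md5_response("proxy", "secret", challenge)))
    print(pick_idassert_mech(["CRAM-MD5", "DIGEST-MD5"]))
```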