
Re: commit: ldap/servers/slapd/back-ldap back-ldap.h bind.c



> At 09:18 AM 6/19/2004, ando@OpenLDAP.org wrote:
>>Log Message:
>>allow a hidden parameter to instruct the proxy that the SASL mech can do
>> native authz; will disappear as soon as I can detect it automatically
>
> Hmmm... I don't think slapd(8) should be coded with this
> kind of knowledge.  If the user configures back-ldap
> to use SASL proxy authorization, the user should configure
> back-ldap to use a SASL mechanism which supports
> proxy authorization.  If the user fails to do this, that's
> his problem.

Well, currently the code can do proxy authorization in two ways:
1) by adding a proxyAuthz control to all operations
2) by using the native SASL authorization at SASL bind

option (2) is preferable, but works only for those mechs that allow it;
option (1) works for all.

At present, DIGEST-MD5 is the only mech I'm 100% sure can use option
(2), that's why it's hardcoded.  For all other SASL mechs, the
administrator can instruct the proxy to use native authz, if the
administrator knows the mech [s]he is selecting is able to do it.
The default, if nothing is provided by the user and DIGEST-MD5 is not
used, is to resort to option (1).  Is this reasonable?

Ando.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
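The two proxy-authorization paths discussed in this thread, as an added Python illustration that is not OpenLDAP code (the function names, the `admin_says_native` flag standing in for the "hidden parameter", and the hardcoded mechanism set are assumptions made for the example). Option (2) carries the authorization identity inside the SASL bind, so nothing is attached to later operations; option (1) attaches a Proxied Authorization Control (RFC 4370) to every operation, whose value is the raw authzId and whose criticality must be TRUE:

```python
"""Added illustration (not OpenLDAP's code): choosing between SASL-native
authorization at bind time (option 2) and a per-operation proxyAuthz control
(option 1), following the decision rule described in the message."""
from dataclasses import dataclass
from typing import List, Optional

# OID of the LDAP Proxied Authorization Control (RFC 4370).
PROXY_AUTHZ_OID = "2.16.840.1.113730.3.4.18"

# Mechanisms the proxy is sure can carry an authorization identity natively.
# Per the message, only DIGEST-MD5 is hardcoded; this set is an assumption
# mirroring that.
NATIVE_AUTHZ_MECHS = {"DIGEST-MD5"}


@dataclass(frozen=True)
class Control:
    """Minimal LDAP control: OID, criticality flag and raw control value."""
    oid: str
    criticality: bool
    value: bytes


def choose_authz_path(mech: Optional[str], admin_says_native: bool = False) -> str:
    """Return 'sasl-native' (option 2) or 'proxyauthz-control' (option 1).

    mech is None for a simple bind, which has no SASL authzid at all, so the
    control is the only way to assert an identity there.  admin_says_native is
    the hypothetical knob standing in for the commit's hidden parameter.
    """
    if mech is None:
        return "proxyauthz-control"
    if mech.upper() in NATIVE_AUTHZ_MECHS:
        return "sasl-native"
    if admin_says_native:
        return "sasl-native"
    return "proxyauthz-control"


def proxy_authz_control(authz_id: str) -> Control:
    """Build the control used on each operation for option (1).

    RFC 4370: the control value is the authzId itself, not BER-wrapped; an
    empty value means anonymous; otherwise 'dn:<DN>' or 'u:<userid>' (RFC 4513).
    Criticality MUST be TRUE so a server that does not understand it refuses
    the operation instead of running it as the proxy's own identity.
    """
    if not (authz_id == "" or authz_id.startswith(("dn:", "u:"))):
        raise ValueError("authzId must be empty, 'dn:<DN>' or 'u:<userid>'")
    return Control(PROXY_AUTHZ_OID, True, authz_id.encode("utf-8"))


def controls_for_operation(mech: Optional[str], authz_id: str,
                           admin_says_native: bool = False) -> List[Control]:
    """Controls to attach to a proxied operation.

    Empty when the identity was already asserted at SASL bind (option 2);
    a single proxyAuthz control otherwise (option 1).
    """
    if choose_authz_path(mech, admin_says_native) == "sasl-native":
        return []
    return [proxy_authz_control(authz_id)]


if __name__ == "__main__":
    # Constructed sample configurations, one per case in the message.
    for mech, flag in (("DIGEST-MD5", False), ("GSSAPI", False),
                       ("GSSAPI", True), (None, False)):
        ctrls = controls_for_operation(mech, "u:alice", flag)
        print(f"mech={mech!s:11} native-flag={flag!s:5} "
              f"path={choose_authz_path(mech, flag):19} controls={len(ctrls)}")
```

Running the block prints one line per configuration: only the DIGEST-MD5 case and the GSSAPI-with-flag case take the bind-time path; the others get a proxyAuthz control on every operation.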