
Re: authz-regexp without SASL



At 01:57 PM 7/1/2005, Hallvard B Furuseth wrote:
>authz-regexp (OpenLDAP 2.3) seems to only work for SASL.
>I note it was called sasl-regexp before. 

Yes, because it was originally just for mapping SASL
authorization identities.  Now it can map some additional
authorization identities, such as when using the proxied
authorization control.

>Will it be changed
>to work for Simple Bind?

Well, it could be changed to map the authenticated
identity, which normally becomes the authorization
identity, to some other authorization identity.
One likely could do that with an overlay.

>Its manpage section says it should
>work in general, though it mostly talks about SASL.
>E.g.
>  authz-regexp "^.*" "uid=hbf,cn=people,dc=uio,dc=no"
>does not let anyone log in with my password and access:-)

Wouldn't this mean that any authenticated user would
act as the "uid=hbf,cn=people,dc=uio,dc=no" authorization
identity?

Kurt


>-- 
>Hallvard
>Don't anthropomorphize computers. They hate that.
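
The mapping discussed in this thread, as an added example that is not part of the original message or of OpenLDAP's code: a simplified Python model of `authz-regexp` evaluation (first matching rule wins, `$1` substitution) that shows how the catch-all rule quoted above collapses distinct SASL identities into one authorization DN. The sample DNs and the narrower rule are constructed for illustration, and Python's `re` stands in for slapd's regex matching.

```python
import re

# Rules in (match, replace) form, as in "authz-regexp <match> <replace>".
# CATCH_ALL is the rule quoted in the thread.
CATCH_ALL = [(r"^.*", "uid=hbf,cn=people,dc=uio,dc=no")]
# Hypothetical narrower rule (assumption): one mechanism, anchored at both
# ends, with the captured uid carried into the resulting DN.
SCOPED = [(r"^uid=([^,]+),cn=digest-md5,cn=auth$",
           "uid=$1,cn=people,dc=uio,dc=no")]

# Constructed SASL authentication DNs (not taken from any real directory).
SAMPLE_DNS = [
    "uid=alice,cn=digest-md5,cn=auth",
    "uid=bob,cn=digest-md5,cn=auth",
    "uid=carol,cn=gssapi,cn=auth",
]

def map_identity(rules, authn_dn):
    """Return the authorization DN for authn_dn; the first matching rule wins.

    Simplified model: DN replacements only (no LDAP URL searches).
    """
    for pattern, replacement in rules:
        m = re.search(pattern, authn_dn, re.IGNORECASE)
        if m:
            # Expand $1..$9 with the groups captured by the match pattern.
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))),
                          replacement)
    return authn_dn  # no rule matched: the identity is left unchanged

def collapsed_identities(rules, authn_dns):
    """Return {target DN: [source DNs]} for targets shared by several inputs.

    A non-empty result means distinct authenticated users end up acting as
    the same authorization identity, which is the concern raised in the reply.
    """
    by_target = {}
    for dn in authn_dns:
        by_target.setdefault(map_identity(rules, dn), []).append(dn)
    return {t: srcs for t, srcs in by_target.items() if len(srcs) > 1}

if __name__ == "__main__":
    for name, rules in (("catch-all", CATCH_ALL), ("scoped", SCOPED)):
        print(name, "->", collapsed_identities(rules, SAMPLE_DNS) or "no collapse")
```

Running the same check over a rule set with a representative list of authentication DNs before deployment flags any rule that maps many users onto one entry.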