
Re: authz-regexp without SASL



Kurt D. Zeilenga writes:
>At 01:57 PM 7/1/2005, Hallvard B Furuseth wrote:
>> authz-regexp (OpenLDAP 2.3) seems to only work for SASL.
>> I note it was called sasl-regexp before.
>
> Yes, because it was originally just for mapping SASL authorization
> identities.  Now it can map some additional authorization
> identities, such as when using the proxied authorization control.
>
>> Will it be changed to work for Simple Bind?
>
> Well, it could be changed to map the authenticated
> identity, which normally becomes the authorization
> identity, to some other authorization identity.
> One likely could do that with an overlay.

OK.  But then the doc should be changed to say when authz-regexp
is used.  The current doc gives the impression that it always is.


>>   authz-regexp "^.*" "uid=hbf,cn=people,dc=uio,dc=no"
>> does not let anyone log in with my password and access:-)
>
> Wouldn't this mean that any authenticated user would act
> as the "uid=hbf,cn=people,dc=uio,dc=no" authorization identity?

Ah.  I got confused by "Used by the authentication framework" in
the doc.  Maybe that should be "by the authorization framework"?
And "...convert *authenticated* user names ...".

-- 
Hallvard
Don't anthropomorphize computers. They hate that.
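The point Kurt makes above (authz-regexp rewrites the authorization identity derived from a SASL bind or a proxied-authorization request, not the DN of a simple bind) is easier to see next to a configuration. The slapd.conf fragment below is an added example, not from this thread or from the OpenLDAP documentation; the suffix dc=example,dc=com and the user names are assumed. It puts the narrow mapping an administrator normally wants beside the catch-all form from the thread, which hands every authenticated SASL user the same authorization identity and should not be used.

```conf
# Added example (not part of the thread): slapd.conf fragment for OpenLDAP 2.3.
# authz-regexp is applied to SASL authentication identities of the form
#   uid=<user>,cn=<realm>,cn=<mech>,cn=auth   or   uid=<user>,cn=<mech>,cn=auth
# and to identities supplied via the proxied authorization control.
# A simple bind supplies a DN directly, so no mapping takes place for it.

# Narrow mapping: the SASL user name (first capture group, $1) is looked up
# under the assumed suffix dc=example,dc=com; the search must return exactly
# one entry, which becomes the authorization DN.
authz-regexp "^uid=([^,]+)(,cn=[^,]+)?,cn=[^,]+,cn=auth$" "ldap:///dc=example,dc=com??sub?(uid=$1)"

# Catch-all mapping as posted in the thread: every authenticated SASL user is
# mapped to one fixed DN and inherits whatever access that DN has.
# Left commented out here because it collapses all SASL users into one identity.
# authz-regexp "^.*" "uid=hbf,cn=people,dc=uio,dc=no"
```

The first directive keeps the authenticated user and the resulting authorization DN tied to the same uid, so an ACL review can reason about who is acting; the commented-out directive is the case Kurt describes, where the authorization identity no longer says anything about who authenticated.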