Re: identity assertion
On Fri, 2006-01-20 at 16:16 -0600, Eric Irrgang wrote:
> I already have my target directory set up that way but I don't know how to
> do identity assertion from a regular ldap client without using SASL. Is
> there a way? For instance, the following fails with "ldapsearch: not
> compiled with SASL support"
>
> ldapsearch -x -W -D cn=authorizeduser,dc=test -X cn=config,dc=test
No. The message seems to indicate that your client doesn't have SASL
compiled in, but in any case the -x prevents it from doing a SASL bind,
so you should use something different. But, as I said before,
authorization and SASL are orthogonal. Without mucking with SASL, you
can use:
    ldapsearch -x -W -D cn=authorizeduser,dc=test \
        -e '!authzid=dn:cn=config,dc=test'
this causes the tool to use the proxyAuthz control on that operation
(the '!' is because the control MUST be critical).
p.
Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team
SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati@sys-net.it
------------------------------------------
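
Added example, not part of the original message: a Python sketch of the control that `-e '!authzid=dn:cn=config,dc=test'` attaches to the request, with the criticality flag that the `!` sets, plus the check a receiver applies to it. The OID and the encoding are taken from RFC 4370 and RFC 4511 rather than from this thread, and the function names are illustrative.

```python
PROXY_AUTHZ_OID = "2.16.840.1.113730.3.4.18"  # from RFC 4370, not from the post

def _tlv(tag: int, value: bytes) -> bytes:
    """Encode one BER element with a definite length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + value

def build_proxy_authz(authzid: str, critical: bool = True) -> bytes:
    """Control ::= SEQUENCE { controlType, criticality DEFAULT FALSE, controlValue }"""
    body = _tlv(0x04, PROXY_AUTHZ_OID.encode("ascii"))
    if critical:                       # FALSE is the default and is omitted
        body += _tlv(0x01, b"\xff")    # BOOLEAN TRUE: what the '!' prefix sets
    body += _tlv(0x04, authzid.encode("utf-8"))  # value is the authzId itself
    return _tlv(0x30, body)

def _read_tlv(buf: bytes, pos: int):
    """Decode one element at pos; return (tag, value, next_pos)."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                       # long form: low bits count the length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + n], pos + n

def parse_control(raw: bytes):
    """Return (oid, critical, value) for one encoded Control."""
    tag, body, _ = _read_tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("Control must be a SEQUENCE")
    _, oid, pos = _read_tlv(body, 0)
    critical, value = False, None
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag == 0x01:                # criticality BOOLEAN
            critical = val != b"\x00"
        elif tag == 0x04:              # controlValue OCTET STRING
            value = val.decode("utf-8")
    return oid.decode("ascii"), critical, value

def is_valid_proxy_authz(raw: bytes) -> bool:
    """Accept the control only when it is marked critical and carries a value."""
    oid, critical, value = parse_control(raw)
    return oid == PROXY_AUTHZ_OID and critical and value is not None
```

Building the control with `critical=False` yields an encoding without the BOOLEAN element, which `is_valid_proxy_authz` rejects; this corresponds to omitting the `!` on the command line.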