
Re: Bind using credentials from another directory server



François Beretti wrote:
How does the authorization system work when using such an overlay? Can one write an ACL giving access to a user DN not in the directory?

Yes of course. Any valid DN (i.e., a DN that conforms to the schema) can be specified in an ACL, regardless of whether that DN corresponds to an entry residing in the current server. Otherwise distributed authentication and authorization would be impossible.


Note that SASL is already an example of this fact - SASL IDs don't have to exist in the directory, but if SASL says they are authenticated then we allow their use. Once an identity has been authenticated, by whatever means, it is valid.

2007/2/2, Howard Chu <hyc@symas.com>:

In general, unless you actually need to perform all of the functions of a backend, you can usually get by with something much smaller - like an overlay that only intercepts Bind operations, or a password hash module in this case.

--
Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
Chief Architect, OpenLDAP http://www.openldap.org/project/
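The following slapd.conf fragment is an added illustration of the point made in this thread; it is not part of the original messages and not OpenLDAP project code. It grants access to two DNs that have no entry in the local server: one that is assumed to be authenticated by a Bind-intercepting overlay against another directory, and the synthesised "cn=auth" DN that slapd assigns to a SASL identity when no authz-regexp maps it to a local entry. The suffix dc=example,dc=com, the DNs and the DIGEST-MD5 mechanism are assumptions chosen for the example.

```conf
# Added example (not from the original thread). Suffix and DNs are assumed.
#
# Two identities that have no entry under dc=example,dc=com:
#   1. uid=replicator,ou=accounts,dc=other,dc=example
#      -> authenticated elsewhere (e.g. by an overlay proxying Binds to
#         another directory server)
#   2. uid=<user>,cn=digest-md5,cn=auth
#      -> the DN slapd synthesises for a SASL DIGEST-MD5 identity; with no
#         authz-regexp directive it is never rewritten to a local entry
#
# slapd only checks that a "dn.exact" value is a well-formed DN, not that an
# entry with that DN exists, so both can be named in "by" clauses.

# Passwords: owners may change their own, anyone may bind against them,
# the remote replicator identity may read them, everyone else gets nothing.
access to dn.subtree="ou=people,dc=example,dc=com" attrs=userPassword
    by self write
    by anonymous auth
    by dn.exact="uid=replicator,ou=accounts,dc=other,dc=example" read
    by * none

# Remaining attributes: readable by the non-local replicator DN and by any
# SASL DIGEST-MD5 identity, matched on the shape of its synthesised DN.
access to dn.subtree="ou=people,dc=example,dc=com"
    by dn.exact="uid=replicator,ou=accounts,dc=other,dc=example" read
    by dn.regex="^uid=[^,]+,cn=digest-md5,cn=auth$" read
    by * none
```

Because the match is purely on the (normalised) DN string, whatever system vouches for that DN at Bind time effectively decides who receives these rights, so the remote directory or SASL mechanism sits inside the trust boundary of this ACL. To confirm what a non-local identity is granted without performing a real Bind, slapacl(8) evaluates the configured ACLs for an arbitrary authenticating DN, for example `slapacl -D "uid=alice,cn=digest-md5,cn=auth" -b "uid=bob,ou=people,dc=example,dc=com" userPassword/read`, which for the rules above should report that read access is denied.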