Re: rwm and sasl authz
----- "Konstantinos Koukopoulos" <kouk+Lists.openldap@noc.uoa.gr> wrote:
> On Thursday 24 July 2008 19:07:38 Pierangelo Masarati wrote:
> > Yes, it is a known issue. When slapo-rwm was first designed, however, it
> > could only be stacked on top of a database, so it would have been bypassed
> > by SASL bind anyway.
>
> Would that still be the case if internal auxprop authentication was used? In
> that case I think that a SASL bind would result in an internal search op
> being performed. The problem then on the slapo-rwm level is how to
> distinguish between the search performed in order to complete the SASL bind
> and other searches.
>
> > However, it is not clear (to me) why one should
> > rewrite a DN resulting from an authz-regexp instead of directly modifying
> > the authz-regexp in the first place.
>
> The downside of using authz-regexp is that it seems you cannot assign a
> variable with the '${&&name(value)}' syntax and make it available to the
> other rewrite contexts using '${**name}'. If authz-regexp was somehow
> integrated with slapo-rwm then there wouldn't be a problem.
Well, authz-regexp uses exactly the same utility of slapo-rwm. However, the two rewrites belong to independent sessions. Probably, slapd should allow cross-session variable population to yield the capability you're looking for. This requires some work at the librewrite level. Please file an ITS for a feature request in this sense.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: ando@sys-net.it
-----------------------------------