Wesley Craig wrote:
> On 31 May 2008, at 17:25, Igor Brezac wrote:
>> Wesley Craig wrote:
>>> On 31 May 2008, at 00:06, Igor Brezac wrote:
>>>> SASL used to be required for ldap proxy authz, but I do not think
>>>> this is the case any more. I suggested that both ldap_sasl and
>>>> ldap_proxy_authz do the same thing.
>>> Perhaps I misunderstand you. Since SASL authN and proxy authZ are
>>> more or less completely orthogonal, why would you have them do the
>>> same thing? I propose that ldap_sasl control the way bind is done.
>>> And ldap_proxy_authz is used to control how user DNs are obtained.
>> Your patch breaks existing configurations; we usually try to preserve
>> configuration compatibility when possible. Otherwise I am fine with
>> your approach. Maybe automatically set ldap_proxy_authz to true when
>> ldap_sasl is turned on and when ldap_proxy_authz is not explicitly
>> specified in the config?
> Well, that's an issue. We could make ldap_proxy_authz tri-valued:
> legacy, on, and off. Legacy would be the default and would revert to
> the old behavior. Of course, that means that it wouldn't support
> imapd.conf's typical 0/1, on/off, t/f "switch" syntax.

virtdomains is tri-valued, so I wouldn't have a problem with your proposal.

--
Kenneth Murchison
Systems Programmer
Project Cyrus Developer/Maintainer
Carnegie Mellon University