Emmanuel Lecharny wrote:
Hi guys,

there is something puzzling me with the current SASL implementation we
have. SASL can be used to allow a user to authenticate into ADS even if
it is not defined and known by ADS. This is done through the EXTERNAL
mechanism. That's all good.

But now, my question is: how do we handle the authorization for an
externally authenticated user? Currently the ACDFs are evaluated
considering that a user is described by a DN, which won't be the case
for the EXTERNAL mechanism.

I would suggest that we define a virtual partition for such external
users, where the user is defined as:
cn=<user external name>, dc=external-user, ou=system, otherwise, I
think we have to modify the whole authz mechanism.

Did I miss something? Thoughts?

PS: NTLM is currently defined as a standard mechanism, but can also be
defined as External. There is currently _no_ documentation on the NTLM
SASL mechanism available... We will keep the NTLM mechanism as not
external atm, even if the authentication is done externally. It may
evolve later.
For what it's worth, OpenLDAP always constructs DNs of the form

uid=foo,cn=<realm>,cn=<mech>,cn=auth

for SASL authentications. Then using a separate authz-regexp config you can
configure mappings from this form to whatever naming scheme your DIT actually
uses. For EXTERNAL with X.509 certificates, we start with the actual
certificate Subject DN, and also pass it thru the mapper. In practice, a
well-run PKI should be issuing DNs that exactly correspond to their users'
LDAP DN, but it seems very few real world PKI deployments are "well-run" ...
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
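As an added illustration, not taken from the thread or from OpenLDAP's own documentation, this is what the authz-regexp mapping Howard describes looks like in slapd.conf. The DIT layout is assumed: user entries under ou=people,dc=example,dc=com carrying a uid attribute, certificate subjects recorded in the entries' seeAlso attribute, and ou=staff,o=example as the PKI's naming scheme.

```conf
# Added example (not from the thread): slapd.conf rules that map the identities
# slapd derives from SASL onto entries in the real DIT. Assumed layout: users
# under ou=people,dc=example,dc=com with a uid attribute; the certificate
# Subject DN of each user is stored in that entry's seeAlso attribute.

# SASL EXTERNAL over TLS only yields an identity when the client certificate
# has been verified, so client-certificate verification must be required.
TLSVerifyClient demand

# 1. Password-style SASL mechanisms (DIGEST-MD5, GSSAPI, ...): slapd presents
#    the authenticated user as uid=<name>,cn=<realm>,cn=<mech>,cn=auth, or as
#    uid=<name>,cn=<mech>,cn=auth when the mechanism carries no realm. The
#    optional group below accepts both. Rewriting to an LDAP URL makes slapd
#    look the entry up by uid instead of constructing a DN blindly.
authz-regexp
  "^uid=([^,]+),(cn=[^,]+,)?cn=[^,]+,cn=auth$"
  "ldap:///ou=people,dc=example,dc=com??one?(uid=$1)"

# 2. SASL EXTERNAL with X.509: the identity is the certificate Subject DN in
#    normalised LDAP string form (e.g. cn=alice,ou=staff,o=example). Match the
#    entry whose seeAlso attribute records exactly that subject.
authz-regexp
  "^(cn=[^,]+,ou=staff,o=example)$"
  "ldap:///ou=people,dc=example,dc=com??one?(seeAlso=$1)"

# Rules are tried in file order and the first match wins. A URL-form
# replacement must resolve to exactly one entry for the mapping to succeed;
# an identity that matches no rule keeps its uid=...,cn=auth (or raw
# subject) form, so it only hits ACLs written for that form, never the
# entry under ou=people.
```

Testing a rule without binding is possible with `ldapwhoami -Y EXTERNAL` (or the mechanism under test): the returned authzId shows whether the mapping landed on the intended entry.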