At 09:01 AM 7/2/2005, Hallvard B Furuseth wrote:
>Kurt D. Zeilenga writes:
>>At 01:57 PM 7/1/2005, Hallvard B Furuseth wrote:
>>> authz-regexp (OpenLDAP 2.3) seems to only work for SASL.
>>> I note it was called sasl-regexp before.
>>
>> Yes, because it was originally just for mapping SASL authorization
>> identities. Now it can map some additional authorization
>> identities, such as when using the proxied authorization control.
>>
>>> Will it be changed to work for Simple Bind?
>>
>> Well, it could be changed to map the authenticated
>> identity, which normally becomes the authorization
>> identity, to some other authorization identity.
>> One likely could do that with an overlay.
>
>OK. But then the doc should be changed to say when authz-regexp
>is used. The current doc gives the impression that it always is.

Personally, I have no problem with applying authz-regexp to the authenticated (*) simple bind DN here. This, in some odd way, makes the feature more symmetric. That is, DNs produced via both SASL bind and simple bind would be mappable. One use I can see is where one has one backend providing authentication information and one backend providing the user's person object, and one wants to use the DN of the person object as the authorization identity.

(* mapping the simple bind DN prior to authentication should be done via other means)

>>> authz-regexp "^.*" "uid=hbf,cn=people,dc=uio,dc=no"
>>> does not let anyone log in with my password and access:-)
>>
>> Wouldn't this mean that any authenticated user would act
>> as the "uid=hbf,cn=people,dc=uio,dc=no" authorization identity?
>
>Ah. I got confused by "Used by the authentication framework" in
>the doc. Maybe that should be "by the authorization framework"?

I think of the authentication framework as encompassing establishment of the identity to use in authorization decisions. While these decisions take place within an authorization framework, mapping of authentication identities to authorization identities takes place within the authentication framework.

There might be some confusion by the use of the word "simple" in "simple user names". It's not intended to refer to simple bind user names but to user names of uAuthzid's userid form [RFC2829] (after they have been mapped into a DN).

But I agree that the text needs some work...

Kurt
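An added slapd.conf fragment (not from the thread, nor OpenLDAP's own documentation) contrasting the overly broad pattern quoted above with a capture-based mapping, for the two-backend use case Kurt describes. It assumes OpenLDAP 2.3 authz-regexp syntax and the hypothetical naming context dc=uio,dc=no with person entries under cn=people.

```conf
# Identities that reach authz-regexp come from SASL binds (and the
# proxied authorization control), not from a simple-bind DN, and have
# the form:  uid=<user>[,cn=<realm>],cn=<mechanism>,cn=auth
# The first matching authz-regexp rule is the one applied.

# Overly broad (the case discussed in the thread): every authenticated
# identity is mapped to hbf's person entry, so anyone who can
# authenticate acts as hbf for authorization. Left commented out.
#authz-regexp "^.*" "uid=hbf,cn=people,dc=uio,dc=no"

# Match only the SASL identity form and carry the username through
# a capture group, so each user maps to their own person entry.
authz-regexp
    "^uid=([^,]+),cn=.*,cn=auth$"
    "uid=$1,cn=people,dc=uio,dc=no"

# Alternative for the case where authentication data and person
# objects live in different places: search for the person object
# instead of constructing its DN. (Hypothetical base and filter.)
#authz-regexp
#    "^uid=([^,]+),cn=.*,cn=auth$"
#    "ldap:///cn=people,dc=uio,dc=no??sub?(uid=$1)"
```

Keep at most one of the two active rules, since only the first match is used; a search-form replacement must resolve to exactly one entry or the mapping fails.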
