--On Friday, October 07, 2005 12:27 PM -0700 "Kurt D. Zeilenga" <[EMAIL PROTECTED]> wrote:
A number of SASL mechanisms, including DIGEST-MD5 (LDAP's mandatory-to-implement "strong" authentication mechanism), CRAM-MD5, and PLAIN, support authentication identities in the form of a simple user name. OpenLDAP Software supports these mechanisms through Cyrus SASL. And, yes, you can map simple user names to DNs. See authz-regex in slapd.conf(5). Note, however, you cannot use a simple user name as the LDAP simple bind name as this is required to be an LDAP DN.
And of course, I'm not aware of a single email client that supports SASL binds (they all live in the LDAP V2 world). I have open bugs about this against a number of email client software providers (Qualcomm, Apple, Mozilla).
Personally, I'd suggest some level of visibility controls on your data, with which you can then allow anonymous binds to read "world" data. We do this at Stanford, and email clients at this time can only access world data due to the limitations of their bind methods. If the clients are ever updated to use SASL, then they'll be able to get to Stanford views.
--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

"These censorship operations against schools and libraries are stronger than ever in the present religio-political climate. They often focus on fantasy and sf books, which foster that deadly enemy to bigotry and blind faith, the imagination." -- Ursula K. Le Guin
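As an added illustration of the two points in the quoted text (not code from the thread or from the OpenLDAP project), the script below emulates what slapd does with a SASL user name: Cyrus SASL hands slapd an authentication identity of the form `uid=<name>,cn=<mechanism>,cn=auth`, and an `authz-regexp` directive in slapd.conf (the actual directive name; the mail abbreviates it) rewrites that into a real DN. The suffix `ou=people,dc=example,dc=com`, the user names and the rule itself are constructed for the example. The last function shows the other half of the point: an LDAP simple bind needs a DN, so a bare user name such as `alice` is rejected before it ever reaches the directory. The DN check is a deliberately rough structural heuristic, not a full RFC 4514 parser.

```python
import re

# Constructed equivalent of a slapd.conf rule (assumed example suffix):
#   authz-regexp
#     "^uid=([^,]+),cn=[^,]+,cn=auth$"
#     "uid=$1,ou=people,dc=example,dc=com"
# slapd's "$1" becomes Python's "\1"; the mechanism name is ignored on
# purpose so DIGEST-MD5, CRAM-MD5 and PLAIN all map the same way.
AUTHZ_RULES = [
    (r"^uid=([^,]+),cn=[^,]+,cn=auth$",
     r"uid=\1,ou=people,dc=example,dc=com"),
]

# Rough DN shape: attr=value RDNs separated by commas (no escape handling).
_DN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+(,[A-Za-z][A-Za-z0-9-]*=[^,]+)*$")


def sasl_authc_dn(username: str, mechanism: str) -> str:
    """Build the identity slapd derives from a SASL bind.

    slapd lower-cases the mechanism name in this synthetic DN, so a
    DIGEST-MD5 bind by "alice" shows up as uid=alice,cn=digest-md5,cn=auth.
    """
    return f"uid={username},cn={mechanism.lower()},cn=auth"


def map_authz_dn(sasl_dn: str):
    """Apply the authz-regexp rules in order; first match wins.

    Returns the mapped directory DN, or None when no rule matches (slapd
    would then keep the unmapped cn=auth identity, which names no entry and
    so gets no entry-based access).
    """
    for pattern, replacement in AUTHZ_RULES:
        m = re.fullmatch(pattern, sasl_dn)
        if m:
            return m.expand(replacement)
    return None


def simple_bind_name_ok(name: str) -> bool:
    """A simple bind name must be a DN (or empty for an anonymous bind).

    This is why a mail client that only knows LDAPv2-style simple binds
    cannot present a bare user name the way a SASL client can.
    """
    return name == "" or _DN_RE.match(name) is not None


if __name__ == "__main__":
    for user, mech in [("alice", "DIGEST-MD5"), ("bob", "CRAM-MD5")]:
        sasl_dn = sasl_authc_dn(user, mech)
        print(f"{sasl_dn} -> {map_authz_dn(sasl_dn)}")
    for name in ["alice", "uid=alice,ou=people,dc=example,dc=com", ""]:
        print(f"simple bind {name!r}: {'ok' if simple_bind_name_ok(name) else 'rejected'}")
```

Running it prints the mapped DN for each SASL identity and shows that only the DN form and the empty (anonymous) name are acceptable simple bind names. In a real deployment the replacement side of `authz-regexp` can also be an LDAP URL that searches for the entry instead of spelling out the DN; the regex side is the same.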
