----- "Konstantinos Koukopoulos" <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I was wondering if it is a known issue that when using sasl authorization
> combined with the rewrite module, one doesn't have access to either the
> binddn or the authz dn. The rewrite context bindDN is only called when the
> client supplies a DN in the simple-bind fashion (-D when using ldapsearch).
>
> But if one uses a sasl mechanism (in order to use proxy auth for example) then
> the binding will happen with the result of the authz-regexp rewrite but this
> is not in a context of slapo-rwm, whose bindDN context sees whatever, if any,
> arbitrary bind DN the request contained (for example through -D).
>
> Additionally there is no context regarding the authorization DN, which is
> pretty much a necessity if you plan on using authFrom and have remapped the
> dit.

Yes, it is a known issue. When slapo-rwm was first designed, however, it could only be stacked on top of a database, so it would have been bypassed by SASL bind anyway. However, it is not clear (to me) why one should rewrite a DN resulting from an authz-regexp instead of directly modifying the authz-regexp in the first place.

p.

Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: [EMAIL PROTECTED]
-----------------------------------
