On 28/1/04 10:55 pm, Kurt D. Zeilenga <[EMAIL PROTECTED]> wrote:
> At 07:52 AM 1/20/2004, Chris Ridd wrote:
>> I note that when using SASL, Net::LDAP's bind method automatically sets the
>> user field to something:
>>
>> my $sasl = $passwd;
>> # Tell the SASL object our user identifier
>> $sasl->callback( user => "dn: $stash{name}")
>>     unless $sasl->callback('user');
>>
>> We're using SASL EXTERNAL. With this mechanism the authentication id comes
>> from the client's cert, and the optional sasl->credentials field contains
>> the authorization id. I'm not sure where all this is defined :-)
>>
>> Because Net::LDAP is setting the authz id to something ("dn: "), this causes
>> a bind failure. (The user isn't allowed to authorize as someone else.)
>>
>> Setting the sasl->credentials seems wrong to me in this case. What do other
>> people think who are using EXTERNAL? Is the best place to fix this (if it is
>> a bug) in EXTERNAL.pm?
>
> My thoughts on this are:
>
> Unless the user wishes to assume the identity of another
> user, no authzid should be specified. The server will do
> the right thing.
I agree.
> It would be incorrect for the client itself to attempt to
> derive an authzid from what it thinks the authcid is because
> 1) it may not know the precise authcid used by the server
> (EXTERNAL is not necessarily tied to TLS, could be tied to
> something else.) and 2) the client cannot reliably mimic the
> server's authcid->authzid mapping behavior without a priori
> knowledge. That is, whatever the client does on its own
> will likely be the wrong thing.
Agreed.
It looks like this needs fixing in EXTERNAL.pm. (If user is set in the
callback, delete/ignore it.)
> BTW, there should space after "dn:". See RFC 2829.
^ be no
OK, that's a second bug.
Cheers,
Chris
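
An added example (not code from the thread or from Net::LDAP itself) of how a client should drive SASL EXTERNAL given the points above: send no authzid unless the caller explicitly wants to act as someone else, and when one is sent, format it with no space after "dn:" or "u:" as RFC 2829 section 9 requires. It assumes a Net::LDAP/Authen::SASL where EXTERNAL does not send a library-fabricated "dn:" authzid (the fix discussed above); the hostname, certificate paths and the proxy DN are placeholders.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Extension::WhoAmI;
use Authen::SASL;

# Format an authorization identity as RFC 2829 section 9 spells it:
# the "dn:" or "u:" prefix is followed directly by the value, no space.
sub authzid {
    my ($kind, $value) = @_;
    die "authzid kind must be 'dn' or 'u'\n"
        unless defined $kind && ($kind eq 'dn' || $kind eq 'u');
    die "authzid value must not be empty\n"
        unless defined $value && length $value;
    return "$kind:$value";
}

# Build the SASL EXTERNAL object. For EXTERNAL the "user" callback carries
# the authzid, so it is only set when the caller explicitly asks to assume
# another identity (as => [kind, value]); otherwise no authzid is sent and
# the server maps the certificate's authcid to an entry on its own.
sub external_sasl {
    my %opt = @_;
    my %callback;
    $callback{user} = authzid(@{ $opt{as} }) if $opt{as};
    return Authen::SASL->new(mechanism => 'EXTERNAL', callback => \%callback);
}

# Placeholder host and file names.
my $ldap = Net::LDAP->new('ldap.example.com') or die "connect: $@\n";

# EXTERNAL authenticates whatever the transport already proved; here that is
# the client certificate presented during the TLS handshake.
my $mesg = $ldap->start_tls(
    verify     => 'require',
    cafile     => '/etc/ssl/certs/ca.pem',
    clientcert => '/etc/ssl/certs/client.pem',
    clientkey  => '/etc/ssl/private/client.key',
);
die 'start_tls: ' . $mesg->error . "\n" if $mesg->code;

# Usual case: no authzid at all. No dn is passed to bind either, so there is
# nothing for the library to turn into a "dn:" authzid.
$mesg = $ldap->bind(sasl => external_sasl());
die 'bind: ' . $mesg->error . "\n" if $mesg->code;

# Ask the server which identity it actually derived from the certificate.
my $who = $ldap->who_am_i;
printf "bound as: %s\n", defined $who->response ? $who->response : '(anonymous)';

# Proxy case, only where the server permits this certificate's identity to
# act as the target entry (placeholder DN):
# $mesg = $ldap->bind(sasl => external_sasl(as => ['dn', 'cn=app,dc=example,dc=com']));
```

The who-am-i call is the practical check for the argument made above: the client prints the authzid the server chose rather than guessing one, and a proxy bind is attempted only when the caller asks for it by name.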