From: Kurt D. Z. <Kurt@OpenLDAP.org> - 2002-05-08 16:25:12

At 08:30 AM 2002-05-08, Norbert Klasen wrote:
>--On Tuesday, 7 May 2002 13:38 +0100 Graham Barr <gb...@po...> wrote:
>
>>The reason it was using user, was for compatibility with previous SASL
>>implementation.
>
>How am I supposed to call Authen::SASL->new and Net::LDAP->bind if I don't
>want to do proxy auth (i.e. not specify an authorization identity with the
>user callback)?
>
>I'm asking this because in Net/LDAP.pm line 242 "user" defaults to
>'dn: <DN>', where <DN> is the first parameter to Net::LDAP::bind():
>
>  # Tell the SASL object our user identifier
>  $sasl->callback( user => "dn: $stash{name}")
>    unless $sasl->callback('user');

That's bad. The bind name, SASL authentication identity (where applicable),
and SASL authorization identity (where applicable and desired) should be
provided separately by the application. It is inappropriate for the API to
assume any particular relationship between them.

I note as well that "dn: cn=foo" is an invalid LDAP authzid. There should
be no space after the ":".

>BTW how is a server to respond, if it receives different authCids in the
>name and credentials component of a bind request?

Generally speaking, when SASL is being used, the clients should not provide
a bind name and the server should ignore the bind name if present. RFC 2829
wasn't exactly clear on this, but the LDAPbis revised specification (a work
in progress) should be.
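Added example, not from the thread or from Net::LDAP, in Python: it models the three identities Kurt distinguishes (bind name, SASL authcid, SASL authzid) and validates the RFC 2829 authzid syntax, rejecting the "dn: <DN>" value (with a space) that the quoted Net::LDAP default produces. The function names and the plain dict standing in for a bind request are assumptions of this illustration.

```python
"""Constructed illustration of LDAP SASL bind identities (RFC 2829 authzid)."""
import re
from typing import Optional, Tuple

# RFC 2829: authzId = "dn:" dn / "u:" userid. The colon alone is the
# separator; whitespace right after it is not part of a valid DN or userid.
_AUTHZID = re.compile(r"^(dn|u):(.*)$", re.S)


def parse_authzid(authzid: str) -> Tuple[str, str]:
    """Return (form, value) for a syntactically valid authzid, else raise."""
    m = _AUTHZID.match(authzid)
    if not m:
        raise ValueError(f"authzid must start with 'dn:' or 'u:': {authzid!r}")
    form, value = m.group(1), m.group(2)
    if value[:1].isspace():
        raise ValueError(f"no whitespace allowed after the colon: {authzid!r}")
    if form == "u" and not value:
        raise ValueError("the u: form requires a userid")
    return form, value  # an empty DN after "dn:" is permitted


def is_valid_authzid(authzid: str) -> bool:
    try:
        parse_authzid(authzid)
        return True
    except ValueError:
        return False


def legacy_default_authzid(bind_name: str) -> str:
    """What the quoted Net::LDAP code derived from the bind name: 'dn: <DN>'."""
    return f"dn: {bind_name}"


def sasl_bind_request(authcid: str, password: str,
                      authzid: Optional[str] = None) -> dict:
    """Client side: empty bind name; authcid and authzid given separately.

    authzid is sent only when proxy authorization is actually wanted."""
    if authzid is not None:
        parse_authzid(authzid)  # reject a malformed value before sending it
    return {"name": "", "authcid": authcid, "password": password,
            "authzid": authzid}


def server_effective_identity(bind_name: str, authcid: str,
                              authzid: Optional[str]) -> Tuple[str, str]:
    """Server side: with SASL the bind name is ignored; the effective
    identity comes from the authzid if requested, otherwise the authcid."""
    del bind_name  # deliberately unused, following the thread's guidance
    return ("authzid", authzid) if authzid else ("authcid", authcid)
```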