Menu
▾
▴
Re: Authorization with Authen::SASL::Perl::External
|
From: Kurt D. Z. <Kurt@OpenLDAP.org> - 2002-05-08 16:25:12
|
At 08:30 AM 2002-05-08, Norbert Klasen wrote:
>--On Dienstag, 7. Mai 2002 13:38 +0100 Graham Barr <gb...@po...> wrote:
>
>>The reason it was using user, was for compatability with previous SASL
>>implementation.
>
>How am I supposed to call Authen::SASL->new and Net::LDAP->bind if I don't want to do proxy auth (ie. not specify an authorization identity with the user callback)?
>
>I'm asking this because in Net/LDAP.pm line 242 "user" defaults to
>'dn: <DN>', where <DN> is the first parameter to NET::LDAP::bind():
> # Tell the SASL object our user identifier
> $sasl->callback( user => "dn: $stash{name}")
> unless $sasl->callback('user');
that's bad. The bind name, SASL authentication identity
(where applicable), and SASL authorization identity (where
applicable and desired) should be provided separately
by the application. It is inappropriate for the API to
assume any particular relationship between them.
I note as well, that "dn: cn=foo" is an invalid LDAP
authzid. There should be no space after the ":".
>BTW how is a server to respond, if it receives different authCids in the name and credentials component of a bind request?
Generally speaking, when SASL is being used, the clients should
not provide a bind name and server should ignore the bind name
if present. RFC 2829 wasn't exactly clear on this, but the
LDAPbis revised specification (a work in progress) should be.
|