From: Graham B. <gb...@po...> - 2002-05-08 16:59:33

You can add user => sub { '' } into the argument to SASL->new. This is an unfortunate historic mistake that should be deprecated.

Graham.

On Wed, May 08, 2002 at 09:25:00AM -0700, Kurt D. Zeilenga wrote:
> At 08:30 AM 2002-05-08, Norbert Klasen wrote:
> >
> >--On Tuesday, 7 May 2002 13:38 +0100 Graham Barr <gb...@po...> wrote:
> >
> >>The reason it was using user, was for compatibility with previous SASL
> >>implementation.
> >
> >How am I supposed to call Authen::SASL->new and Net::LDAP->bind if I don't
> >want to do proxy auth (i.e. not specify an authorization identity with the
> >user callback)?
> >
> >I'm asking this because in Net/LDAP.pm line 242 "user" defaults to
> >'dn: <DN>', where <DN> is the first parameter to NET::LDAP::bind():
> >
> >  # Tell the SASL object our user identifier
> >  $sasl->callback( user => "dn: $stash{name}")
> >    unless $sasl->callback('user');
>
> That's bad. The bind name, SASL authentication identity
> (where applicable), and SASL authorization identity (where
> applicable and desired) should be provided separately
> by the application. It is inappropriate for the API to
> assume any particular relationship between them.
>
> I note as well, that "dn: cn=foo" is an invalid LDAP
> authzid. There should be no space after the ":".
>
> >BTW how is a server to respond, if it receives different authCids in the
> >name and credentials component of a bind request?
>
> Generally speaking, when SASL is being used, the clients should
> not provide a bind name and server should ignore the bind name
> if present. RFC 2829 wasn't exactly clear on this, but the
> LDAPbis revised specification (a work in progress) should be.
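Added example, not part of the thread or of the Net::LDAP / Authen::SASL distributions: it shows the workaround Graham describes and why it works against the Net::LDAP bind() logic Norbert quotes. The mechanism name, the password callback and the host are placeholders; the check in apply_netldap_default() is a copy of the quoted Net/LDAP.pm lines, reproduced here so the behaviour can be observed without a directory server. Note that the quoted code tests only whether a 'user' callback is present, not what it returns, which is exactly why a callback returning the empty string suppresses the "dn: <DN>" default. The meaning of the 'user' callback belongs to the Authen::SASL version in use (the thread's "historic mistake"); in later Authen::SASL releases the authorization identity is the 'authname' callback and 'user' is the authentication identity, so check the version you run before relying on this.

```perl
#!/usr/bin/perl
# Added example (not from the thread): how user => sub { '' } interacts
# with the Net::LDAP bind() default quoted above.  Runs offline; the
# real LDAP bind is shown in a comment only.
use strict;
use warnings;
use Authen::SASL;

# Build the SASL object as the thread suggests.  'DIGEST-MD5' and the
# password are assumed placeholders.  The empty 'user' callback is the
# workaround: the 2002-era Net::LDAP then leaves the SASL authorization
# identity alone instead of supplying "dn: <DN>".
my $sasl = Authen::SASL->new(
    mechanism => 'DIGEST-MD5',
    callback  => {
        user => sub { '' },        # thread's workaround: no authzid
        pass => sub { 'secret' },  # assumed placeholder
    },
);

# Copy of the Net/LDAP.pm check quoted in the thread (line 242 then).
# It only asks whether a 'user' callback exists, so a callback that
# returns '' still prevents the "dn: <DN>" default from being installed.
# Returns the resolved value of the 'user' callback afterwards.
sub apply_netldap_default {
    my ($sasl, $bind_name) = @_;
    $sasl->callback( user => "dn: $bind_name" )
        unless $sasl->callback('user');
    my $cb = $sasl->callback('user');
    return ref $cb eq 'CODE' ? $cb->() : $cb;
}

# With the workaround: the callback returns '' and Net::LDAP does not
# overwrite it.
print "authzid with workaround:    '",
      apply_netldap_default($sasl, 'cn=foo'), "'\n";

# Without it: Net::LDAP installs "dn: cn=foo", which (as Kurt notes)
# is not a valid LDAP authzid because of the space after the colon.
my $plain = Authen::SASL->new(
    mechanism => 'DIGEST-MD5',
    callback  => { pass => sub { 'secret' } },
);
print "authzid without workaround: '",
      apply_netldap_default($plain, 'cn=foo'), "'\n";

# The bind itself, following Kurt's point: supply no bind name when
# SASL is in use.  Not executed here (needs a live server; host assumed).
#
#   use Net::LDAP;
#   my $ldap = Net::LDAP->new('ldap.example.com') or die "$@";
#   my $mesg = $ldap->bind( sasl => $sasl );
#   die $mesg->error if $mesg->code;
```

The split between the two Authen::SASL objects is deliberate: the first demonstrates the workaround, the second reproduces the default Norbert objected to, so the difference is visible in one run without touching the network.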