https://bugs.openldap.org/show_bug.cgi?id=9256
--- Comment #3 from Ondřej Kuzník ondra@mistotebe.net ---
On Mon, May 04, 2020 at 11:14:41PM +0000, openldap-its@openldap.org wrote:
> Created attachment 727 --> https://bugs.openldap.org/attachment.cgi?id=727&action=edit Patch massaging the SASL binding requirement docs
>
> While some ACL requirements for SASL binding are documented, some are not. E.g., that olcAuthzRegexp requires =x on objectClass when direct DN mapping is not documented. Other requirements can be reasoned out based on the existing documentation, but this can be very difficult when unfamiliar with all the moving parts and the places they are documented. E.g. knowing that (objectClass=*) is the default filter, and that there's _always_ _some_ filter, and connecting this with ACLs required to do search-based SASL mapping.
>
> The attached patch brings all the SASL binding requirements together in one place in the docs and makes everything explicit. The word "SASL" is included, for those searching for that keyword.
Hi Karl, thanks for taking the time to improve the documentation. I have a few notes:
"depending on the SASL mechanism in use." Why not say something like "if authz-regexp remapping is in place"?
Maybe keep the slapd.conf->cn=config changes to a separate commit.
In the paragraph "Some internal operations...", not sure such sweeping changes are really needed; maybe just saying the default filter is equal to objectclass=* if not specified would simplify and clarify that part?
Regards,