--On Friday, January 06, 2017 7:17 PM +0000 rick@openfortress.nl wrote:
Full_Name: Rick van Rein
Version: 2.4
OS: N/A
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (2001:980:93a5:1:98ff:3cc8:e968:ded8)
Hello,
I found a nit in the OpenLDAP administrator's guide at http://www.openldap.org/doc/admin24/guide.html#SASL%20Proxy%20Authorization
It mentions Proxy Authorization as a facility of SASL, something I never heard of. It is defined specifically for LDAP in RFC 4370. So the chapter title, and perhaps its ordering underneath SASL, are not perfect.
Hi Rick,
Thanks for the report. However, the EXTERNAL mechanism is in fact a SASL mechanism, just implemented directly in OpenLDAP (vs other SASL mechanisms that OpenLDAP supports via Cyrus-SASL). The location in the admin guide is correct. If you read RFC 4370, Section 1 clearly notes that it is a part of SASL:
"The Lightweight Directory Access Protocol [LDAPV3] supports the use of the Simple Authentication and Security Layer [SASL] for authentication and for supplying an authorization identity distinct from the authentication identity, where the authorization identity applies to the whole LDAP session."
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com