----- "Konstantinos Koukopoulos" kouk+Lists.openldap@noc.uoa.gr wrote:
On Thursday 24 July 2008 19:07:38 Pierangelo Masarati wrote:
Yes, it is a known issue. When slapo-rwm was first designed, however, it could only be stacked on top of a database, so it would have been bypassed by SASL bind anyway.
Would that still be the case if internal auxprop authentication was used? In that case I think that a SASL bind would result in an internal search op being performed. The problem then on the slapo-rwm level is how to distinguish between the search performed in order to complete the SASL bind and other searches.
However, it is not clear (to me) why one should rewrite a DN resulting from an authz-regexp instead of directly modifying the authz-regexp in the first place.
The downside of using authz-regexp is that it seems you cannot assign a variable with the '${&&name(value)}' syntax and make it available to the other rewrite contexts using '${**name}'. If authz-regexp was somehow integrated with slapo-rwm then there wouldn't be a problem.
Well, authz-regexp uses exactly the same utility of slapo-rwm. However, the two rewrites belong to independent sessions. Probably, slapd should allow cross-session variable population to yield the capability you're looking for. This requires some work at the librewrite level. Please file an ITS for a feature request in this sense.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: ando@sys-net.it
-----------------------------------