Pierangelo Masarati wrote:
Simon Gao wrote:
I am making some progress on this. Following example test014, I am able to get sasl bind working.
I still have two questions.
1) For chain-idassert-bind, if I put bindmethod, saslmech, binddn, mode each on an individual line, then SASL binding does not work. They all must be on the same line. Any reason why multiple lines work for simple bind, but not for SASL binding? The inconsistency will cause more effort in troubleshooting.
This should not be true. I suspect you're doing something weird with leading blanks in continuation lines, since the configuration parser sees each statement as a single line anyway, after gluing multiple lines by replacing continuation indentation with a single blank. If you intend to submit an example of your configuration, please attach it to the message (if small) or make it available for public download. Cut'n'paste could mess up critical portions of the message, like lining and whitespace.
This was indeed an extra space problem. After removing the extra space, it works fine.
2) Is it possible to add authzTo/authzFrom at the "ou=people,dc=example,dc=com" level and have all the child entries be proxy authenticated?
I'm not aware of any feature like that. In any case, it should be of very limited help in chaining, since the rationale behind chaining is that users that cannot autonomously authenticate on a remote DSA get authorized by some special identity that has authorization privileges. So all you need is authzTo in the special identity's entry, while in general the identity that's being authorized does not necessarily reside in the DSA.
authzTo worked fine with a proxy entry.
Thanks.
Simon
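
Added example, not part of the original thread or of OpenLDAP's code: a simplified Python model of the line-gluing rule described above (a line that starts with whitespace continues the previous statement, its indentation replaced by a single blank), showing how whitespace at the start of a line decides where a chain-idassert-bind statement begins and ends. The host name, DN and SASL mechanism are constructed sample values, and comment handling is left out.

```python
import shlex

# Keywords named in the thread for the SASL identity-assertion bind.
REQUIRED = ("bindmethod", "saslmech", "binddn", "mode")

# Constructed sample: continuation lines are indented (values are placeholders).
INDENTED = """\
overlay chain
chain-uri "ldap://remote.example.com/"
chain-idassert-bind bindmethod=sasl
  saslmech=DIGEST-MD5
  binddn="cn=proxy,dc=example,dc=com"
  mode=self
"""
# Same text with the continuation indentation removed.
UNINDENTED = INDENTED.replace("\n  ", "\n")
# Same text with a stray leading blank in front of the directive itself.
STRAY_BLANK = INDENTED.replace("\nchain-idassert-bind", "\n chain-idassert-bind")


def glue(text):
    """Join physical lines into logical statements (simplified model)."""
    statements = []
    for raw in text.splitlines():
        if not raw.strip():
            continue  # ignore empty lines in this model
        if raw[0] in " \t" and statements:
            # Leading whitespace: continuation, joined with a single blank.
            statements[-1] += " " + raw.strip()
        else:
            statements.append(raw.strip())
    return statements


def missing(text):
    """For each chain-idassert-bind statement, list the REQUIRED keys it lacks."""
    report = []
    for stmt in glue(text):
        words = shlex.split(stmt)
        if words[0] == "chain-idassert-bind":
            keys = {w.split("=", 1)[0] for w in words[1:] if "=" in w}
            report.append(sorted(set(REQUIRED) - keys))
    return report


if __name__ == "__main__":
    for name in ("INDENTED", "UNINDENTED", "STRAY_BLANK"):
        print(name, len(glue(globals()[name])), missing(globals()[name]))
```

In this model the unindented variant splits into six statements and the bind statement keeps only bindmethod, while the stray blank glues the whole directive onto the preceding chain-uri statement so no chain-idassert-bind statement is seen at all.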