François Beretti wrote:
How does the authorization system work when using such an overlay? Can one write an ACL giving access to a user DN not in the directory?
Yes of course. Any valid DN (i.e., a DN that conforms to the schema) can be specified in an ACL, regardless of whether that DN corresponds to an entry residing in the current server. Otherwise distributed authentication and authorization would be impossible.
Note that SASL is already an example of this fact - SASL IDs don't have to exist in the directory, but if SASL says they are authenticated then we allow their use. Once an identity has been authenticated, by whatever means, it is valid.
2007/2/2, Howard Chu <hyc@symas.com>:
In general, unless you actually need to perform all of the functions of a backend, you can usually get by with something much smaller - like an overlay that only intercepts Bind operations, or a password hash module in this case.