----- "Konstantinos Koukopoulos" kouk+Lists.openldap@noc.uoa.gr wrote:
Hello, I was wondering if it is a known issue that, when using SASL authorization combined with the rewrite module, one doesn't have access to either the bind DN or the authz DN. The rewrite context bindDN is only called when the client supplies a DN in the simple-bind fashion (-D when using ldapsearch).
But if one uses a SASL mechanism (in order to use proxy auth, for example), then the bind will happen with the result of the authz-regexp rewrite, but this is not in a context of slapo-rwm, whose bindDN context sees whatever arbitrary bind DN, if any, the request contained (for example through -D).
Additionally, there is no context regarding the authorization DN, which is pretty much a necessity if you plan on using authzFrom and have remapped the DIT.
Yes, it is a known issue. When slapo-rwm was first designed, however, it could only be stacked on top of a database, so it would have been bypassed by SASL bind anyway. However, it is not clear (to me) why one should rewrite a DN resulting from an authz-regexp instead of directly modifying the authz-regexp in the first place.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
-----------------------------------
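The two bind paths discussed in the thread, as an added slapd.conf fragment that is not part of either message and not OpenLDAP project code. It shows where the SASL identity mapping lives (the frontend's authz-regexp, evaluated before any overlay) versus where slapo-rwm's bindDN context applies (simple binds only), and it follows Masarati's suggestion of producing the wanted DN directly in authz-regexp rather than trying to rewrite its result. The suffixes, hostnames, users and realm are made up for illustration; the directive names and syntax are those of slapd.conf(5) and slapo-rwm(5).

```conf
# Added example (not from the thread): slapd.conf fragment showing the two
# bind paths. All DNs, hosts and names below are constructed.

# 1. SASL bind path. The frontend maps the SASL authentication identity to a
#    DN here, before any overlay runs, so slapo-rwm never sees this bind DN.
#    Put the mapping you want directly in the pattern/replacement, as the
#    reply suggests, instead of rewriting its result later.
#    DIGEST-MD5 user "alice" in realm example.com becomes
#      uid=alice,ou=People,dc=example,dc=com
authz-regexp
    "^uid=([^,]+),cn=example\.com,cn=digest-md5,cn=auth$"
    "uid=$1,ou=People,dc=example,dc=com"

#    Proxy authorization (e.g. ldapsearch -Y DIGEST-MD5 -U alice -X u:bob):
#    with "from", the target entry's authzFrom values decide who may assume
#    it, so those values must name the DNs produced by authz-regexp above.
authz-policy from

# 2. Database with the rewrite overlay stacked on it.
database   ldap
suffix     "dc=example,dc=com"
uri        "ldap://backend.example.com/"

overlay rwm
rwm-rewriteEngine on

#    Only simple binds (ldapsearch -D "...") pass through this context; a
#    SASL bind's DN comes from authz-regexp and does not reach it.
rwm-rewriteContext bindDN
rwm-rewriteRule "^(.*),dc=example,dc=com$" "$1,dc=legacy,dc=local" ":"
```

Note that the authz-regexp replacement is written in the naming already used by the virtual DIT, so the SASL bind DN is consistent with what the overlay produces for simple binds without any rwm involvement.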