Emmanuel Lecharny wrote:
> Hi guys,
>
> there is something puzzling me with the current SASL implementation we
> have. SASL can be used to allow a user to authenticate into ADS even if
> it is not defined and known by ADS. This is done through the EXTERNAL
> mechanism. That's all good.
>
> But now, my question is: how do we handle the authorization for an
> externally authenticated user? Currently the ACDFs are evaluated
> considering that a user is described by a DN, which won't be the case
> for the EXTERNAL mechanism.
>
> I would suggest that we define a virtual partition for such external
> users, where the user is defined as:
> cn=, dc=external-user, ou=system, otherwise, I
> think we have to modify the whole authz mechanism.
>
> Did I miss something? Thoughts?
>
> PS: NTLM is currently defined as a standard mechanism, but can also be
> defined as External. There is currently _no_ documentation on the NTLM
> SASL mechanism available... We will keep the NTLM mechanism as not
> external atm, even if the authentication is done externally. It may
> evolve later.

For what it's worth, OpenLDAP always constructs DNs of the form
uid=foo,cn=,cn=,cn=auth for SASL authentications. Then using a separate
authz-regexp config you can configure mappings from this form to whatever
naming scheme your DIT actually uses. For EXTERNAL with X.509 certificates,
we start with the actual certificate Subject DN, and also pass it thru the
mapper.

In practice, a well-run PKI should be issuing DNs that exactly correspond to
their user's LDAP DN, but it seems very few real world PKI deployments are
"well-run" ...

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/