From: Howard Chu
Date: Wed, 06 Aug 2008 05:25:20 -0700
To: Apache Directory Developers List <dev@directory.apache.org>
Subject: Re: [SASL][external authent] How do we manage authz for an externally authenticated user ?
Message-ID: <48999830.6010508@symas.com>
In-Reply-To: <48995EB4.9010708@gmail.com>

Emmanuel Lecharny wrote:
> Hi guys,
>
> there is something puzzling me with the current SASL implementation we
> have. SASL can be used to allow a user to authenticate into ADS even if
> it is not defined and known by ADS. This is done through the EXTERNAL
> mechanism. That's all good.
>
> But now, my question is : how do we handle the authorization for an
> externally authenticated user ? Currently the ACDFs are evaluated
> considering that a user is described by a DN, which won't be the case
> for the EXTERNAL mechanism.
>
> I would suggest that we define a virtual partition for such external
> users, where the user is defined as :
> cn=, dc=external-user, ou=system, otherwise, I
> think we have to modify the whole authz mechanism.
>
> Did I miss something? thoughts ?
>
> PS : NTLM is currently defined as a standard mechanism, but can also be
> defined as External. There is currently _no_ documentation on the NTLM
> SASL mechanism available... We will keep the NTLM mechanism as not
> external atm, even if the authentication is done externally. It may
> evolve later
>

For what it's worth, OpenLDAP always constructs DNs of the form
uid=foo,cn=,cn=,cn=auth for SASL authentications. Then using a separate
authz-regexp config you can configure mappings from this form to whatever
naming scheme your DIT actually uses.

For EXTERNAL with X.509 certificates, we start with the actual certificate
Subject DN, and also pass it thru the mapper. In practice, a well-run PKI
should be issuing DNs that exactly correspond to their users' LDAP DN, but
it seems very few real world PKI deployments are "well-run" ...

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
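The mapping step Howard describes, as an added illustration (not code from OpenLDAP or ApacheDS): a synthetic SASL DN or an X.509 Subject DN is matched against an ordered rule list in the style of slapd's authz-regexp, and an identity that matches no rule gets no DN in the DIT at all, which is the case Emmanuel's question is about. The full synthetic form uid=<user>,cn=<realm>,cn=<mechanism>,cn=auth is taken from the OpenLDAP documentation; the DIT layout, realm and PKI naming below are constructed assumptions.

```python
import re

# Constructed, ordered rule list in the spirit of slapd's
#   authz-regexp <match-regex> <replacement>
# First matching rule wins; $1..$9 in the replacement are capture groups.
# Names are assumptions for this example, not a real deployment's config.
AUTHZ_REGEXP = [
    # EXTERNAL with a client certificate: the input is the certificate's
    # Subject DN. This assumed PKI issues cn=<user>,ou=People,o=Example PKI,
    # which is not an LDAP DN in our DIT, so it must be rewritten.
    (r"^cn=([^,]+),ou=people,o=example pki$",
     "uid=$1,ou=users,dc=example,dc=com"),
    # Other SASL mechanisms: uid=<user>,cn=<realm>,cn=<mech>,cn=auth.
    # The realm is pinned so identities from another realm do not map.
    (r"^uid=([^,]+),cn=example\.com,cn=[^,]+,cn=auth$",
     "uid=$1,ou=users,dc=example,dc=com"),
]


def sasl_authz_dn(username, realm, mechanism):
    """Build the synthetic DN the server assigns to a SASL-authenticated user."""
    return f"uid={username},cn={realm},cn={mechanism},cn=auth"


def normalize_dn(dn):
    """Simplified normalization: trim whitespace around RDN separators.
    Real servers normalize per RFC 4514 matching rules before comparing."""
    return ",".join(part.strip() for part in dn.split(","))


def map_authz(dn, rules=AUTHZ_REGEXP):
    """Return the DIT DN for an authenticated identity, or None.

    None means the identity has no entry the ACDFs can evaluate; the safe
    default is to treat it as anonymous rather than to invent a mapping.
    """
    norm = normalize_dn(dn)
    for pattern, replacement in rules:
        m = re.match(pattern, norm, re.IGNORECASE)
        if m:
            # Expand $N placeholders from the capture groups of this match.
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))),
                          replacement)
    return None


if __name__ == "__main__":
    print(map_authz(sasl_authz_dn("alice", "example.com", "DIGEST-MD5")))
    print(map_authz("CN=bob, OU=People, O=Example PKI"))   # certificate subject
    print(map_authz("CN=eve, O=Some Other CA"))            # no rule: None
```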