.I authzFrom
permissions. Note, however, that the ID assertion feature is mostly
useful when the asserted identities do not exist on the remote server.
-When
-.I bindmethod
-is
-.BR SASL ,
-the
-.I authcDN
-must be specified in addition to the
-.IR authcID ,
-although it is not used within the authentication process.
Flags can be
-\fBoverride,[non\-]prescriptive,proxy\-authz\-[non\-]critical\fP
+\fBoverride,[non\-]prescriptive,proxy\-authz\-[non\-]critical,dn\-{authzid|whoami}\fP
When the
.B override
.B proxy\-authz\-critical
is recommended.
+When the
+.B dn\-authzid
+flag is used, RFC 3829 LDAP Authorization Identity Controls
+is used to retrieve the identity associated to the SASL identity;
+when the
+.B dn\-whoami
+flag is used, RFC 4532 LDAP Who am I? Operation is performed
+after the bind for the same purpose.
+
The TLS settings default to the same as the main slapd TLS settings,
except for
.B tls_reqcert
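Review bot: the new dn-authzid / dn-whoami paragraph leaves the default case undocumented: the removed sentence said authcDN must be given with SASL, the replacement only describes what happens when one of the two new flags is set, so a reader cannot tell what identity is asserted when bindmethod is SASL and neither flag nor binddn is configured (the config.c change makes that a silent built-in default, which belongs in this section). Also tighten the wording, e.g. "the RFC 3829 Authorization Identity control is sent with the bind to learn the identity associated with the SASL identity" and "an RFC 4532 Who am I? extended operation is performed after the bind", and note which one is preferable when the remote server supports both, since the man page otherwise gives the administrator no basis for choosing.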
if ( BER_BVISNULL( &si->si_bc.sb_binddn ) &&
!(si->si_flags & LDAP_BACK_AUTH_DN_MASK) )
{
- snprintf( c->cr_msg, sizeof( c->cr_msg ),
- "\"%s <args>\": "
- "SASL needs \"binddn\" or either \"dn-authzid\" or \"dn-whoami\" in flags",
- c->argv[0] );
- Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
- return 1;
+ static struct berval authid = BER_BVC("cn=auth");
+ ber_dupbv( &si->si_bc.sb_binddn, &authid );
}
}
break;
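Review bot: the replaced error path now silently substitutes the fixed placeholder DN "cn=auth" for a missing binddn when bindmethod is SASL and neither dn-authzid nor dn-whoami is set, so a configuration that previously failed at startup with "SASL needs \"binddn\" or either \"dn-authzid\" or \"dn-whoami\" in flags" is now accepted without any diagnostic; keep at least a Debug( LDAP_DEBUG_CONFIG, ... ) line saying the default identity is being used, and state the default in the slapd-ldap(5) text that this patch edits, because that value is what the authzFrom / authzTo rules mentioned at the top of that page will be evaluated against. The return value of ber_dupbv() is also unchecked here; if the surrounding code tolerates a NULL sb_binddn that is fine, otherwise return an error as the old branch did.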
default:
+#if 0 /* implicit */
ptr = lutil_strcopy( ptr, ",dn-none" );
+#endif
break;
}
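Review bot: rather than wrapping the dead `ptr = lutil_strcopy( ptr, ",dn-none" );` in `#if 0 /* implicit */`, delete the line and leave a one-line comment in the default case that no suffix is emitted because it is the default; version control keeps the history. If dn-none remains an accepted keyword on the input side (that hunk is not shown), it should also appear in the flag list added to the manual page next to dn-authzid and dn-whoami, otherwise a config that was written with dn-none will no longer round-trip through the emitted configuration.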