From: Pierangelo Masarati
Date: Sat, 5 Mar 2011 10:28:04 +0000 (+0000)
Subject: more about ITS#6817
X-Git-Tag: MIGRATION_CVS2GIT~32
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=16a1417a3f908daa89be011f9b6598105aaab200;p=openldap

more about ITS#6817
---
diff --git a/doc/man/man5/slapd-ldap.5 b/doc/man/man5/slapd-ldap.5
index 2fec6fe287..fe775db91e 100644
--- a/doc/man/man5/slapd-ldap.5
+++ b/doc/man/man5/slapd-ldap.5
@@ -338,19 +338,10 @@ permissions, or the asserted identities must have appropriate
 .I authzFrom
 permissions. Note, however, that the ID assertion feature is mostly useful when the asserted identities do not exist on the remote server.
-When
-.I bindmethod
-is
-.BR SASL ,
-the
-.I authcDN
-must be specified in addition to the
-.IR authcID ,
-although it is not used within the authentication process.
 Flags can be
-\fBoverride,[non\-]prescriptive,proxy\-authz\-[non\-]critical\fP
+\fBoverride,[non\-]prescriptive,proxy\-authz\-[non\-]critical,dn\-{authzid|whoami}\fP
 When the
 .B override
@@ -381,6 +372,15 @@ in violation of RFC 4370. Use of
 .B proxy\-authz\-critical
 is recommended.
+When the
+.B dn\-authzid
+flag is used, RFC 3829 LDAP Authorization Identity Controls
+is used to retrieve the identity associated to the SASL identity;
+when the
+.B dn\-whoami
+flag is used, RFC 4532 LDAP Who am I? Operation is performed
+after the bind for the same purpose.
+
 The TLS settings default to the same as the main slapd TLS settings, except for
 .B tls_reqcert
diff --git a/servers/slapd/back-ldap/config.c b/servers/slapd/back-ldap/config.c
index 48806df4c1..ca7c01df92 100644
--- a/servers/slapd/back-ldap/config.c
+++ b/servers/slapd/back-ldap/config.c
@@ -920,12 +920,8 @@ slap_idassert_parse( ConfigArgs *c, slap_idassert_t *si )
 if ( BER_BVISNULL( &si->si_bc.sb_binddn ) && !(si->si_flags & LDAP_BACK_AUTH_DN_MASK) ) {
- snprintf( c->cr_msg, sizeof( c->cr_msg ),
- "\"%s \": "
- "SASL needs \"binddn\" or either \"dn-authzid\" or \"dn-whoami\" in flags",
- c->argv[0] );
- Debug( LDAP_DEBUG_ANY, "%s: %s.\n", c->log, c->cr_msg, 0 );
- return 1;
+ static struct berval authid = BER_BVC("cn=auth");
+ ber_dupbv( &si->si_bc.sb_binddn, &authid );
 }
 }
@@ -1215,7 +1211,9 @@ ldap_back_cf_gen( ConfigArgs *c )
 break;
 default:
+#if 0 /* implicit */
 ptr = lutil_strcopy( ptr, ",dn-none" );
+#endif
 break;
 }
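Review bot: The new `ber_dupbv( &si->si_bc.sb_binddn, &authid );` in slap_idassert_parse turns what was a hard configuration error (SASL with neither `binddn` nor `dn-authzid`/`dn-whoami`) into a silently accepted placeholder DN, and nothing at the assignment explains why a fixed `cn=auth` is acceptable; the rationale the commit removes from the man page ("not used within the authentication process") belongs in a comment here, e.g. `/* SASL with no binddn and no dn-authzid/dn-whoami: fill in a placeholder authcDN; it is not used by the authentication itself */`. The return of ber_dupbv is also unchecked, whereas the old path reported failures via cr_msg; `if ( ber_dupbv( &si->si_bc.sb_binddn, &authid ) == NULL ) return 1;` keeps an allocation failure from leaving sb_binddn NULL and being treated as a valid configuration. Since a configuration that was previously rejected now loads without any message, a `Debug( LDAP_DEBUG_CONFIG, ... )` line noting the defaulted authcDN would help operators tell an intentional setup from an omitted `binddn`. The body of slap_idassert_parse begins and ends outside this hunk, so the surrounding handling of the SASL case could not be checked.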
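Review bot: Wrapping `ptr = lutil_strcopy( ptr, ",dn-none" );` in `#if 0 /* implicit */` in ldap_back_cf_gen leaves dead code whose only explanation is a one-word comment, and a later reader cannot tell whether it is parked for re-enabling or retired. Deleting the call and keeping a comment in the `default:` branch, such as `/* dn-none is the implicit default and is deliberately not emitted */`, states the intent without the disabled line. ldap_back_cf_gen continues outside this hunk, so the effect on the rest of the flags string was not visible for review.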