Pierangelo Masarati wrote:
> Simon Gao wrote:
>
>> I am making some progress on this. Following example test014, I am able
>> to get sasl bind working.
>>
>> I still have two questions.
>>
>> 1) For chain-idassert-bind, if I put bindmethod, saslmech, binddn, mode
>> on each individual line, then sasl binding does not work. They all must
>> be on the same one line. Any reason why multiple lines work for simple
>> bind, but not for sasl binding? The inconsistency will cause more
>> effort in troubleshooting.
>>
>
> This should not be true. I suspect you're doing something weird with
> leading blanks in continuation lines, since the configuration parser
> sees each statement as a single line anyway, after gluing multiple lines
> by replacing continuation indentation with a single blank. If you
> intend to submit an example of your configuration, please attach it to
> the message (if small) or make it available for public download.
> Cut'n'paste could mess up critical portions of the message, like lining
> and whitespace.
>

This was indeed an extra space problem. After removing the extra space, it works fine.

>> 2) Is it possible to add authzTo/authzFrom at
>> "ou=people,dc=example,dc=com" level and all the child entries be proxy
>> authenticated?
>>
>
> I'm not aware of any feature like that. In any case, it should be of
> very limited help in chaining, since the rationale behind chaining is
> that users that cannot autonomously authenticate on a remote DSA get
> authorized by some special identity that has authorization privileges.
> So all you need is authzTo in the special identity's entry, while in
> general the identity that's being authorized does not necessarily reside
> in the DSA.
>

authzTo worked fine with a proxy entry.

Thanks.

Simon
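
The line gluing described in the quoted reply, as an added example that is not part of the original thread and is not OpenLDAP's code: a simplified Python model that joins indented continuation lines with a single blank and flags whitespace slips in a `chain-idassert-bind` statement. The function names, the two heuristics, and the sample configuration (DN and mechanism values) are assumptions constructed for illustration.

```python
# Simplified model of the behaviour described in the reply: a physical line
# that begins with whitespace continues the previous statement, and its
# indentation is replaced by a single blank. Not OpenLDAP's parser.

# Constructed sample; the DN and mechanism values are placeholders.
SAMPLE = """\
chain-idassert-bind bindmethod=sasl
    saslmech=DIGEST-MD5
\tbinddn="cn=proxy,dc=example,dc=com"
mode=self
"""

def glue_statements(text):
    """Return [(first_line_no, statement)] after gluing continuation lines."""
    statements = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip():
            continue  # blank or whitespace-only line
        if raw[0] in " \t" and statements:
            first_no, stmt = statements[-1]
            statements[-1] = (first_no, stmt + " " + line.lstrip())
        else:
            statements.append((no, line))
    # Comments are dropped after unwrapping, so an indented line that
    # follows a comment is part of that comment.
    return [(n, s) for n, s in statements if not s.startswith("#")]

def lint(text):
    """Heuristic checks (assumed, not from slapd) for whitespace slips."""
    findings = []
    for no, stmt in glue_statements(text):
        tokens = stmt.split()  # naive split; ignores quoting
        if "=" in tokens[0]:
            findings.append((no, "key=value at column 0 starts a new "
                                 "statement instead of continuing one"))
        for tok in tokens[1:]:
            if tok.startswith("=") or tok.endswith("="):
                findings.append((no, "blank around '=' splits " + tok))
    return findings

if __name__ == "__main__":
    for no, stmt in glue_statements(SAMPLE):
        print(f"statement starting at line {no}: {stmt}")
    for no, msg in lint(SAMPLE):
        print(f"line {no}: {msg}")
```

In the sample, `mode=self` has lost its indentation, so it becomes a statement of its own and never reaches `chain-idassert-bind`.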
