Lisa Lutz <[EMAIL PROTECTED]> writes:
> How are you going to handle multiple OUs? In the case where a
> certificate contains 4 multiple OUs but a user DN only contains one of
> those 4?

Hmmm... good question. How should we handle something like that? I
suppose some logic could be put in there to convert multiple matches into
an 'or' match, so you could end up with something like:

    (&(|(ou=abc)(ou=def)(ou=ghi))([EMAIL PROTECTED]))

I imagine the typical usage will be to map just the UID or email, since
those are the 'most unique' things typically.

Any suggestions always welcome. I think I've got the code about cleaned up
for distribution. Just had to ifdef a few things that will be useless in
things like Apache or non-threaded applications.

I've got to double check with my VP of engineering about releasing some
other utility routines we use with the Netscape SDK to make it thread-safe
on pthreads, Solaris threads (thr_XXX) and win32. If he gives me the OK,
then I'll leave the thread-safety stuff in there.

I'm still wondering what the best way to distribute this chunk of code is.
It sounds like a few people need this functionality outside of Apache and
friends.

Should this just be distributed as a separate library, and mod_ssl can test
for the availability of it at configure time? Any ideas from the peanut
gallery? The cert checking code itself is only ~800 lines of code, the
other relevant parts of the LDAP utility routines are only about another
350 or so. Not a lot of code for a standalone library.

-bp
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
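
An added example, not part of the original message and not the author's code: one way to turn several OU values from a certificate subject into the 'or' match discussed above. The function names and the "uid" attribute are assumptions; the RFC 4515 escaping is included because the values come from the certificate and must not be able to alter the filter's structure.

```c
#include <stdio.h>
#include <string.h>

/* Append s to dst (capacity cap); returns -1 instead of overflowing. */
static int append_lit(char *dst, size_t cap, const char *s)
{
    if (strlen(dst) + strlen(s) + 1 > cap) return -1;
    strcat(dst, s);
    return 0;
}

/* Append val with the RFC 4515 filter specials ( ) * \ escaped as \XX. */
static int append_escaped(char *dst, size_t cap, const char *val)
{
    char buf[4];
    for (; *val; val++) {
        unsigned char c = (unsigned char)*val;
        int special = (c == '(' || c == ')' || c == '*' || c == '\\');
        snprintf(buf, sizeof buf, special ? "\\%02x" : "%c", c);
        if (append_lit(dst, cap, buf)) return -1;
    }
    return 0;
}

static int append_term(char *dst, size_t cap, const char *attr, const char *val)
{
    return (append_lit(dst, cap, "(") || append_lit(dst, cap, attr) ||
            append_lit(dst, cap, "=") || append_escaped(dst, cap, val) ||
            append_lit(dst, cap, ")")) ? -1 : 0;
}

/* (&(|(ou=..)(ou=..))(uid=..)); "uid" is an assumed attribute name.
 * A single OU is emitted without the OR wrapper. Returns 0 or -1. */
int build_filter(char *out, size_t cap, const char **ous, size_t n, const char *uid)
{
    if (cap == 0) return -1;
    out[0] = '\0';
    if (append_lit(out, cap, n > 1 ? "(&(|" : "(&")) return -1;
    for (size_t i = 0; i < n; i++)
        if (append_term(out, cap, "ou", ous[i])) return -1;
    if (n > 1 && append_lit(out, cap, ")")) return -1;
    if (append_term(out, cap, "uid", uid)) return -1;
    return append_lit(out, cap, ")");
}

int main(void)
{
    const char *ous[] = { "abc", "def", "ghi" };  /* constructed sample */
    char f[128];
    return build_filter(f, sizeof f, ous, 3, "jdoe") == 0 ? puts(f) < 0 : 1;
}
```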