At 07:52 AM 1/20/2004, Chris Ridd wrote:
>I note that when using SASL, Net::LDAP's bind method automatically sets the
>user field to something:
>
>    my $sasl = $passwd;
>    # Tell the SASL object our user identifier
>    $sasl->callback( user => "dn: $stash{name}")
>      unless $sasl->callback('user');
>
>We're using SASL EXTERNAL. With this mechanism the authentication id comes
>from the client's cert, and the optional sasl->credentials field contains
>the authorization id. I'm not sure where all this is defined :-)
>
>Because Net::LDAP sets the authz id to something ("dn: "), this causes
>a bind failure. (The user isn't allowed to authorize as someone else.)
>
>Setting the sasl->credentials seems wrong to me in this case. What do other
>people think who are using EXTERNAL? Is the best place to fix this (if it is
>a bug) in EXTERNAL.pm?

My thoughts on this are:

Unless the user wishes to assume the identity of another
user, no authzid should be specified.  The server will do
the right thing.

It would be incorrect for the client itself to attempt to
derive an authzid from what it thinks the authcid is because
1) it may not know the precise authcid used by the server
(EXTERNAL is not necessarily tied to TLS; it could be tied to
something else) and 2) the client cannot reliably mimic the
server's authcid->authzid mapping behavior without a priori
knowledge.  That is, whatever the client does on its own
will likely be the wrong thing.

BTW, there should be a space after "dn:".  See RFC 2829.

Kurt 
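As an added example (not code from this thread, from Net::LDAP or from Authen::SASL), here is a Net::LDAP client that binds with SASL EXTERNAL over TLS and sends an empty authzid, so the server performs the authcid-to-authzid mapping Kurt describes instead of the client asserting one. The hostname and certificate paths are placeholders, and using a code reference to keep Net::LDAP from substituting its "dn: ..." value is an assumption about how the two libraries treat the user callback.

```perl
#!/usr/bin/perl
# Added example, not from the thread or from Net::LDAP itself:
# SASL EXTERNAL bind over TLS that sends NO authzid, leaving the
# identity mapping to the server.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Extension::WhoAmI;
use Authen::SASL;

# Placeholder values (assumed): replace with your own host and PKI files.
my $host       = 'ldap.example.com';
my $ca_file    = '/etc/ssl/certs/example-ca.pem';
my $client_crt = '/etc/ssl/private/ldap-client.crt';
my $client_key = '/etc/ssl/private/ldap-client.key';

my $ldap = Net::LDAP->new($host) or die "connect: $@";

# Verify the server and present the client certificate; the server's
# EXTERNAL implementation derives the authcid from that certificate.
my $tls = $ldap->start_tls(
    verify     => 'require',
    cafile     => $ca_file,
    clientcert => $client_crt,
    clientkey  => $client_key,
);
die "start_tls: " . $tls->error if $tls->code;

# Assumption about library behaviour: Net::LDAP installs its "dn: ..."
# user callback only when $sasl->callback('user') is false. An empty
# string is false in Perl, so a code reference returning '' is used:
# the reference itself is true, and Authen::SASL calls it when building
# the initial response, yielding an empty authzid. That is what an
# EXTERNAL client should send unless it really intends to proxy-authorize.
my $sasl = Authen::SASL->new(
    mechanism => 'EXTERNAL',
    callback  => { user => sub { '' } },
);

my $bind = $ldap->bind(sasl => $sasl);
die "bind: " . $bind->error if $bind->code;

# Ask the server which identity it actually assigned (RFC 4532 "Who am I?"),
# so the mapping is confirmed server-side rather than guessed client-side.
my $who = $ldap->who_am_i;
print "bound as: ",
    ($who->code ? "unknown (" . $who->error . ")" : $who->response), "\n";

$ldap->unbind;
```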
