RFC auxprop enhancement

Pierangelo Masarati ando at sys-net.it
Thu Dec 29 06:31:52 EST 2005


Howard, Alexey,

according to <http://www.openldap.org/lists/ietf-ldapext/200512/msg00001.html>
and to other privately collected opinions, it appears that there is little
chance that <draft-behera-ldap-password-policy> will include a generic
mechanism for interoperation between the DSA and the authentication
application, in this case Cyrus SASL.

However, nothing is lost: with the modifications to the auxprop lookup
API you mentioned, we could still obtain the desired behavior with the
auxprop built into slapd, and we could implement
<draft-behera-ldap-password-policy> by exploiting the manageDIT control to
manipulate the NO-USER-MODIFICATION auth info.  Too bad this will be
OpenLDAP specific only, unless the manageDIT control gets coded into an
I.D. and gains momentum.

So my previous planning would now turn into:

- modify the auxprop API (Cyrus SASL) to return an error value and allow
an optional auxprop_done() call;

- line up the existing auxprop plugins with the new API (not strictly
related to this issue);

- modify slapd's auxprop to deal with ppolicy handling (not guaranteed
to be straightforward, since two separate modules need to cooperate;
SASL is hardcoded, so this might be a good time to factor it out, in
case we need two different implementations for original/ppolicy
versions; this might be better discussed on openldap-devel);

- modify slapd's ppolicy overlay to allow modification of auth info
restricted by manageDIT (better discussed on openldap-devel as well; it
may require deferring operational attrs modification checking to allow
overlays to step in);

- modify Cyrus' ldapdb to implement draft-behera by way of manageDIT
(should be straightforward, although it's going to be a duplication of
slapd's ppolicy overlay).

p.




Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309          
Mobile:   +39.333.4963172
Email:    pierangelo.masarati at sys-net.it
------------------------------------------
