Does saslauthd dereference alias objects in LDAP? Should it?

Torsten Schlabach tschlabach at gmx.net
Fri Sep 22 16:26:10 EDT 2006


 > Already available:
 >
 > ldap_deref: search|find|always|never

Thanks. Should I have found that in any docu?

Interestingly enough, I was guessing such a parameter, and had put in

ldap_deref: always

Interestingly enough, "always" does not include "find".

If I use "always", I don't find my alias objects at all.

If I use "find", I can see in the LDAP log that the alias object is 
found, but a bind to it (using the userPassword of the aliased object) 
fails.

Any thoughts?

Regards,
Torsten


Igor Brezac schrieb:
> 
>>-----Original Message-----
>>From: cyrus-sasl-bounces at lists.andrew.cmu.edu [mailto:cyrus-sasl-
>>bounces at lists.andrew.cmu.edu] On Behalf Of Torsten Schlabach
>>Sent: Thursday, September 21, 2006 11:23 AM
>>To: cyrus-sasl at lists.andrew.cmu.edu
>>Subject: Does saslauthd dereference alias objects in LDAP? Should it?
>>
>>Hi!
>>
>>I have a simple and quick question.
>>
>>In LDAP, I can set up alias objects. An alias object is an object
>>pointing to another object. An example:
>>
>>dn: uid=canonicalusername,ou=user,o=orphaned,o=myorg,o=world
>>objectClass: alias
>>objectClass: extensibleObject
>>aliasedObjectName: uid=xyz01606,ou=user,o=orphaned,o=myorg,o=world
>>uid: canonicalusername
>>
>>What I want to achieve is that
>>
>>testsaslauthd -u canonicalusername -p password
>>
>>will show "OK" with the userPassword attribute which is stored in the
>>referenced object, i.e. uid=xyz01606,ou=user,o=orphaned,o=myorg,o=world
>>in that case.
>>
>>A typical use for that would be to allow a user on a system with cryptic
>>IDs to use something easy to remember to sign in, for example his email
>>address. (Though this adds the extra issue that saslauthd splits anything
>>that contains a '@' into username and realm.)
>>
>>I understand this would not take anything more than adding a parameter
>>to the LDAP query for the username which will tell the LDAP lib to
>>dereference aliases, pretty much like the -a option of ldapsearch. But
>>that option does not seem to exist in saslauthd.
>>
>>Would anyone support introducing such an option?
> 
> 
> Already available: 
> 
> ldap_deref: search|find|always|never
> 
> -Igor
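The following is an added example, not code from the thread or from Cyrus SASL. It is a small in-memory model of the directory from the post (the alias entry is copied from the LDIF above; the target entry's attributes and the password "password" are constructed), written to show what each ldap_deref value does to a uid-based lookup and why a bind against the alias DN itself cannot succeed. It assumes the standard LDAP rule that derefAliases applies to the search operation only, so bind is done against whatever DN the search returned, and it assumes saslauthd accepts exactly one search result before binding; the "resolve_alias" flag is a hypothetical extra step (follow aliasedObjectName before binding), not a saslauthd option:

```python
"""Toy model of LDAP alias dereferencing and a saslauthd-style bind check.

Constructed in-memory directory; not a real LDAP client.
"""

BASE = "ou=user,o=orphaned,o=myorg,o=world"

# Constructed directory: the alias entry from the post and its (assumed) target.
DIRECTORY = {
    BASE: {"objectClass": ["organizationalUnit"], "ou": ["user"]},
    f"uid=xyz01606,{BASE}": {
        "objectClass": ["inetOrgPerson"],
        "uid": ["xyz01606"],
        "userPassword": ["password"],  # constructed value
    },
    f"uid=canonicalusername,{BASE}": {
        "objectClass": ["alias", "extensibleObject"],
        "aliasedObjectName": [f"uid=xyz01606,{BASE}"],
        "uid": ["canonicalusername"],  # alias entry: no userPassword here
    },
}


def is_alias(entry):
    return "alias" in entry["objectClass"]


def deref(dn, max_hops=10):
    """Follow aliasedObjectName until a non-alias entry; refuse loops/dangling aliases."""
    seen = set()
    while True:
        entry = DIRECTORY.get(dn)
        if entry is None:
            raise LookupError(f"dangling alias -> {dn}")
        if not is_alias(entry):
            return dn
        if dn in seen or len(seen) >= max_hops:
            raise LookupError(f"alias loop at {dn}")
        seen.add(dn)
        dn = entry["aliasedObjectName"][0]


def search(base, attr, value, deref_mode):
    """Subtree search under base for attr=value, honouring ldap_deref semantics.

    never : no dereferencing at all (alias entries are returned as themselves)
    find  : dereference only the base object
    search: dereference alias entries found below the base
    always: both
    """
    if deref_mode in ("find", "always"):
        base = deref(base)
    results = []
    for dn, entry in DIRECTORY.items():
        if not dn.endswith("," + base):  # scope: subordinates of base
            continue
        if deref_mode in ("search", "always") and is_alias(entry):
            # The alias is replaced by its target, so the filter is evaluated
            # against the target's attributes (uid=xyz01606), not the alias's.
            dn = deref(dn)
            entry = DIRECTORY[dn]
        if value in entry.get(attr, []) and dn not in results:
            results.append(dn)
    return results


def bind(dn, password):
    """Simple bind: aliases are not dereferenced, so an alias DN has no password to check."""
    entry = DIRECTORY.get(dn)
    return entry is not None and password in entry.get("userPassword", [])


def split_user_realm(login):
    """Model of saslauthd splitting 'user@realm' into username and realm."""
    user, _, realm = login.partition("@")
    return user, realm


def saslauthd_check(login, password, deref_mode, resolve_alias=False):
    """Search for uid=<user>, require exactly one hit, then bind as that DN."""
    user, _realm = split_user_realm(login)
    dns = search(BASE, "uid", user, deref_mode)
    if len(dns) != 1:
        return False
    dn = deref(dns[0]) if resolve_alias else dns[0]  # hypothetical extra step
    return bind(dn, password)
```

With "never" or "find" the search returns the alias DN, and the bind against it fails because the alias entry carries no userPassword; with "search" or "always" the alias is swapped for its target before the filter is applied, the target's uid does not match, and nothing is found. Only resolving the alias after the search and binding as the target DN succeeds in this model.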

