Would there be any problem releasing this code under whatever open-source license OpenLDAP is using, supposing I did write something and submit it back to the project?

On 2/08/2023 12:34 am, David Hawes wrote:
> On Tue, 1 Aug 2023 at 04:35, Ondřej Kuzník <[email protected]> wrote:
>> On Tue, Aug 01, 2023 at 09:09:43AM +1000, Sean Gallagher wrote:
>>> 3) Finally, if the system admin wants to use the TLS layer authentication
>>> state to subtly modify access rights, that is also allowed by the RFCs, BUT
>>> NOT BY SLAPD.
>>>
>>> I find slapd's incapacity in the third case to be a bizarre inconsistency.
>> The ACL subsystem is extensible well beyond this and I find it bizarre that
>> you keep ignoring that.
> I created a dynacl a while back that does what I think Sean is looking
> for: use the SASL_AUTH_EXTERNAL property to allow auth access to
> userPassword. My original use case was to get rid of an IP whitelist
> and instead use TLS client auth to control what clients can perform a
> simple bind, but it can be used for pretty much any access you'd like.
>
> I've attached a simplified version of that dynacl that does away with
> instance-specific checks.
