when comparing IDs to saslAuthzTo/From values, the saslAuthzTo
saslAuthzFrom values can take different forms:
dn[.<style>]:<pattern>
<style> ::= exact ; exact match
children ; children of <pattern> match
subtree ; <pattern> or children of <pattern> match
regex ; <pattern> is regcomp() & regexec()
if no <style>, then exact is assumed
u[.<mech>][/<realm>]:<user>
when parsing a proxyAuthz value, only exact DN is allowed,
and no <mech> can be specified. <user> cannot contain ':'
and <mech> cannot contain '/'.
new slapadd options
-p : promote : If the ldif file contains syncConsumerSubentries, convert
them to a single syncProviderSubentry. Its contextCSN
attribute has the largest value of the syncreplCookie
attributes of the syncConsumerSubentries.
syncProviderSubentry in the ldif file is retained.
-p -w : promote : Recalculate contextCSN based on entryCSN of each entry.
create Existing syncConsumerSubentries and syncProviderSubentry
are ignored and not added to the directory.
-r : demote : If the ldif file contains syncProviderSubentry, convert it
to a syncConsumerSubentry having the default syncrepl id
of 0. syncConsumerSubentries in the ldif file are retained.
-r -w : demote : Recalculate syncreplCookie based on entryCSN of each entry.
create Existing syncConsumerSubentries and syncProviderSubentry
are ignored and not added to the directory. The default
syncrepl id of 0 will be used for the new
syncConsumerSubentry.
-r -w -i %d[,%d]* : Using the comma separated list followed by the -i option,
it is possible to create multiple syncConsumerSubentries
having the syncrepl ids specified in the list.
syncreplCookie values of these sycnConsumerSubentries
will have the same value, either from the maximum
entryCSN value or from the contextCSN value of the
syncProviderSubentry.
- currenty works for refreshOnly mode of LDAP Sync
- Context CSN for add / modify is implemented
- code for delete / modrdn / refreshAndPersist will be soon committed
consolidated into the Operation structure. All reply parameters
are consolidated into the new SlapReply structure. Most operations
now have identical call signatures... Changes are not #ifdef'd,
revert to -r NO_SLAP_OP_BLOCKS if necessary to back out.
Added sasl-authz-policy config keyword to control proxy authorization.
Moved sasl-related config processing to sasl.c:slap_sasl_config().
Moved other global defs used only in saslauthz.c into saslauthz.c.
