Re: --with-spasswd, SASL/GSSAPI authentication
Is there a way to prevent OpenLDAP 2.0.7 and SASL from opening (or
attempting to open) /etc/sasldb? I've gotten the implication somehow or
another that I can specify that LDAP is FORCED to use a certain
pwcheck_method (GSSAPI in my case) by creating a file
/usr/lib/sasl/slapd.conf with that option ("pwcheck_method:
gssapi"). Is that correct?
"Kurt D. Zeilenga" wrote:
>
> At 09:52 AM 1/10/01 -0800, Tomas Maly wrote:
> >What is the "--with-spasswd" configure option for?
>
> This option enables the {SASL} userPassword scheme which
> allows LDAP "simple" bind to verify using the Cyrus SASL
> library (which in turn might use SASLdb, Kerberos, pwcheckd).
>
> It's primarily meant to be used where you want to use SASLdb
> but have LDAP clients which only support "simple" bind.
>
> >How is the feature it
> >includes configured and implemented?
>
> You add:
> userPassword: {SASL}username
>
> (where username is the SASL user name) to the entry being bound to.
>
> >Also, if I use SASL/GSSAPI for my authentication (ldapadd -Y GSSAPI),
> >then what, by default, is my dn going to be (the dn it uses to determine
> >who I am and what access rights I have on certain attributes/entries)?
>
> In 2.0, the subject dn should be:
> uid=principal
>
> You can check the logs to see what the generated authzdn is.
> Depending on your configuration, the principal may or may
> not include your Kerberos realm.
>
> >Does SLAPD do a search for my principal (minus the realm) as a "uid"
> >attribute, and then return the respective dn that the uid is under?
>
> No. The authzdn is not mapped (yet).
>
> One generally uses regexes to grant permissions.
>
> >Let's say my Krb5 principal is "tomas@MVISTA.COM", would it then look
> >for my dn using "uid=tomas" as the criteria, and then return let's say
> >"dn:uid=tomas,ou=People,dc=mvista,dc=com" as my dn assuming that dn has
> >uid set to "tomas"?
>
> access to dn="uid=([^,]+),ou=People,dc=mvista,dc=com"
> by dn="uid=$1(@MVISTA.COM)?" write
--
Tomas Maly
"IT Freak"
MontaVista Software
(408) 328-8429
tmaly@mvista.com
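The ACL quoted in the reply (a regex on the target DN whose first capture is substituted as $1 into the "by dn" pattern) is easy to get subtly wrong, so the following is an added example, not code from the thread or from OpenLDAP, that models how such a rule decides write access. It takes the rule exactly as quoted, with the unmapped authzdn of the form uid=principal that the reply describes. Two points are assumptions made here rather than facts from the thread: the patterns are treated as anchored (fullmatch), which is what you get by writing them as ^...$ in slapd.conf, and the captured uid is regex-escaped before substitution; the escape_capture=False path shows what happens if the substituted text is instead compiled as regex, which is worth checking against your own slapd version.

```python
import re

# Rule as quoted in the reply (constructed test fixture, not a real slapd.conf).
ACL_TARGET = r"uid=([^,]+),ou=People,dc=mvista,dc=com"
ACL_BY = r"uid=$1(@MVISTA.COM)?"


def expand_by_pattern(by_pattern, target_match, escape_capture=True):
    """Replace $1..$9 in the 'by dn' pattern with the captures from the
    target-DN match.  With escape_capture=True the captured text is inserted
    literally (assumption made by this model); with False it is inserted raw
    and therefore compiled as regex, so a uid containing '.' or '*' changes
    the meaning of the rule."""
    def repl(m):
        captured = target_match.group(int(m.group(1)))
        return re.escape(captured) if escape_capture else captured
    return re.sub(r"\$(\d)", repl, by_pattern)


def acl_grants_write(authz_dn, target_dn, target_pattern=ACL_TARGET,
                     by_pattern=ACL_BY, escape_capture=True):
    """True if authz_dn is granted write on target_dn by the modelled rule.
    DN matching is done case-insensitively, the usual LDAP behaviour for
    uid values (assumption of this model).  Both patterns are anchored."""
    m = re.fullmatch(target_pattern, target_dn, re.IGNORECASE)
    if not m:
        return False  # rule does not apply to this entry at all
    by_regex = expand_by_pattern(by_pattern, m, escape_capture)
    return re.fullmatch(by_regex, authz_dn, re.IGNORECASE) is not None


if __name__ == "__main__":
    entry = "uid=tomas,ou=People,dc=mvista,dc=com"
    # Constructed authzdn values as slapd would derive them from a GSSAPI
    # bind, with and without the realm, plus a principal from another realm.
    for authz in ("uid=tomas", "uid=tomas@MVISTA.COM",
                  "uid=tomas@OTHER.COM", "uid=mallory"):
        print(f"{authz:24} -> write on own entry: "
              f"{acl_grants_write(authz, entry)}")
    # Why the capture should be escaped: 'j.doe' as raw regex also matches
    # 'jxdoe', so a different principal would gain write access.
    dotted = "uid=j.doe,ou=People,dc=mvista,dc=com"
    print("escaped  :", acl_grants_write("uid=jxdoe", dotted))
    print("unescaped:", acl_grants_write("uid=jxdoe", dotted,
                                         escape_capture=False))
```

Note that the quoted pattern's `@MVISTA.COM` leaves the dot as a regex wildcard; writing it as `@MVISTA\.COM` makes the realm check exact.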