
Changes 2.0.x -> 2.1.x



Hi List,

I'm trying to find out
if I can migrate my 2.0.25 server to the
new version 2.1.2.

I now want to use the SASL-enhancements in 2.1.2.

First, my environment:

Suse LINUX 7.1, Kernel 2.4.18
MIT Kerberos 1.2.5
CYRUS SASL 1.5.27


I noticed some differences.

In 2.0.25 I use the following entry in slapd.conf:

updatedn   "uid=ldapreplicator\+realm=HRNET.DE"

Now, 2.1.2 doesn't like this anymore and shows an
error message: "line 49: updatedn DN is invalid"

So I tried out the following:

updatedn   "uid=ldapreplicator,cn=HRNET.DE,cn=GSSAPI,cn=auth"

Is this correct, and does it mean the same?

By the way, the documentation doesn't tell too much about
this kind of "authentication" syntax.

Would the keywords "SASL", "KERBEROS_V4" and "KERBEROS_V5" be
correct instead of "GSSAPI"?

In the access statements I use the following syntax
in 2.0.25:

access to attr=uid
   by dn="uid=ldapreplicator.\+realm=HRNET.DE" write
   by dn="uid=admin,dc=hrnet,dc=de" read
   by anonymous search
   by * none
 
Is this okay, or do I have to use another syntax
(because the updatedn syntax changed)?


I am thinking of another way:

ldapreplicator@HRNET.DE exists as principal in
KERBEROS-V.

Now, let's say "ldapreplicator" would be in the "dit" as
"uid=ldapreplicator,cn=hrnet,cn=de".

If I tried to authenticate via KERBEROS, I could use
the new saslRegexp this way:

saslRegexp
  uid=ldapreplicator,cn=hrnet.de,cn=KERBEROS_V5,cn=auth
  uid=ldapreplicator,cn=hrnet,cn=de

If I'd like to authenticate via SASL, I would
change "cn=KERBEROS_V5" to "cn=SASL"?


Generally, is there more documentation about
SASL, GSSAPI etc. than in chapter 9 of the
"Administrator's guide ...", and if so, where can I find it?


Greetings to the list

Harry