
RE: Changes 2.0.x -> 2.1.x



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Harry Ruter

> Hi List,
>
> I'm trying to find out if I can migrate my
> 2.0.25 server to the new version 2.1.2.
>
> I now want to use the SASL-enhancements in 2.1.2.
>
> First, my environment :
>
> Suse LINUX 7.1, Kernel 2.4.18
> MIT Kerberos 1.2.5
> CYRUS SASL 1.5.27

Cyrus SASL 1.5.27 is very buggy. GSSAPI support is not usable without patches.
I sent the patches to the Cyrus folks, but there will not be any more 1.5
releases, so those patches will likely never see the light of day.
>
> I noticed some differences.
>
> In 2.0.25 I use the following entry in slapd.conf:
>
> updatedn   "uid=ldapreplicator\+realm=HRNET.DE"
>
> Now, 2.1.2 doesn't like this anymore and shows an
> error message: "line 49: updatedn DN is invalid"
>
> So I tried the following:
>
> updatedn "uid=ldapreplicator,cn=HRNET.DE,cn=GSSAPI,cn=auth"
>
> Is this correct, and does it mean the same?

Yes, that looks correct.
>
> By the way, the documentation doesn't tell too much about
> this kind of "authentication" syntax.
>
> Would the keywords "SASL", "KERBEROS_V4" and "KERBEROS_V5" be
> correct instead of "GSSAPI"?

No. SASL can only use Kerberos 5 through GSSAPI. "SASL" is not a SASL
mechanism name. "KERBEROS_V4" is the correct mechanism name for Kerberos 4.
>
> In the access statements I use the following syntax
> in 2.0.25:
>
> access to attr=uid
>    by dn="uid=ldapreplicator.\+realm=HRNET.DE" write
>    by dn="uid=admin,dc=hrnet,dc=de" read
>    by anonymous search
>    by * none
>
> Is this okay, or do I have to use another syntax
> (because the updatedn syntax changed)?

The SASL Authentication DN syntax has changed. Anywhere you would specify the
DN of a SASL ID is affected by this change - updatedn, rootdn, DNs in ACLs,
etc.
>
> I'm thinking of another way:
>
> ldapreplicator@HRNET.DE exists as a principal in
> KERBEROS-V.
>
> Now, let's say "ldapreplicator" would be in the "dit" as
> "uid=ldapreplicator,cn=hrnet,cn=de".
>
> If I tried to authenticate via KERBEROS I could use
> the new saslRegexp this way:
>
> saslRegexp
>   uid=ldapreplicator,cn=hrnet.de,cn=KERBEROS_V5,cn=auth
>   uid=ldapreplicator,cn=hrnet,cn=de

No. "KERBEROS_V5" is not a valid SASL mechanism name. Use "GSSAPI".

> If I'd like to authenticate via SASL I would
> change "cn=KERBEROS_V5" to "cn=SASL"?

No. "SASL" is not a valid SASL mechanism name.
>
> Generally, is there more documentation about
> SASL, GSSAPI etc. than in chapter 9 of the
> "Administrator's Guide ...", and if so, where can I find it?

There are new updates to the Administrator's Guide that will be released soon.
I believe 2.1.3 will be released soon and the Admin Guide updates will be
available then, with documentation for all of these features.
>
>
> greets to the list
>
> Harry

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
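The following is an added illustration, not code from this thread or from OpenLDAP: a small Python model of what the exchange above describes, namely how a 2.1.x slapd turns a Kerberos (GSSAPI) bind into the `uid=<authcid>,cn=<realm>,cn=<mech>,cn=auth` authentication DN, how `saslRegexp` rules then rewrite that DN into a DIT DN (first matching rule wins, `$1`-style back-references), and why a 2.0-era `\+realm=` subject or a rule written against a non-existent `cn=KERBEROS_V5` mechanism never matches anything. Assumptions beyond the thread: the regex match is treated as case-insensitive, only the DN form of the replacement is modelled (not the LDAP-URL search form), DN comparison is simplified to case-folding, and the second, generic `ou=people,dc=hrnet,dc=de` rule is a made-up example of mapping the rest of the realm. Harry's own rule is kept but anchored with `^`/`$` and with the realm's `.` escaped, which is what a practitioner should do so the pattern cannot match a longer or differently-spelt DN.

```python
"""Model of OpenLDAP 2.1-style SASL authentication DNs and saslRegexp rewriting.
Added illustration for the mailing-list thread above; not slapd source code."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SaslIdentity:
    """What the SASL layer hands slapd after a successful bind."""
    authcid: str          # authentication id, e.g. "ldapreplicator"
    mech: str             # negotiated SASL mechanism name, e.g. "GSSAPI"
    realm: str = ""       # e.g. "HRNET.DE"; empty if the mechanism supplies none


def gssapi_identity(principal: str) -> SaslIdentity:
    """Kerberos principal 'user@REALM' as the GSSAPI mechanism presents it."""
    user, sep, realm = principal.rpartition("@")
    if not sep or not user or not realm:
        raise ValueError(f"not a user@REALM principal: {principal!r}")
    return SaslIdentity(authcid=user, mech="GSSAPI", realm=realm)


def sasl_auth_dn(ident: SaslIdentity) -> str:
    """2.1.x form: uid=<authcid>[,cn=<realm>],cn=<mech>,cn=auth"""
    rdns = [f"uid={ident.authcid}"]
    if ident.realm:
        rdns.append(f"cn={ident.realm}")
    rdns += [f"cn={ident.mech}", "cn=auth"]
    return ",".join(rdns)


def old_sasl_auth_dn(ident: SaslIdentity) -> str:
    """2.0.x form quoted in the thread (written 'uid=x\\+realm=R' in slapd.conf,
    the backslash escaping '+'). Kept only to show why 2.0 ACLs stop matching."""
    return f"uid={ident.authcid}+realm={ident.realm}" if ident.realm else f"uid={ident.authcid}"


def _expand(template: str, m) -> str:
    """Substitute $1..$9 from the regex match into a saslRegexp replacement."""
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), template)


def map_sasl_dn(auth_dn: str, rules) -> str:
    """Apply (search, replace) pairs in slapd.conf order; the first match wins.
    Assumed: extended regex, case-insensitive match, DN-form replacement only.
    A DN no rule matches is left in its cn=auth form, exactly as slapd does."""
    for search, replace in rules:
        m = re.search(search, auth_dn, re.IGNORECASE)
        if m:
            return _expand(replace, m)
    return auth_dn


def dn_equal(a: str, b: str) -> bool:
    """Simplified DN comparison: case-insensitive, spaces after commas ignored.
    Adequate for uid/cn/dc values; real DN normalisation also handles escapes."""
    def norm(dn: str) -> str:
        return ",".join(p.strip().lower() for p in dn.split(","))
    return norm(a) == norm(b)


# Constructed rules for Harry's setup. Rule 1 is his mapping, anchored and with
# the realm's '.' escaped. Rule 2 is an assumption, not from the thread: it maps
# every other principal of the realm. Order matters: put specific rules first.
RULES = [
    (r"^uid=ldapreplicator,cn=hrnet\.de,cn=gssapi,cn=auth$",
     "uid=ldapreplicator,cn=hrnet,cn=de"),
    (r"^uid=([^,]+),cn=hrnet\.de,cn=gssapi,cn=auth$",
     "uid=$1,ou=people,dc=hrnet,dc=de"),
]

# The rule Harry first proposed: slapd never emits cn=KERBEROS_V5 (GSSAPI is
# the mechanism name), so this rule can never fire for a Kerberos bind.
BROKEN_RULES = [
    (r"^uid=ldapreplicator,cn=hrnet\.de,cn=KERBEROS_V5,cn=auth$",
     "uid=ldapreplicator,cn=hrnet,cn=de"),
]


def authorization_dn(principal: str, rules=RULES) -> str:
    """Kerberos principal -> 2.1 auth DN -> saslRegexp -> DN the ACLs see."""
    return map_sasl_dn(sasl_auth_dn(gssapi_identity(principal)), rules)


if __name__ == "__main__":
    ident = gssapi_identity("ldapreplicator@HRNET.DE")
    print(sasl_auth_dn(ident))                 # uid=ldapreplicator,cn=HRNET.DE,cn=GSSAPI,cn=auth
    print(authorization_dn("ldapreplicator@HRNET.DE"))   # uid=ldapreplicator,cn=hrnet,cn=de
    print(authorization_dn("harry@HRNET.DE"))            # uid=harry,ou=people,dc=hrnet,dc=de
    # A 2.0-style ACL subject no longer equals what 2.1 produces:
    print(dn_equal(old_sasl_auth_dn(ident), sasl_auth_dn(ident)))       # False
    # With the KERBEROS_V5 rule the DN stays unmapped, so a DIT-DN ACL never applies:
    print(authorization_dn("ldapreplicator@HRNET.DE", BROKEN_RULES))    # unchanged cn=auth DN
```

Run it as a script to see the mapping for the replicator principal, for another principal in the realm, and for the misconfigured rule set; the unmapped `cn=auth` DN in the last case is what an `access to ... by dn="uid=ldapreplicator,cn=hrnet,cn=de" write` clause would silently fail to match, which is how a wrong mechanism name in a `saslRegexp` shows up in practice (replication denied, no error at startup).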