RE: Changes 2.0.x -> 2.1.x
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Harry Ruter
> Hi List,
>
> I'm trying to find out if I can migrate my 2.0.25 server to the
> new version 2.1.2.
>
> I now want to use the SASL-enhancements in 2.1.2.
>
> First, my environment :
>
> Suse LINUX 7.1, Kernel 2.4.18
> MIT Kerberos 1.2.5
> CYRUS SASL 1.5.27
Cyrus SASL 1.5.27 is very buggy. GSSAPI support is not usable without patches.
I sent the patches to the Cyrus folks but there will not be any more 1.5
releases, so those patches will likely never see the light of day.
>
> I noticed some differences.
>
> In 2.0.25 I use the following entry in slapd.conf:
>
> updatedn "uid=ldapreplicator\+realm=HRNET.DE"
>
> Now, 2.1.2 doesn't like this anymore and shows an
> error message: "line 49: updatedn DN is invalid"
>
> So I tried out the following:
>
> updatedn
> "uid=ldapreplicator,cn=HRNET.DE,cn=GSSAPI,cn=auth"
>
> Is this correct, does it mean the same?
Yes, that looks correct.
>
> By the way, the documentation doesn't tell too much about
> this kind of "authentication" syntax.
>
> Would the keywords "SASL", "KERBEROS_V4" and "KERBEROS_V5" be
> correct instead of "GSSAPI"?
No. SASL can only use Kerberos 5 through GSSAPI. "SASL" is not a
SASL mechanism name. "KERBEROS_V4" is the correct mechanism name for Kerberos 4.
>
> In the access statements I use the following syntax
> in 2.0.25:
>
> access to attr=uid
> by dn="uid=ldapreplicator.\+realm=HRNET.DE" write
> by dn="uid=admin,dc=hrnet,dc=de" read
> by anonymous search
> by * none
>
> Is this okay, or do I have to use another syntax
> (because the updatedn syntax changed)?
The SASL Authentication DN syntax has changed. Anywhere you would specify the DN
of a SASL ID is affected by this change - updatedn, rootdn, DNs in ACLs, etc...
>
> I'm thinking of another way:
>
> ldapreplicator@HRNET.DE exists as principal in
> KERBEROS-V.
>
> Now, let's say "ldapreplicator" would be in the DIT as
> "uid=ldapreplicator,cn=hrnet,cn=de".
>
> If I tried to authenticate via KERBEROS I could use
> the new saslRegexp this way:
>
> saslRegexp
> uid=ldapreplicator,cn=hrnet.de,cn=KERBEROS_V5,cn=auth
> uid=ldapreplicator,cn=hrnet,cn=de
No. "KERBEROS_V5" is not a valid SASL mechanism name. Use "GSSAPI".
> If I'd like to authenticate via SASL I would
> change "cn=KERBEROS_V5" to "cn=SASL"?
No. "SASL" is not a valid SASL mechanism name.
>
> Generally, is there more documentation about
> SASL, GSSAPI etc. than in chapter 9 of the
> "Administrator's Guide ...", and if so, where can I find it?
There are new updates to the Administrator's Guide that will be released soon.
I believe 2.1.3 will be released soon and the Admin Guide updates will be
available then, with documentation for all of these features.
>
>
> greets to the list
>
> Harry
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
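The thread above turns on three things: the 2.1 SASL authorization DN form (uid=<authcid>,cn=<realm>,cn=<mechanism>,cn=auth), the fact that only real mechanism names such as GSSAPI and KERBEROS_V4 are valid in the cn=<mechanism> slot, and the saslRegexp rewrite that maps that DN onto an entry in the DIT before ACLs are evaluated. The following Python is an added example written for this page, not code from the thread or from OpenLDAP; it models the mapping in a few lines so the effect of each piece of configuration can be checked offline. It assumes saslRegexp-style rules match the whole DN case-insensitively and use $1, $2, ... for capture groups, and the mechanism allow-list is a constructed set containing only the names mentioned in the thread.

```python
import re

# Constructed allow-list: the mechanism names the thread identifies as real.
# "SASL" and "KERBEROS_V5" are deliberately absent; Kerberos 5 goes via GSSAPI.
KNOWN_MECHANISMS = {"GSSAPI", "KERBEROS_V4"}


def is_mechanism_name(name):
    """True if name may appear in the cn=<mechanism> slot of the authz DN."""
    return name in KNOWN_MECHANISMS


def sasl_authz_dn(authcid, mechanism, realm=""):
    """Build the 2.1-style SASL authorization DN:
    uid=<authcid>[,cn=<realm>],cn=<mechanism>,cn=auth
    """
    if not is_mechanism_name(mechanism):
        raise ValueError("%r is not a SASL mechanism name" % mechanism)
    parts = ["uid=" + authcid]
    if realm:
        parts.append("cn=" + realm)
    parts.extend(["cn=" + mechanism, "cn=auth"])
    return ",".join(parts)


def principal_to_authz_dn(principal, mechanism="GSSAPI"):
    """Map a Kerberos principal user@REALM onto the SASL authorization DN."""
    user, sep, realm = principal.partition("@")
    if not sep or not user or not realm:
        raise ValueError("malformed principal %r" % principal)
    return sasl_authz_dn(user, mechanism, realm)


def apply_sasl_regexp(authz_dn, rules):
    """Rewrite authz_dn with saslRegexp-style (pattern, replacement) rules.
    Assumption of this example: the pattern must match the whole DN,
    matching is case-insensitive, and $N in the replacement is capture group N.
    The first matching rule wins; with no match the DN is returned unchanged.
    """
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, authz_dn, flags=re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), replacement)
    return authz_dn


def acl_decision(bound_dn, by_clauses):
    """First matching 'by' clause wins, as in a slapd access directive.
    by_clauses is a list of (who, access); who is an exact DN, 'anonymous' or '*'.
    """
    for who, access in by_clauses:
        if who == "*":
            return access
        if who == "anonymous" and bound_dn == "":
            return access
        if who.lower() == bound_dn.lower():
            return access
    return "none"


# The ACL from the thread, with the updatedn identity in 2.1 syntax (constructed).
ACCESS_TO_UID = [
    ("uid=ldapreplicator,cn=HRNET.DE,cn=GSSAPI,cn=auth", "write"),
    ("uid=admin,dc=hrnet,dc=de", "read"),
    ("anonymous", "search"),
    ("*", "none"),
]

# A saslRegexp rule in the same spirit as the one proposed in the thread,
# mapping the GSSAPI identity onto an entry under dc=hrnet,dc=de (constructed).
REPLICATOR_RULES = [
    (r"uid=([^,]+),cn=hrnet\.de,cn=gssapi,cn=auth", "uid=$1,dc=hrnet,dc=de"),
]


def identity_after_bind(principal, rules):
    """The DN slapd would evaluate ACLs against: the mapped DN if a rule
    matched, otherwise the raw SASL authorization DN."""
    return apply_sasl_regexp(principal_to_authz_dn(principal), rules)


if __name__ == "__main__":
    raw = principal_to_authz_dn("ldapreplicator@HRNET.DE")
    print("authz DN:", raw)
    print("mapped:  ", identity_after_bind("ldapreplicator@HRNET.DE", REPLICATOR_RULES))
    print("ACL with no saslRegexp:", acl_decision(raw, ACCESS_TO_UID))
```

Two points the run makes visible: with no saslRegexp the ACL's `by dn=` clause must name the full cn=auth form exactly, which is why the old `\+realm=` ACLs stop matching after the upgrade; and once a rule maps the identity into the DIT, the ACL has to name the mapped DN instead, otherwise the replicator silently drops to the `by * none` clause.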