
Question on GSSAPI-authentication



Hi everybody,

I have a question on the GSSAPI implementation
in v2.1.x (or maybe on how SASL/GSSAPI works).

Suppose I have the following access rule

---snipp---
access to attr=uid
   by dn="uid=ldapreplicator,cn=HRNET.DE,cn=GSSAPI,cn=auth" read
   by self write
   by * read
---snipp---

and the saslregexp :

---snipp---
saslRegexp
  uid=(.*),cn=HRNET.DE,cn=GSSAPI,cn=auth
  uid=$1,ou=ldap,o=myorganization,dc=hrnet,dc=de
---snipp---

Now, what happens when ldapreplicator,
who is ldapreplicator@HRNET.DE, wants to authenticate?

Is it:

  ldapreplicator@HRNET.DE
translated to
  uid=ldapreplicator,cn=HRNET.DE,cn=GSSAPI,cn=auth
and then (via saslRegexp) translated to
  uid=ldapreplicator,ou=ldap,o=myorganization,dc=hrnet,dc=de

So ldapreplicator must be an entry in the
directory?
Which objectclass does he have?

Or is there no need for a directory entry?
What about the password?

Greets,
Harry

PS: My questions may seem foolish,
    but I have a serious problem understanding how
    authentication via GSSAPI really works.
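The two-step translation asked about above (Kerberos principal to SASL auth DN, then the saslRegexp rewrite) and the way the access rule is then evaluated can be modelled in a few lines. The following is an added example, not code from the post or from OpenLDAP itself; it assumes slapd's `uid=<user>,cn=<REALM>,cn=<MECH>,cn=auth` form for the SASL identity, uses a capture group `(.*)` in the regexp so that `$1` has something to refer to, and simplifies DN comparison to a case-insensitive string compare. The input values are the ones from the message.

```python
import re

# Constructed from the message: the saslRegexp, with a capture group so $1 is defined.
SASL_REGEXPS = [
    (r"uid=(.*),cn=HRNET.DE,cn=GSSAPI,cn=auth",
     r"uid=$1,ou=ldap,o=myorganization,dc=hrnet,dc=de"),
]

# Constructed from the message: the "by" clauses of "access to attr=uid", in order.
ACCESS_RULES = [
    ("dn", "uid=ldapreplicator,cn=HRNET.DE,cn=GSSAPI,cn=auth", "read"),
    ("self", None, "write"),
    ("*", None, "read"),
]


def sasl_auth_dn(principal, mech="GSSAPI"):
    """Step 1: the authenticated SASL name user@REALM becomes the synthetic
    DN uid=user,cn=REALM,cn=MECH,cn=auth (assumed slapd behaviour)."""
    user, _, realm = principal.partition("@")
    if not user or not realm:
        raise ValueError("expected user@REALM, got %r" % principal)
    return "uid=%s,cn=%s,cn=%s,cn=auth" % (user, realm, mech)


def apply_sasl_regexp(auth_dn, regexps=SASL_REGEXPS):
    """Step 2: the first saslRegexp whose pattern matches rewrites the DN;
    $1..$9 in the replacement are filled from the capture groups.
    Matching is simplified (case-insensitive match from the start)."""
    for pattern, replacement in regexps:
        m = re.match(pattern, auth_dn, flags=re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return auth_dn  # no rule matched: the synthetic DN is used as-is


def effective_dn(principal):
    """The DN slapd evaluates access rules against after both steps."""
    return apply_sasl_regexp(sasl_auth_dn(principal))


def access_for(bind_dn, target_dn, rules=ACCESS_RULES):
    """First matching 'by' clause wins, as in slapd; returns (who, level).
    DN equality is a simplified case-insensitive compare."""
    for who, value, level in rules:
        if who == "dn" and bind_dn.lower() == value.lower():
            return who, level
        if who == "self" and bind_dn.lower() == target_dn.lower():
            return who, level
        if who == "*":
            return who, level
    return "none", "none"


if __name__ == "__main__":
    p = "ldapreplicator@HRNET.DE"
    print(sasl_auth_dn(p))
    print(effective_dn(p))
    print(access_for(effective_dn(p), "uid=harry,ou=ldap,o=myorganization,dc=hrnet,dc=de"))
```

Running it shows the point worth checking in the configuration: once the saslRegexp has rewritten the identity to `uid=ldapreplicator,ou=ldap,...`, the `by dn="uid=ldapreplicator,cn=HRNET.DE,cn=GSSAPI,cn=auth"` clause never matches, and the replicator falls through to `by self write` on its own entry and `by * read` everywhere else. The `by dn=` clause would have to name the mapped DN (or the regexp would have to be dropped for that user) for the intended rule to apply.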