[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Anonymously binding despite '-U ....' to ldapsearch



* Howard Chu (hyc@highlandsun.com) wrote:
> I suppose it would be too obvious to presume that your users in different
> parts of your tree are also using different Kerberos realms. If they do have
> different realms, then the solution is trivial:

I brought up that question two days ago also, though my post to the list
didn't appear to go out until today.  It would seem there is some
problem with this mailing list.  Do you know if it's being worked on?

Back to the original question though: It would be very nice to have some
mechanism for non-trivial SASL DN to LDAP DN mappings.

> and hope no conflicts occur... Obviously the correct thing to do is to make
> enforce a 1-to-1 mapping of LDAP DNs to Kerberos principals.

I contend that while doing this will work around the issue at hand it is
not necessairly the 'correct' thing to do.  OpenLDAP lacks a method for
performing a non-trivial mapping from SASL DN to LDAP DN.  Having such
an addition would be useful and would allow much greater flexability for
organizations.

	Stephen

Attachment: pgp5T8tGJgnPI.pgp
Description: PGP signature