* Howard Chu (hyc@highlandsun.com) wrote:
> I suppose it would be too obvious to presume that your users in different
> parts of your tree are also using different Kerberos realms. If they do have
> different realms, then the solution is trivial:

I brought up that question two days ago also, though my post to the list didn't appear to go out until today. It would seem there is some problem with this mailing list. Do you know if it's being worked on?

Back to the original question though: It would be very nice to have some mechanism for non-trivial SASL DN to LDAP DN mappings.

> and hope no conflicts occur... Obviously the correct thing to do is to make
> enforce a 1-to-1 mapping of LDAP DNs to Kerberos principals.

I contend that while doing this will work around the issue at hand it is not necessarily the 'correct' thing to do. OpenLDAP lacks a method for performing a non-trivial mapping from SASL DN to LDAP DN. Having such an addition would be useful and would allow much greater flexibility for organizations.

Stephen