Re: Anonymously binding despite '-U ....' to ldapsearch
>>>>> "Howard" == Howard Chu <hyc@highlandsun.com> writes:
Howard> I suppose it would be too obvious to presume that your
Howard> users in different parts of your tree are also using
Howard> different Kerberos realms.
You wish! :) I've thought about it, but multiple realms on the same
host sounded too complex for 100 users (system will NEVER be bigger
than perhaps 500 users)...
Howard> If they aren't in unique realms, you have a problem,
Howard> because you would be mapping names from a single Kerberos
Howard> namespace into multiple LDAP namespaces, and you have no
Howard> way to resolve the conflict if the same uid appears in
Howard> multiple LDAP DNs.
Hmm... That's a problem I've been thinking about for a while now.
I have three 'Peter <something>' on the system, and they all like
to have 'peter' as login, but "naturally" only one can (my brother :).
Is there any (easy) way to have multiple realms in the same database
(don't want different ports and such)?
Howard> With only a single Kerberos realm, you can do
Howard> sasl-regexp uid=(.*),cn=bayour.com,cn=gssapi,cn=auth
Howard> ldap:///dc=com??sub?(uid=$1)
But that REQUIRES that the user exists (?). Maybe it's a good thing, but
my first attempt (directly mapping to where I'm located in the tree)
works even if I don't have an object...
Oki, that regexp works fine. Thanx... Now all I have to do is really
stress-test it more, and maybe I can replace my OpenLDAP 2.0 production
servers eventually :)
--
Qaddafi Ortega DES explosion domestic disruption Soviet Cuba
fissionable tritium cracking Saddam Hussein Rule Psix class struggle
genetic North Korea
[See http://www.aclu.org/echelonwatch/index.html for more about this]
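The difference the thread turns on (a literal sasl-regexp target that "works even if I don't have an object" versus an ldap:/// search target that needs the entry to exist, and that fails when the same uid appears in more than one DN) is easy to see with a small simulation. The following is an added example written for this page, not code from the thread or from OpenLDAP: it rebuilds the authorization identity slapd derives from a GSSAPI bind (uid=<user>,cn=<realm>,cn=gssapi,cn=auth), applies the regexp Howard quoted, and for search-style targets enforces slapd's rule that the search must return exactly one entry. The in-memory directory, the entry names and the literal "first attempt" replacement (uid=$1,ou=people,dc=bayour,dc=com) are constructed for illustration; lowercasing the realm and anchoring the pattern with a full match are assumptions made to line up with the regexp on the page. (In OpenLDAP releases after 2.1 the directive is spelled authz-regexp; sasl-regexp is kept as an alias.)

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample directory (not from the thread): two subtrees under
# dc=com, with uid=peter present once in each, plus one unique uid=anna.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=peter,ou=people,dc=bayour,dc=com": {"uid": ["peter"], "cn": ["Peter A"]},
    "uid=anna,ou=people,dc=bayour,dc=com": {"uid": ["anna"], "cn": ["Anna B"]},
    "uid=peter,ou=people,dc=example,dc=com": {"uid": ["peter"], "cn": ["Peter C"]},
}

# The rule quoted on the page: search dc=com subtree for the uid.
SEARCH_RULE: Tuple[str, str] = (
    r"uid=(.*),cn=bayour.com,cn=gssapi,cn=auth",
    "ldap:///dc=com??sub?(uid=$1)",
)
# The poster's "first attempt": rewrite straight to a DN (assumed suffix).
LITERAL_RULE: Tuple[str, str] = (
    r"uid=(.*),cn=bayour.com,cn=gssapi,cn=auth",
    "uid=$1,ou=people,dc=bayour,dc=com",
)


def sasl_authzid(principal: str) -> str:
    """Authorization identity slapd builds for a GSSAPI bind with
    principal user@REALM; realm lowercased to match the page's regexp."""
    user, realm = principal.split("@", 1)
    return f"uid={user},cn={realm.lower()},cn=gssapi,cn=auth"


def _expand(replacement: str, m: "re.Match[str]") -> str:
    """Substitute $1, $2, ... with the groups captured by the pattern."""
    return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), replacement)


def _search(url: str, directory: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Tiny evaluator for ldap:///<base>?<attrs>?<scope>?<filter> with a
    single equality filter and 'base' or 'sub' scope; returns matching DNs."""
    base, _attrs, scope, flt = url[len("ldap:///"):].split("?", 3)
    fm = re.fullmatch(r"\((\w+)=([^)]*)\)", flt)
    if not fm or scope not in ("base", "sub"):
        raise ValueError(f"unsupported URL in this simulation: {url}")
    attr, value = fm.group(1), fm.group(2).lower()
    base_l = base.lower()
    hits = []
    for dn, entry in directory.items():
        dn_l = dn.lower()
        in_scope = dn_l == base_l or (scope == "sub" and dn_l.endswith("," + base_l))
        if in_scope and value in (v.lower() for v in entry.get(attr, [])):
            hits.append(dn)
    return hits


def map_identity(authzid: str, pattern: str, replacement: str,
                 directory: Dict[str, Dict[str, List[str]]]) -> Optional[str]:
    """Apply one sasl-regexp rule.  A literal replacement becomes the DN
    with no lookup at all; an ldap:/// replacement is searched and is
    accepted only when exactly one entry matches (zero or many -> None)."""
    m = re.fullmatch(pattern, authzid)
    if not m:
        return None
    target = _expand(replacement, m)
    if not target.startswith("ldap:///"):
        return target
    hits = _search(target, directory)
    return hits[0] if len(hits) == 1 else None


def resolve(principal: str, rule: Tuple[str, str],
            directory: Dict[str, Dict[str, List[str]]] = DIRECTORY) -> Optional[str]:
    """Kerberos principal -> authzid -> mapped DN (or None if unresolvable)."""
    return map_identity(sasl_authzid(principal), rule[0], rule[1], directory)


if __name__ == "__main__":
    for who in ("anna@BAYOUR.COM", "peter@BAYOUR.COM", "nobody@BAYOUR.COM"):
        print(f"{who:18} search  -> {resolve(who, SEARCH_RULE)}")
        print(f"{who:18} literal -> {resolve(who, LITERAL_RULE)}")
```

Running it shows why Howard's warning matters: anna resolves under both rules, the unknown principal "nobody" resolves only under the literal rule (to a DN with no entry behind it), and "peter" resolves under the literal rule but not under the search rule, because two entries under dc=com carry uid=peter and slapd refuses an ambiguous mapping rather than guessing. Narrowing the search base, or keeping uids unique across the whole tree, is what makes the search-style rule usable when realms are shared.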