
RE: Anonymously binding despite '-U ....' to ldapsearch



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Turbo Fredriksson

> Is there any (easy) way to have multiple realms in the same database
> (don't want different ports and such)?

Sure. The Heimdal database can record principals from any number of realms.
In Kerberos 5 the realm name the client wants is part of the authentication
handshake, so the KDC can distinguish them easily enough. (Kerberos 4 would
be a problem.)
>
>     Howard> With only a single Kerberos realm, you can do
>
>     Howard> sasl-regexp uid=(.*),cn=bayour.com,cn=gssapi,cn=auth
>     Howard> ldap:///dc=com??sub?(uid=$1)
>
> But that REQUIRES that the user exists (?). Maybe it's a good thing, but
> my first attempt (directly mapping to where I'm located in the tree)
> works even if I don't have an object...

Yes. It also actually executes a search, which may be slow, while the direct
mapping is fast. Of course, if you have uid indexed, and you only expect
about 100-500 users anyway, I'm sure it will be fast enough either way.
>
> Oki, that regexp works fine. Thanx... Now all I have to do is really
> stress-test it more, and maybe I can replace my OpenLDAP 2.0 production
> servers eventually :)

The 2.1 servers stand up to quite a lot more load than the 2.0 servers...

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
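The two sasl-regexp styles discussed in this thread behave differently for a principal that has no entry in the directory: the direct DN template hands out a DN to every authenticated principal of the realm, while the LDAP-URL form only maps identities that resolve to exactly one existing entry. The following Python emulation is an added example (it is not code from the post or from OpenLDAP's slapd); the `uid=$1,ou=people,dc=bayour,dc=com` template, the sample entries and the simplified search are all constructed assumptions, so the values are illustrative only.

```python
import re

# Constructed sample entries standing in for the dc=com tree (not real data).
DIRECTORY = {
    "uid=turbo,ou=people,dc=bayour,dc=com": {"uid": "turbo"},
    "uid=alice,ou=people,dc=bayour,dc=com": {"uid": "alice"},
}

# The SASL identity slapd builds for a GSSAPI bind from realm BAYOUR.COM:
#   uid=<principal>,cn=bayour.com,cn=gssapi,cn=auth
AUTHZID_PATTERN = re.compile(r"^uid=(.*),cn=bayour\.com,cn=gssapi,cn=auth$")


def escape_filter_value(value):
    """Escape RFC 4515 filter metacharacters so a principal name cannot
    change the shape of the search filter it is substituted into."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
                   for ch in value)


def direct_mapping(authzid):
    """Direct sasl-regexp: the replacement is a DN template (assumed here):
         sasl-regexp uid=(.*),cn=bayour.com,cn=gssapi,cn=auth
                     uid=$1,ou=people,dc=bayour,dc=com
    No lookup happens, so every principal of the realm gets a DN, whether
    or not an entry with that DN exists."""
    m = AUTHZID_PATTERN.match(authzid)
    if not m:
        return None
    return "uid=%s,ou=people,dc=bayour,dc=com" % m.group(1)


def parse_ldap_url(url):
    """Split 'ldap:///base?attrs?scope?filter' into its four parts."""
    if not url.startswith("ldap:///"):
        raise ValueError("only host-less ldap:/// URLs are handled here")
    parts = url[len("ldap:///"):].split("?")
    parts += [""] * (4 - len(parts))
    base, attrs, scope, flt = parts[:4]
    return base, attrs, scope or "base", flt


def emulated_search(base, scope, flt):
    """Emulate a subtree equality search over DIRECTORY. Only a single
    '(attr=value)' equality filter is supported; entry values are escaped
    the same way as the filter value before comparison, so a literal '*'
    in a principal name never turns into a wildcard (wildcards are not
    modelled at all)."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", flt)
    if not m or scope != "sub":
        return []
    attr, want = m.group(1), m.group(2)
    return [dn for dn, entry in DIRECTORY.items()
            if dn.lower().endswith(base.lower())
            and attr in entry and escape_filter_value(entry[attr]) == want]


def search_mapping(authzid):
    """Search-based sasl-regexp, as quoted in the post:
         sasl-regexp uid=(.*),cn=bayour.com,cn=gssapi,cn=auth
                     ldap:///dc=com??sub?(uid=$1)
    The replacement is an LDAP URL; the server runs that search and binds
    the client as the one entry it returns. Zero or several hits mean the
    mapping fails and the identity is left unmapped."""
    m = AUTHZID_PATTERN.match(authzid)
    if not m:
        return None
    url = "ldap:///dc=com??sub?(uid=%s)" % escape_filter_value(m.group(1))
    base, _attrs, scope, flt = parse_ldap_url(url)
    hits = emulated_search(base, scope, flt)
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    for principal in ("turbo", "ghost", "*"):
        authzid = "uid=%s,cn=bayour.com,cn=gssapi,cn=auth" % principal
        print("%-6s direct: %-40s search: %s" % (
            principal, direct_mapping(authzid), search_mapping(authzid)))
```

Running it shows the trade-off Howard describes: `ghost` gets a DN from the direct template but nothing from the search form, and a principal that does not belong to the `bayour.com` realm is rejected by both rules because the regexp anchors on the realm component of the SASL identity.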