Re: ACL/ACI && SASL
Turbo Fredriksson wrote:
"Quanah" == Quanah Gibson-Mount <quanah@stanford.edu> writes:
Quanah> We use
Quanah> Kerberos V5 extensively, and make use of krb5PrincipalName
Quanah> to do the mappings you are talking about, which indeed
Quanah> allows us to have more flexible ACL's.
Could you give me some ACL/ACI examples on how you have set it up?
We do exactly the same. You need to use a saslregexp to translate the
Kerberos SASL identity into an LDAP username - we use:
saslRegexp uid=(.*),cn=(.*),cn=GSSAPI,cn=auth \
ldap:///dc=inf,dc=ed,dc=ac,dc=uk??sub?krbName=$1@$2
(We're storing a user's Kerberos principal in the krbName attribute)
Quanah> I will note that for the servers, you will want to compile
Quanah> them against Heimdal K5 and NOT MIT Kerberos V5 if you are
Quanah> using threads, as your servers will not be stable
Quanah> otherwise. ;) For clients, it doesn't really matter too
Quanah> much.
We've patched Cyrus SASL 1.x locally to add support for a mutex around
GSSAPI operations. Providing that _every_ GSSAPI operation is mutex
protected, slapd seems to run fine with MIT Kerberos. I'm happy to make
the patch available to anyone who's interested.
Cheers,
Simon.
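To make the saslRegexp mapping in Simon's mail concrete, here is a small added example (not code from the mail or from OpenLDAP itself) that models what the directive does: the SASL authorization identity produced by a GSSAPI bind is matched against the regexp, the capture groups are substituted into the ldap:/// URL, and the resulting search must return exactly one entry whose krbName equals the Kerberos principal. The directory entries, the DNs and the principals are constructed for this example; the `re.fullmatch` requirement and the "exactly one hit or no mapping" rule are this example's own choices, not a statement of how slapd implements the directive.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Mapping rule copied from the saslRegexp line in the mail above.
SASL_REGEXP = r"uid=(.*),cn=(.*),cn=GSSAPI,cn=auth"
LDAP_URL = "ldap:///dc=inf,dc=ed,dc=ac,dc=uk??sub?krbName=$1@$2"

# Constructed sample directory: hypothetical DNs and principals for the demo.
DIRECTORY = [
    {"dn": "uid=alice,ou=people,dc=inf,dc=ed,dc=ac,dc=uk", "krbName": "alice@EXAMPLE.COM"},
    {"dn": "uid=carol,ou=people,dc=inf,dc=ed,dc=ac,dc=uk", "krbName": "carol@EXAMPLE.COM"},
    {"dn": "uid=carol2,ou=staff,dc=inf,dc=ed,dc=ac,dc=uk", "krbName": "carol@EXAMPLE.COM"},
    {"dn": "uid=dave,ou=people,dc=other,dc=org", "krbName": "dave@EXAMPLE.COM"},
]


@dataclass
class SearchSpec:
    base: str
    scope: str
    attr: str
    value: str


def map_sasl_identity(identity: str, pattern: str = SASL_REGEXP,
                      url: str = LDAP_URL) -> Optional[SearchSpec]:
    """Match the SASL identity; on success expand $N in the URL into a search."""
    m = re.fullmatch(pattern, identity)      # whole identity must match (example's choice)
    if m is None:
        return None
    # A callable replacement avoids re-interpreting backslashes in captured text.
    expanded = re.sub(r"\$(\d)", lambda mo: m.group(int(mo.group(1))), url)
    if not expanded.startswith("ldap:///"):
        raise ValueError("only ldap:/// URLs are handled in this example")
    fields = expanded[len("ldap:///"):].split("?")   # base?attrs?scope?filter
    fields += [""] * (4 - len(fields))
    base, _attrs, scope, filt = fields[:4]
    attr, _, value = filt.strip("()").partition("=")  # simple equality filter only
    return SearchSpec(base=base, scope=scope or "base", attr=attr, value=value)


def in_scope(dn: str, base: str, scope: str) -> bool:
    """Scope test on string DNs (no DN normalisation beyond lower-casing)."""
    dn_l, base_l = dn.lower(), base.lower()
    if scope == "base":
        return dn_l == base_l
    if scope == "one":
        return dn_l.endswith("," + base_l) and "," not in dn_l[: -len(base_l) - 1]
    return dn_l == base_l or dn_l.endswith("," + base_l)  # sub


def resolve_dn(identity: str, directory=DIRECTORY) -> Optional[str]:
    """Return the single DN the mapping selects, or None if zero or several match."""
    spec = map_sasl_identity(identity)
    if spec is None:
        return None
    # Principals are compared exactly; Kerberos realms are case-sensitive.
    hits = [e["dn"] for e in directory
            if in_scope(e["dn"], spec.base, spec.scope)
            and e.get(spec.attr) == spec.value]
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    for ident in ("uid=alice,cn=EXAMPLE.COM,cn=GSSAPI,cn=auth",
                  "uid=carol,cn=EXAMPLE.COM,cn=GSSAPI,cn=auth",
                  "uid=dave,cn=EXAMPLE.COM,cn=GSSAPI,cn=auth",
                  "uid=alice,cn=DIGEST-MD5,cn=auth"):
        print(ident, "->", resolve_dn(ident))
```

Two things the run makes visible that the one-line directive does not: an entry outside the base DN (dave) or a principal stored on more than one entry (carol) yields no mapping, so the bind falls back to the unmapped SASL DN and the ACLs written for mapped users do not apply; and because both captures are the unanchored `(.*)` from the mail, an identity carrying extra `cn=` components is still accepted, with the surplus text absorbed into the uid capture and therefore into the krbName value searched for.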