
RE: sasl UID mapping





--On Sunday, January 18, 2004 3:51 AM +0000 Paul Jakma <paul@clubi.ie> wrote:

Paul,

I'm going to give you a helping hand. :)

We use GSSAPI to auth to our servers.

Here is our SASL regexp:

sasl-regexp uid=(.*),cn=(.*),cn=gssapi,cn=auth ldaps:///cn=People,dc=stanford,dc=edu??sub?krb5PrincipalName=$1@$2

Here's the beginning of our ACL file that allows this to happen without giving read access:

# $Id: slapd.acl,v 1.124 2003/12/18 03:16:42 quanah Exp $
# ACL include file for slapd
#

access to dn.base=""
       by * read

access to dn.base="cn=monitor"
       by * read

access to *
       by group.base="cn=ldapAdmin,cn=Applications,dc=stanford,dc=edu" sasl_ssf=56 read
       by * break


access to attrs=krb5PrincipalName,member,suseasstatus
       by anonymous compare
       by * break

access to attrs=entry
       by * read

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
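
Added example, not part of the original message and not OpenLDAP's code: a small offline checker that applies the sasl-regexp rule quoted above to sample SASL authentication DNs and splits the resulting search URL into base, scope and filter. The sample DNs are constructed, the function names are hypothetical, and matching the pattern against the whole DN case-insensitively is an assumption.

```python
import re
from urllib.parse import unquote

# The rule from the post: (match pattern, replacement URL).
RULE = ("uid=(.*),cn=(.*),cn=gssapi,cn=auth",
        "ldaps:///cn=People,dc=stanford,dc=edu??sub?krb5PrincipalName=$1@$2")

def map_authc_dn(authc_dn, rule=RULE):
    """Return the search URL the rule yields, or None when it does not match."""
    pattern, replacement = rule
    # Assumption: whole-DN, case-insensitive match.
    m = re.fullmatch(pattern, authc_dn, flags=re.IGNORECASE)
    if m is None:
        return None
    # Replace $1..$9 in the replacement with the captured groups.
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)

def split_ldap_url(url):
    """Split scheme://host/base?attrs?scope?filter into named parts."""
    scheme, rest = url.split("://", 1)
    host, _, tail = rest.partition("/")
    parts = (tail.split("?", 3) + ["", "", ""])[:4]
    base, attrs, scope, flt = (unquote(p) for p in parts)
    return {"scheme": scheme, "host": host, "base": base,
            "attrs": attrs, "scope": scope or "base", "filter": flt}

def resolve(authc_dn):
    """Authentication DN -> search parameters, or None if no mapping applies."""
    url = map_authc_dn(authc_dn)
    return None if url is None else split_ldap_url(url)

# Constructed sample authentication DNs (not taken from any real server).
SAMPLES = [
    "uid=jdoe,cn=stanford.edu,cn=gssapi,cn=auth",        # user principal
    "uid=jdoe/admin,cn=stanford.edu,cn=gssapi,cn=auth",  # principal with instance
    "uid=jdoe,cn=gssapi,cn=auth",                        # no realm component
    "uid=jdoe,cn=stanford.edu,cn=digest-md5,cn=auth",    # other mechanism
]

if __name__ == "__main__":
    for dn in SAMPLES:
        # The filter attribute printed here (krb5PrincipalName) is the one the
        # ACL above opens to "anonymous compare" instead of read.
        print(dn, "->", resolve(dn))
```

The last two samples return None: the rule only maps GSSAPI identities that carry a realm component, so any other DN form stays unmapped.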