My config: OpenLDAP 2.2.15, compiled from source; SASL/GSSAPI is functional.

My problem: I am looking to configure SyncRepl replication, using GSSAPI for authentication. In doing so, I have a couple (hopefully) quick SASL + ACL questions:

1) Do I have to map (sasl-regexp) my SASL DN (uid=ldaprep/myldap.uconn.edu,cn=uconn.edu,cn=gssapi,cn=auth) to a local DN (uid=ldaprep,ou=accounts,dc=uconn,dc=edu) to use in ACLs, or can I simply use uid=ldaprep/myldap.uconn.edu,cn=uconn.edu,cn=gssapi,cn=auth in the "by" clause of an ACL?

2) In relation to #1, if I want to use a "by group=" clause as follows:

    by group="cn=DirectoryReplicators,ou=groups,dc=uconn,dc=edu" read

can I simply add uid=ldaprep/myldap.uconn.edu,cn=uconn.edu,cn=gssapi,cn=auth as a member of DirectoryReaders, or do I have to map (sasl-regexp) to a local DN, and add that DN as a member?

I do see many examples on the web where replication with GSSAPI authn is configured, using sasl-regexp to map the SASL DN to a local DN, but I would like to avoid the extra local DN and mapping if possible to reduce the (admittedly minor) complexity.

Any insight is greatly appreciated! If any clarification is needed, please ask.

-Matt

--
Matthew J. Smith <matt.smith@uconn.edu>
University of Connecticut ITS
PGP Key: http://web.uconn.edu/dotmatt/matt.asc
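For readers comparing the two approaches the post weighs, here is an added slapd.conf fragment (not part of the original message, and not a verified answer to it) showing, side by side, an ACL that names the unmapped GSSAPI authorization DN directly and the sasl-regexp mapping to a local DN plus a group-based ACL. The DNs, realm and group names are taken from the post; the regexp, the `ou=accounts` entry, and the `dc=uconn,dc=edu` database being the one under replication are assumptions. Which approach is appropriate is exactly what the post asks; this fragment only makes the two configurations concrete, and the sasl-regexp match must be checked against the DN that slapd actually logs for the GSSAPI bind (it is the `cn=gssapi,cn=auth` form, with the realm lower-cased as in the post).

```conf
# Added illustration of the two ACL approaches discussed in the post.
# Directive names are OpenLDAP 2.2's (sasl-regexp, dn.exact, by group=).

# --- Approach A: no mapping; grant read to the SASL authorization DN as-is.
# The identity slapd derives from the GSSAPI principal ldaprep/myldap.uconn.edu
# in realm UCONN.EDU is the DN quoted in the post.
access to *
    by dn.exact="uid=ldaprep/myldap.uconn.edu,cn=uconn.edu,cn=gssapi,cn=auth" read
    by * break

# --- Approach B: map the SASL DN to a local entry, then use a group ACL.
# The regexp (an assumption) captures the principal's primary component before
# the "/" so that ldaprep/<host> maps to uid=ldaprep; the instance part is
# discarded. Adjust if several hosts must map to distinct entries.
sasl-regexp
    "uid=([^/,]+)/[^,]+,cn=uconn.edu,cn=gssapi,cn=auth"
    "uid=$1,ou=accounts,dc=uconn,dc=edu"

# Group membership is then expressed with the local DN; the group entry
# cn=DirectoryReplicators is assumed to be a groupOfNames whose member
# attribute contains uid=ldaprep,ou=accounts,dc=uconn,dc=edu.
access to *
    by group="cn=DirectoryReplicators,ou=groups,dc=uconn,dc=edu" read
    by * break
```

A practical way to see which DN the ACL evaluation is actually comparing against is to raise slapd's log level to include ACL processing (`loglevel 128` in slapd.conf, which is OpenLDAP's ACL tracing level) and bind once with `ldapwhoami -Y GSSAPI`; the reported authorization DN is the string that either `dn.exact=` or the group's `member` value must match character for character, so with Approach A the `/` and the `cn=auth` suffix have to appear in the ACL exactly as slapd prints them.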