
SASL & ACLs

My config:
OpenLDAP 2.2.15, compiled from source
SASL/GSSAPI is functional

My problem:  I am looking to configure SyncRepl replication, using
GSSAPI for authentication.  In doing so, I have a couple (hopefully)
quick SASL + ACL questions:

1) Do I have to map (sasl-regexp) my SASL DN
(uid=ldaprep/myldap.uconn.edu,cn=uconn.edu,cn=gssapi,cn=auth) to a local
DN (uid=ldaprep,ou=accounts,dc=uconn,dc=edu) to use in ACLs, or can I
simply use uid=ldaprep/myldap.uconn.edu,cn=uconn.edu,cn=gssapi,cn=auth
in the "by" clause of an ACL?

2)  In relation to #1, if I want to use a "by group=" clause as follows:

by group="cn=DirectoryReplicators,ou=groups,dc=uconn,dc=edu" read

can I simply add
uid=ldaprep/myldap.uconn.edu,cn=uconn.edu,cn=gssapi,cn=auth as a member
of DirectoryReaders, or do I have to map (sasl-regexp) to a local DN,
and add that DN as a member?

I do see many examples on the web where replication with GSSAPI authn is
configured, using sasl-regexp to map the SASL DN to a local DN, but I
would like to avoid the extra local DN and mapping if possible to reduce
the (admittedly minor) complexity.

Any insight is greatly appreciated!  If any clarification is needed,
please ask.
-Matt

-- 
Matthew J. Smith <matt.smith@uconn.edu>
University of Connecticut ITS
PGP Key: http://web.uconn.edu/dotmatt/matt.asc
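An added slapd.conf sketch (not part of Matt's post) of the two approaches the questions weigh, in OpenLDAP 2.2 syntax: naming the GSSAPI-derived SASL DN directly in a "by" clause, and mapping it with sasl-regexp to a local entry that is then listed in the group. The suffix, the ou=accounts container and the group DN are taken from the post; the attribute scope of the ACLs and the one-level search in the mapping are assumptions for illustration.

```conf
# Option A: use the SASL DN as produced by the GSSAPI bind directly.
# slapd compares that DN string against the "by dn" clause, so no
# local entry is required for a plain dn-based rule.
# (Whether the same unmapped cn=auth DN is honoured as a group member
# value is the open question in the post; it is not settled here.)
access to dn.subtree="dc=uconn,dc=edu"
    by dn.exact="uid=ldaprep/myldap.uconn.edu,cn=uconn.edu,cn=gssapi,cn=auth" read
    by * break

# Option B: map the SASL DN onto an existing local entry.
# $1 captures the primary component of the principal (here "ldaprep");
# the ldap:/// form runs a search and maps only when exactly one entry
# matches, which keeps the mapping from silently picking a wrong user.
sasl-regexp
    uid=([^/]*)/myldap.uconn.edu,cn=uconn.edu,cn=gssapi,cn=auth
    ldap:///ou=accounts,dc=uconn,dc=edu??one?(uid=$1)

# With the mapping in place, the bind DN becomes
# uid=ldaprep,ou=accounts,dc=uconn,dc=edu, so that DN (not the
# cn=auth form) is what must appear as a member of the group.
access to dn.subtree="dc=uconn,dc=edu"
    by group="cn=DirectoryReplicators,ou=groups,dc=uconn,dc=edu" read
    by * break
```

Keeping "by * break" lets the surrounding ACLs still apply to everyone else; replace it with the restrictive default you actually want for the rest of the tree.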
