
Re: SASL & ACLs



Quanah Gibson-Mount wrote:

--On Tuesday, August 17, 2004 11:57 AM -0400 "Matthew J. Smith" <matt.smith@uconn.edu> wrote:

My config:
OpenLDAP 2.2.15, compiled from source
SASL/GSSAPI is functional

My problem:  I am looking to configure SyncRepl replication, using
GSSAPI for authentication.  In doing so, I have a couple (hopefully)
quick SASL + ACL questions:

1) Do I have to map (sasl-regexp) my SASL DN
(uid=ldaprep/myldap.uconn.edu,cn=uconn.edu,cn=gssapi,cn=auth) to a local
DN (uid=ldaprep,ou=accounts,dc=uconn,dc=edu) to use in ACLs, or can I
simply use uid=ldaprep/myldap.uconn.edu,cn=uconn.edu,cn=gssapi,cn=auth
in the "by" clause of an ACL?


You must map it.

No. It's recommended that all your SASL DNs be mapped to existing entries in your directory, but it's not required. The SASL DN is still a legal DN after all. If you understand what you're doing, go ahead and use it.
--


 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support
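Added example, not part of the thread or of OpenLDAP's own code: a small Python model of how a `sasl-regexp` mapping and an ACL `by dn.exact` clause interact, run over two constructed slapd.conf fragments that spell out the two options discussed above (map the GSSAPI authcDN to `uid=ldaprep,ou=accounts,dc=uconn,dc=edu`, or name the raw `cn=gssapi,cn=auth` DN in the ACL). The regex, the `dn.subtree` target, case-insensitive DN comparison standing in for slapd's normalization, and "no access when nothing matches" are all assumptions of this model; the directive was later renamed `authz-regexp` in OpenLDAP 2.3, but the 2.2 spelling from the question is used here.

```python
import re

# Constructed sample identities: the SASL authcDN slapd derives from the GSSAPI
# principal, and the local entry the thread proposes mapping it to.
SASL_DN = "uid=ldaprep/myldap.uconn.edu,cn=uconn.edu,cn=gssapi,cn=auth"
LOCAL_DN = "uid=ldaprep,ou=accounts,dc=uconn,dc=edu"

# Constructed slapd.conf fragment, option 1: map the SASL DN to the local entry
# with sasl-regexp ($1 is the captured service name), then grant the local DN.
MAPPED_CONF = r"""
sasl-regexp
    uid=([^/,]+)/myldap\.uconn\.edu,cn=uconn\.edu,cn=gssapi,cn=auth
    uid=$1,ou=accounts,dc=uconn,dc=edu
access to dn.subtree="dc=uconn,dc=edu"
    by dn.exact="uid=ldaprep,ou=accounts,dc=uconn,dc=edu" read
    by * none
"""

# Constructed fragment, option 2: no mapping; the SASL DN itself is the <who>.
UNMAPPED_CONF = r"""
access to dn.subtree="dc=uconn,dc=edu"
    by dn.exact="uid=ldaprep/myldap.uconn.edu,cn=uconn.edu,cn=gssapi,cn=auth" read
    by * none
"""

# A token is a run of unquoted characters and/or "quoted" segments.
_TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')


def _logical_lines(conf_text):
    """Join slapd.conf continuation lines (leading whitespace) onto their directive."""
    lines = []
    for raw in conf_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines


def parse_conf(conf_text):
    """Return ([(regex, replacement)], [(what, [(who, level), ...])]); only the
    sasl-regexp and access directives are understood, others are ignored."""
    regexps, acls = [], []
    for line in _logical_lines(conf_text):
        tokens = [t.replace('"', "") for t in _TOKEN.findall(line)]
        if tokens[0] == "sasl-regexp" and len(tokens) == 3:
            regexps.append((tokens[1], tokens[2]))
        elif tokens[:2] == ["access", "to"] and len(tokens) >= 6:
            rest = tokens[3:]          # repeated "by <who> <level>" groups
            by_clauses = []
            for i in range(0, len(rest), 3):
                if rest[i] != "by" or i + 2 >= len(rest):
                    raise ValueError("malformed access directive: " + line)
                by_clauses.append((rest[i + 1], rest[i + 2]))
            acls.append((tokens[2], by_clauses))
    return regexps, acls


def map_sasl_dn(authc_dn, regexps):
    """Apply the first matching sasl-regexp. With no match the SASL DN is kept
    as-is, which is the 'unmapped but still a legal DN' case from the reply."""
    for pattern, replacement in regexps:
        m = re.fullmatch(pattern, authc_dn, re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return authc_dn


def _what_matches(what, target_dn):
    if what == "*":
        return True
    if what.startswith("dn.subtree="):
        base, dn = what[len("dn.subtree="):].lower(), target_dn.lower()
        return dn == base or dn.endswith("," + base)
    raise ValueError("unsupported <what> in this model: " + what)


def _who_matches(who, bind_dn):
    if who == "*":
        return True
    if who.startswith("dn.exact="):
        # Assumption: case-insensitive equality stands in for slapd's DN normalization.
        return who[len("dn.exact="):].lower() == bind_dn.lower()
    raise ValueError("unsupported <who> in this model: " + who)


def acl_grants(acls, target_dn, bind_dn):
    """The first access directive whose <what> matches decides; inside it the
    first matching by clause wins and no matching by clause means no access."""
    for what, by_clauses in acls:
        if _what_matches(what, target_dn):
            for who, level in by_clauses:
                if _who_matches(who, bind_dn):
                    return level
            return "none"
    return "none"  # model simplification for targets no directive covers


def replication_access(conf_text, authc_dn, target_dn):
    """Identity the ACLs are evaluated under, and the access it gets to target_dn."""
    regexps, acls = parse_conf(conf_text)
    bind_dn = map_sasl_dn(authc_dn, regexps)
    return bind_dn, acl_grants(acls, target_dn, bind_dn)


if __name__ == "__main__":
    target = "ou=people,dc=uconn,dc=edu"
    for label, conf in (("mapped", MAPPED_CONF), ("unmapped", UNMAPPED_CONF)):
        bind_dn, level = replication_access(conf, SASL_DN, target)
        print(f"{label:8s} evaluates as {bind_dn} -> {level}")
    # Another principal from the same realm is not the replication identity.
    print(replication_access(UNMAPPED_CONF, "uid=alice,cn=uconn.edu,cn=gssapi,cn=auth", target))
```

Both fragments give the replication identity read access, which is the point of the reply: the unmapped DN is matched by `dn.exact` like any other DN. The check worth keeping in mind is that with the unmapped form the slashed `uid` component is the only thing separating the service principal from every other `cn=gssapi,cn=auth` identity in the realm, so an exact match (not a regex that forgets the `/host` part) is what keeps other principals from inheriting the replication rights.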