[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SASL & ACLs

To: OpenLDAP software list <openldap-software@OpenLDAP.org>
Subject: Re: SASL & ACLs
From: Howard Chu <hyc@symas.com>
Date: Tue, 17 Aug 2004 10:59:36 -0700
Cc: matt.smith@uconn.edu
In-reply-to: <7C20A8E3698A13EC493F5CE7@cadabra.stanford.edu>
References: <1092758250.7829.56.camel@d80h243> <7C20A8E3698A13EC493F5CE7@cadabra.stanford.edu>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a2) Gecko/20040714

Quanah Gibson-Mount wrote:

--On Tuesday, August 17, 2004 11:57 AM -0400 "Matthew J. Smith" <matt.smith@uconn.edu> wrote:

My config:
OpenLDAP 2.2.15, compiled from source
SASL/GSSAPI is functional

My problem:  I am looking to configure SyncRepl replication, using
GSSAPI for authentication.  In doing so, I have a couple (hopefully)
quick SASL + ACL questions:

1) Do I have to map (sasl-regexp) my SASL DN
(uid=ldaprep/myldap.uconn.edu,cn=uconn.edu,cn=gssapi,cn=auth) to a local
DN (uid=ldaprep,ou=accounts,dc=uconn,dc=edu) to use in ACLs, or can I
simply use uid=ldaprep/myldap.uconn.edu,cn=uconn.edu,cn=gssapi,cn=auth
in the "by" clause of an ACL?

You must map it.

No. It's recommended that all your SASL DNs be mapped to existing entries in your directory, but it's not required. The SASL DN is still a legal DN after all. If you understand what you're doing, go ahead and use it. --

 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support

Follow-Ups:
- Re: SASL & ACLs
  - From: "Matthew J. Smith" <matt.smith@uconn.edu>

References:
- SASL & ACLs
  - From: "Matthew J. Smith" <matt.smith@uconn.edu>
- Re: SASL & ACLs
  - From: Quanah Gibson-Mount <quanah@stanford.edu>

Prev by Date: Re: SASL & ACLs
Next by Date: Re: SASL & ACLs
Index(es):
- Chronological
- Thread