On Tue, 2004-08-17 at 13:59, Howard Chu wrote:
> Quanah Gibson-Mount wrote:
>
> > --On Tuesday, August 17, 2004 11:57 AM -0400 "Matthew J. Smith"
> > <matt.smith@uconn.edu> wrote:
> >
> > > My config:
> > > OpenLDAP 2.2.15, compiled from source
> > > SASL/GSSAPI is functional
> > >
> > > My problem: I am looking to configure SyncRepl replication, using
> > > GSSAPI for authentication. In doing so, I have a couple (hopefully)
> > > quick SASL + ACL questions:
> > >
> > > 1) Do I have to map (sasl-regexp) my SASL DN
> > > (uid=ldaprep/myldap.uconn.edu,cn=uconn.edu,cn=gssapi,cn=auth) to a local
> > > DN (uid=ldaprep,ou=accounts,dc=uconn,dc=edu) to use in ACLs, or can I
> > > simply use uid=ldaprep/myldap.uconn.edu,cn=uconn.edu,cn=gssapi,cn=auth
> > > in the "by" clause of an ACL?
> >
> > You must map it.
>
> No. It's recommended that all your SASL DNs be mapped to existing
> entries in your directory, but it's not required. The SASL DN is still a
> legal DN after all. If you understand what you're doing, go ahead and
> use it.

Thank you both for your answers so far -- I have found posts by you two
dating back to ~2000 very helpful.

So, to follow up -- assuming I do not want to map the DN if it is possible:
will a group ACL (by group="...") referencing a group containing the
unmapped SASL DN as a member be properly resolved and applied, or does the
mapping need to be done for this resolution to properly occur?

I appreciate the help,
-Matt

--
Matthew J. Smith <matt.smith@uconn.edu>
University of Connecticut ITS
PGP Key: http://web.uconn.edu/dotmatt/matt.asc
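The two options discussed in the thread, written out as an added slapd.conf fragment (not from any of the posters): the first block uses the unmapped GSSAPI SASL DN directly in an ACL "by" clause, as Howard Chu says is legal; the second block shows the sasl-regexp mapping Quanah recommends, so that ACLs can refer to a real directory entry instead. The DNs are the ones quoted in the message; the suffix, the "ou=accounts" container and the replica's read scope are assumptions for illustration. Whether a "by group=" clause resolves an unmapped SASL DN as a group member is the question still open in the thread, so that case is deliberately not shown.

```conf
# --- Option A: use the SASL authorization DN directly (no mapping) ---
# The GSSAPI identity ldaprep/myldap.uconn.edu@UCONN.EDU binds as the
# SASL DN below. It is a syntactically valid DN, so it can appear in an
# ACL even though no entry with that DN exists in the directory.
# Assumed: the replication consumer only needs read access to the suffix.
access to dn.subtree="dc=uconn,dc=edu"
        by dn.exact="uid=ldaprep/myldap.uconn.edu,cn=uconn.edu,cn=gssapi,cn=auth" read
        by * break

# --- Option B: map the SASL DN onto a real entry, then use that entry ---
# sasl-regexp rewrites the SASL DN to an entry under ou=accounts (assumed
# container). The captured group $1 is the principal's primary component,
# so ldaprep/myldap.uconn.edu becomes uid=ldaprep,ou=accounts,dc=uconn,dc=edu.
# Only this host's service principals match; the regexp is anchored by the
# literal host and realm components that follow the slash.
sasl-regexp
        uid=([^/]*)/myldap\.uconn\.edu,cn=uconn\.edu,cn=gssapi,cn=auth
        uid=$1,ou=accounts,dc=uconn,dc=edu

# With the mapping in place the ACL refers to the directory entry, which
# must exist for the mapping to yield an authorized identity.
access to dn.subtree="dc=uconn,dc=edu"
        by dn.exact="uid=ldaprep,ou=accounts,dc=uconn,dc=edu" read
        by * break
```

After loading either configuration, `ldapwhoami -Y GSSAPI` run with the ldaprep ticket reports the DN slapd will actually evaluate ACLs against (the raw SASL DN under Option A, the mapped entry under Option B), which is the quickest way to confirm that the "by" clause and the effective identity agree before enabling syncrepl.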