[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SASL & ACLs



On Tue, 2004-08-17 at 13:59, Howard Chu wrote:
> Quanah Gibson-Mount wrote:
> 
> > --On Tuesday, August 17, 2004 11:57 AM -0400 "Matthew J. Smith" 
> > <matt.smith@uconn.edu> wrote:
> >
> >> My config:
> >> OpenLDAP 2.2.15, compiled from source
> >> SASL/GSSAPI is functional
> >>
> >> My problem:  I am looking to configure SyncRepl replication, using
> >> GSSAPI for authentication.  In doing so, I have a couple (hopefully)
> >> quick SASL + ACL questions:
> >>
> >> 1) Do I have to map (sasl-regexp) my SASL DN
> >> (uid=ldaprep/myldap.uconn.edu,cn=uconn.edu,cn=gssapi,cn=auth) to a local
> >> DN (uid=ldaprep,ou=accounts,dc=uconn,dc=edu) to use in ACLs, or can I
> >> simply use uid=ldaprep/myldap.uconn.edu,cn=uconn.edu,cn=gssapi,cn=auth
> >> in the "by" clause of an ACL?
> >
> >
> > You must map it.
> 
> No. It's recommended that all your SASL DNs be mapped to existing 
> entries in your directory, but it's not required. The SASL DN is still a 
> legal DN after all. If you understand what you're doing, go ahead and 
> use it.
Thank you both for your answers so far -- I have found posts by you two
dating back to ~2000 very helpful.

So, to follow up -- assuming I do not want to map the DN if it is
possible.  Will a group acl (by group="...") referencing a group
containg the unmapped SASL DN as a member be properly resolved and
applied, or does the mapping need to be done for this resolution to
properly occur?

I appreciate the help,
-Matt
-- 
Matthew J. Smith <matt.smith@uconn.edu>
University of Connecticut ITS
PGP Key: http://web.uconn.edu/dotmatt/matt.asc

Attachment: signature.asc
Description: This is a digitally signed message part