
Re: SASL & ACLs





--On Tuesday, August 17, 2004 2:46 PM -0400 "Matthew J. Smith" <matt.smith@uconn.edu> wrote:

No. It's recommended that all your SASL DNs be mapped to existing
entries in your directory, but it's not required. The SASL DN is still a
legal DN after all. If you understand what you're doing, go ahead and
use it.
Thank you both for your answers so far -- I have found posts by you two
dating back to ~2000 very helpful.

So, to follow up -- assuming I do not want to map the DN if it is
possible. Will a group ACL (by group="...") referencing a group
containing the unmapped SASL DN as a member be properly resolved and
applied, or does the mapping need to be done for this resolution to
properly occur?

Hm, well, I've never tested that, but since it is a valid DN, and the group membership for a static group is by DN, I'd assume it would work.


This gets off into an interesting side-bar on group memberships in general though, if one ponders things like automatic addition of "memberOf" attributes to DNs when they are added to groups -- what do you do if the DN doesn't exist in the DB as an entry because it is being done in this method?

In my dev environment, I do use a group for syncrepl, but the DNs also exist in the DB in my case. My intention was to use this as a way of keeping my environments from accidentally talking to the wrong master if they got configured wrong.

--Quanah


--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
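As an added illustration (not from the thread, and not tested by either poster), here are the two slapd.conf configurations the question contrasts: one that leaves the SASL DN unmapped and lists that DN directly as a member of the static group a `by group=` clause references, and one that maps the SASL identity onto a directory entry with authz-regexp, so the entry's real DN is what the group must list. The suffix dc=example,dc=com, the user matt, the GSSAPI mechanism and the group cn=replicators,ou=groups,dc=example,dc=com (a groupOfNames, the default for `by group=`, whose member attribute holds the DN) are assumed values.

```conf
# Option A: no mapping. The bound identity stays in the SASL form
# uid=<user>,cn=<mechanism>,cn=auth, so that exact DN is the one the
# group must carry in its member attribute.
# Assumed group entry (shown as LDIF):
#   dn: cn=replicators,ou=groups,dc=example,dc=com
#   objectClass: groupOfNames
#   cn: replicators
#   member: uid=matt,cn=gssapi,cn=auth
access to dn.subtree="dc=example,dc=com"
    by group="cn=replicators,ou=groups,dc=example,dc=com" read
    by * none

# Option B: map the SASL identity onto an existing entry. Once this rule
# matches, the bound DN is the entry found by the search, so the group's
# member attribute must hold that entry's DN rather than the cn=auth form.
authz-regexp
    "uid=([^,]*),cn=gssapi,cn=auth"
    "ldap:///ou=people,dc=example,dc=com??one?(uid=$1)"
# Assumed group entry for option B would instead carry:
#   member: uid=matt,ou=people,dc=example,dc=com
```

Only one of the two member values matches the DN slapd actually binds with, so whichever option is chosen, the group entry has to be written for that option; a mismatch fails closed under the `by * none` clause.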