
Re: slurpd question with GSSAPI





--On Thursday, August 26, 2004 4:04 PM +0000 "Derek T. Yarnell" <derek@cs.umd.edu> wrote:

uid=host/torch.cs.umd.edu@CSIC.UMD.EDU,cn=CS.UMD.EDU,cn=GSSAPI,cn=auth

Which by my sasl-regex rules will always get talking to the CS

sasl-regexp     uid=(.*),cn=CS.UMD.EDU,cn=GSSAPI,cn=auth
                ldap:///dc=cs,dc=umd,dc=edu??sub?uid=$1
sasl-regexp     uid=(.*),cn=CSIC.UMD.EDU,cn=GSSAPI,cn=auth
                ldap:///dc=csic,dc=umd,dc=edu??sub?uid=$1

So am I doomed to have to run 2 of them? If so, how can I get around the
problem with the REALMS not having an effect on the sasl-regexp? Also, I
am running 2.2.15; should I be really looking at doing syncrepl? Is there
a good example for syncrepl? That is what the docs are missing on the
site.

I'd suggest fixing your regexp to take the realm into effect. You can make the uid= bit do stuff based on realm.


sasl-regexp uid=webauth/(.*),cn=stanford.edu,cn=gssapi,cn=auth ldaps:///cn=Webauth,cn=Applications,dc=stanford,dc=edu??sub?krb5PrincipalName=webauth/$1@stanford.edu

vs

sasl-regexp uid=(.*)/cgi,cn=stanford.edu,cn=gssapi,cn=auth ldaps:///cn=cgi,cn=applications,dc=stanford,dc=edu??sub?krb5PrincipalName=$1/cgi@stanford.edu


for example.

So you could have something like

uid=(.*)@CSIC.UMD.EDU,cn=CS.UMD.EDU,cn=GSSAPI,cn=auth ..........





--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
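
The rule ordering discussed in this thread, as an added example that is not part of either message and is not OpenLDAP code. It is a simplified model that assumes rules are tried in order with the first match winning and that matching is case-insensitive; the target URI of the realm-aware rule is also an assumption, since the reply leaves it elided.

```python
import re

# Derek's two rules from the thread, in slapd.conf order.
ORIGINAL_RULES = [
    (r"uid=(.*),cn=CS.UMD.EDU,cn=GSSAPI,cn=auth",
     "ldap:///dc=cs,dc=umd,dc=edu??sub?uid=$1"),
    (r"uid=(.*),cn=CSIC.UMD.EDU,cn=GSSAPI,cn=auth",
     "ldap:///dc=csic,dc=umd,dc=edu??sub?uid=$1"),
]

# Realm-aware pattern from the reply, placed first. The reply elides the
# target; the csic search URI used here is an assumption.
REALM_AWARE_RULES = [
    (r"uid=(.*)@CSIC.UMD.EDU,cn=CS.UMD.EDU,cn=GSSAPI,cn=auth",
     "ldap:///dc=csic,dc=umd,dc=edu??sub?uid=$1"),
] + ORIGINAL_RULES


def map_sasl_dn(rules, sasl_dn):
    """Return the search URI produced by the first matching rule, or None."""
    for pattern, target in rules:
        match = re.search(pattern, sasl_dn, re.IGNORECASE)
        if match:
            # Expand $1..$9 in the target with the captured groups.
            return re.sub(r"\$(\d)",
                          lambda ref: match.group(int(ref.group(1))), target)
    return None


# The authentication DN quoted in the thread, plus a constructed local one.
CROSS_REALM_DN = ("uid=host/torch.cs.umd.edu@CSIC.UMD.EDU,"
                  "cn=CS.UMD.EDU,cn=GSSAPI,cn=auth")
LOCAL_DN = "uid=derek,cn=CS.UMD.EDU,cn=GSSAPI,cn=auth"  # constructed sample

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_RULES),
                        ("realm-aware", REALM_AWARE_RULES)):
        for dn in (CROSS_REALM_DN, LOCAL_DN):
            print(f"{name:12} {dn}\n{'':12} -> {map_sasl_dn(rules, dn)}")
```

With the original rules the CSIC principal is searched in the cs tree with the realm still attached to the uid, and the second rule never fires for it because the realm component of the DN is CS.UMD.EDU. Putting the narrower realm-aware pattern ahead of the catch-all keeps an identity from one realm from being resolved against the other realm's subtree.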