FM wrote:
| server openldap 2.2.17, with sasl auth (krb5)
|
| access to dn.regex="^([^,]*,)?ou=[^,]+,(dc=[^,]+(,dc=[^,]+)*)$"
| attrs=posixAccount
| by anonymous auth
| by users read
| by self read
|
| The prob is that if I use id user1 for example, the BIND="" unless I
| hardcode it in ldap.conf.
|
| How can I secure that info?
|
| Is there a way to pass the current DN of the user?
|
| thanks !
What does ldapwhoami say?
I'm not totally clear about what you are trying but note that if using
SASL-GSSAPI you need a rule to transform your SASL binddn to a regular
dn first. This is usually accomplished by a sasl-regexp directive in
slapd.conf like so:
sasl-regexp
uid=([^,]+),cn=([^,]*),cn=gssapi,cn=auth uid=$1,ou=$2,dc=f,dc=b
The first expression is supposed to catch your PrincipalName, the second
the realm (the realm might not be sent by your client if it's the
default realm and thus the first cn= statement is missing in which case
the above regexp will fail).
posixAccount is an objectClass; if I recall correctly it can be
referenced as attrs=@posixAccount. I haven't tested this, though.
hth
~ Paul
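An added Python simulation (not code from the post or from OpenLDAP) of how the sasl-regexp in Paul's reply maps a SASL authorization DN, showing the realm-missing case he warns about and a hypothetical second rule that catches it; the dc=f,dc=b suffix is taken from his example, DEFAULT.REALM is a constructed placeholder, and the rule is applied on a first-match basis, as slapd does with multiple directives.

```python
import re

# Paul's rule in Python regex syntax (\1/\2 stand in for slapd's $1/$2).
RULE_FROM_POST = (r"^uid=([^,]+),cn=([^,]*),cn=gssapi,cn=auth$",
                  r"uid=\1,ou=\2,dc=f,dc=b")

# Hypothetical fallback for a client that omits the realm, so there is no
# cn=<realm> RDN; DEFAULT.REALM is a placeholder for the site's default realm.
FALLBACK_RULE = (r"^uid=([^,]+),cn=gssapi,cn=auth$",
                 r"uid=\1,ou=DEFAULT.REALM,dc=f,dc=b")

# The dn.regex from the access directive quoted in FM's message.
ACL_DN_REGEX = re.compile(r"^([^,]*,)?ou=[^,]+,(dc=[^,]+(,dc=[^,]+)*)$", re.I)


def map_sasl_dn(sasl_dn, rules):
    """Return the DN produced by the first matching rule, or None when no rule
    matches. With no match slapd keeps the raw ...,cn=gssapi,cn=auth DN, which
    is not the user's entry under ou=...,dc=..., so 'by self' never applies."""
    for pattern, replacement in rules:
        m = re.match(pattern, sasl_dn, re.I)  # DNs compare case-insensitively
        if m:
            return m.expand(replacement)
    return None


def acl_covers(dn):
    """True if the DN falls under the access directive's dn.regex."""
    return dn is not None and ACL_DN_REGEX.match(dn) is not None


if __name__ == "__main__":
    # Constructed SASL DNs: one carrying the realm, one without it.
    for sasl_dn in ("uid=user1,cn=F.B,cn=gssapi,cn=auth",
                    "uid=user1,cn=gssapi,cn=auth"):
        only_post = map_sasl_dn(sasl_dn, [RULE_FROM_POST])
        with_fallback = map_sasl_dn(sasl_dn, [RULE_FROM_POST, FALLBACK_RULE])
        print(f"{sasl_dn}\n  post rule only -> {only_post}"
              f"\n  with fallback  -> {with_fallback}"
              f"\n  ACL covers     -> {acl_covers(with_fallback)}")
```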