Re: krb5PrincipalName and userPassword

[Howard Chu <hyc@symas.com>]

Turbo Fredriksson wrote:
> > > > > > "Buchan" == Buchan Milne <bgmilne@staff.telkomsa.net> writes:
>
>     Buchan> As such, the LDAP server wasn't even consulted about
>     Buchan> whether it knows anything about your account, only that it
>     Buchan> should map your SASL identity to a DN (that need not exist
>     Buchan> in the directory).
>
> So what's the point of having {SASL} in the userPassword then?

No one ever said there was any point to it. Why are you using it if you don't 
understand what it's for?

> And if it wasn't the sasl regexp, shouldn't my auth req DN be:

>     uid=turbo,cn=REALM,cn=sasl,cn=auth
>
> And that DN don't have any special access, so how come I got
> full access to the object(s), and not the anonymous read access
> that I expected?

> 'only that it should map your SASL identity to a DN'... That's
> translated into a 'correct' DN by the sasl regexp - which worked... ?

From the sound of it, yes, the SASL regexp worked as it should.
--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/