Best objectClass for an LDAP server?
- To: openldap-technical@openldap.org
- Subject: Best objectClass for an LDAP server?
- From: Jaap Winius <jwinius@umrk.nl>
- Date: Tue, 19 Jan 2010 18:32:28 +0100
- Content-disposition: inline
- User-agent: Internet Messaging Program (IMP) H3 (4.1.5)
Hi folks,
Busy again with the configuration of my OpenLDAP 2.4.11 test system,
which includes Kerberos, SASL and GSSAPI, I now not only have
replication working (with Kerberos authentication and encryption), but
also SASL proxy authorization, which makes chaining possible (chasing
referrals on behalf of clients).
For proxy authorization to work, I first had to create an LDAP object
to represent the DN that the consumer server was authenticating with
-- after the name of its Kerberos principal. Here it is in
GSSAPI-format:
uid=ldap/ldapks2.example.com,cn=gssapi,cn=auth
Not wanting to use the person objectClass for this purpose, I used
this instead:
dn: cn=ldap/ldapks2.example.com,ou=consumers,dc=example,dc=com
cn: ldap/ldapks2.example.com
objectClass: simpleSecurityObject
objectClass: organizationalRole
description: LDAP server2 replicator
saslAuthzTo: dn.regex:^uid=[^,]*,ou=users,dc=example,dc=com$
userPassword: {CRYPT}*
Does this look like the best solution? It does force me to include a
userPassword attribute, for which I use an invalid hash, but otherwise
there are no other unnecessary attributes. Still, I wonder if I could
do better.
Any opinions?
Thanks,
Jaap
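A small scope check for the saslAuthzTo rule in the post above, added here as an example and not part of the original message or of OpenLDAP: it evaluates the rule against candidate DNs the way slapd's dn.exact/dn.regex matching does (assuming the DNs are already normalized and ignoring the other rule forms), so one can confirm that the replicator may only assume identities directly under ou=users.

```python
import re

# The rule from the post, used as the sample input for this check.
AUTHZ_TO_RULE = "dn.regex:^uid=[^,]*,ou=users,dc=example,dc=com$"


def authz_allows(rule: str, target_dn: str) -> bool:
    """Return True if a saslAuthzTo rule permits assuming target_dn.

    Assumptions: only the dn.exact: and dn.regex: forms are modelled
    (u: and ldap:/// forms are rejected), and target_dn is already in
    the normalized shape slapd compares against (lower case, no
    spaces around commas).  The regex subset used by the post's rule
    is valid both as a POSIX extended regex and as a Python regex.
    """
    if rule.startswith("dn.exact:"):
        return rule[len("dn.exact:"):] == target_dn
    if rule.startswith("dn.regex:"):
        return re.search(rule[len("dn.regex:"):], target_dn) is not None
    raise ValueError(f"unsupported saslAuthzTo form: {rule!r}")


def audit_rule(rule: str, candidates: list[str]) -> dict[str, bool]:
    """Map each candidate DN to whether the rule would allow it."""
    return {dn: authz_allows(rule, dn) for dn in candidates}


if __name__ == "__main__":
    # Constructed DNs: one in scope, the rest probing the rule's edges
    # (sibling OU, nested OU, a DN with a trailing extra component, and
    # an escaped comma inside the uid value).
    probes = [
        "uid=alice,ou=users,dc=example,dc=com",
        "uid=alice,ou=admins,dc=example,dc=com",
        "uid=alice,ou=staff,ou=users,dc=example,dc=com",
        "uid=alice,ou=users,dc=example,dc=com,dc=other",
        "uid=a\\,b,ou=users,dc=example,dc=com",
    ]
    for dn, ok in audit_rule(AUTHZ_TO_RULE, probes).items():
        print(f"{'ALLOW' if ok else 'deny '}  {dn}")
```

Only the first probe is allowed; the escaped-comma DN is denied because `[^,]*` stops at the backslash-escaped comma, which is worth knowing before relying on such a rule for uids containing commas.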