
Re: Handling slapd.d in OpenLDAP and Kerberos



Jaap Winius wrote:
Quoting "sarathkrishna89@gmail.com"<sarathkrishna89@gmail.com>:

For authenticating via OpenLDAP, the principals need to be rewritten (using
authz-policy and authz-regexp). We know how to do
that in older versions of OpenLDAP (which had slapd.conf), but don't know how
to do the same in the new OpenLDAP, which has a slapd.d directory instead.
The manuals also don't say anything on this issue.

The switch from slapd.conf to cn=config takes a little getting used
to, plus the migration script may not work for you, but in the end I
produced a set of procedures that should tell you most of what you
want to know:

    * Integrated Kerberos-OpenLDAP provider on Debian squeeze
      http://www.rjsystems.nl/en/2100-d6-kerberos-openldap-provider.php

    * Integrated Kerberos-OpenLDAP consumer on Debian squeeze
      http://www.rjsystems.nl/en/2100-d6-kerberos-openldap-consumer.php

True, I didn't use Ubuntu in these examples, but I would not be
surprised if the procedures were almost identical, certainly with
cn=config.

If you read
  http://highlandsun.com/hyc/drafts/draft-chu-ldap-xordered-xx.html

you could simplify your ACL changes in 7.1.1.x.

dn: olcDatabase={1}hdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {2}
olcAccess: {1}
olcAccess: {0}
-

Similarly in 7.1.2.x you don't need to specify the prefixes when you're adding rules in order.


Cheers,

Jaap



--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
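As an added illustration (not code from this thread or from OpenLDAP itself), the following Python model applies the X-ORDERED index semantics referred to above to the olcAccess deletion in the LDIF: deleting by {n} removes the value at that position and renumbers the rest, and adding unprefixed values in order assigns {0}, {1}, {2}. It assumes that the values of one modification are applied one at a time in the order listed, and the three ACL strings are constructed stand-ins for real rules.

```python
import re

PREFIX = re.compile(r"^\{(\d+)\}(.*)$", re.S)
def strip_index(value):
    """Split '{n}rest' into (n, rest); an unprefixed value gives (None, value)."""
    m = PREFIX.match(value)
    return (int(m.group(1)), m.group(2)) if m else (None, value)

def delete_values(current, to_delete):
    """Delete ordered values by index; values after each deleted one shift down."""
    vals = list(current)
    for v in to_delete:
        idx, rest = strip_index(v)
        if idx is None:
            vals.remove(rest)  # no prefix: match on content instead
            continue
        if idx >= len(vals) or (rest and vals[idx] != rest):
            raise ValueError("no matching value at index %d" % idx)
        del vals[idx]
    return vals

def add_values(current, to_add):
    """Add ordered values: '{n}x' inserts at position n, an unprefixed value appends."""
    vals = list(current)
    for v in to_add:
        idx, rest = strip_index(v)
        vals.insert(len(vals) if idx is None else idx, rest)
    return vals

def render(vals):
    """Show values with the {n} prefixes slapd returns them with."""
    return ["{%d}%s" % (i, v) for i, v in enumerate(vals)]

# Constructed stand-ins for the three olcAccess rules the LDIF above removes.
ACLS = ["to attrs=userPassword by self write by * auth",
        'to dn.subtree="ou=people,dc=example,dc=com" by users read',
        "to * by * read"]

def descending_delete():
    """The posted LDIF: delete {2}, {1}, {0}; all three rules go away."""
    return delete_values(ACLS, ["{2}", "{1}", "{0}"])

def ascending_delete():
    """Delete {0} then {1}: the old {2} is renumbered to {1} after the first
    delete, so the second delete removes it and the original {1} survives."""
    return delete_values(ACLS, ["{0}", "{1}"])

def add_in_order():
    """As in 7.1.2.x: add unprefixed rules in order; they get {0}, {1}, {2}."""
    return render(add_values([], ACLS))
```

The descending order in the posted LDIF is what makes a multi-value delete safe under renumbering; the ascending case shows which rule is left behind otherwise.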