RE: Another ACL question ...
At 05:28 PM 02/06/2002 -0800, you wrote:
>> 1) directly reference the SASL user id in ACLs, and that it is
>> not planned
>> for implementation.
> There's nothing stopping you from defining ACLs that reference a SASL DN
> directly:
>    access to xyzzy by dn="uid=plugh + realm=plover"
> will work fine in the released code.
Is there a way to insert the SASL returned DN? I know I can hard code the 
id, but how do I directly reference the id returned from the client bind?
> Additionally, the code in HEAD allows configuration of regexp patterns to
> map SASL DNs (as described above) to LDAP DNs (like your
> uid=abrock,dc=...).
I will play with this in the next couple of weeks ... it sounds promising.
> Try using "sasl-realm" in your slapd.conf to define a default realm.
> Ordinarily this shouldn't even be needed since a properly configured SASL
> installation should be able to extract the Kerberos realm name on its own.
This is interesting! So far, I have added NO configuration to SASL since I 
have not been able to find any documentation on the use of SASL with 
Kerberos (I have been browsing their site, mailing archives and docs for 
several weeks). From what I can tell, my guess is that SASL "magically" 
figures everything out from the krb5.conf file.
Also, I have sasl-realm defined in the slapd.conf file. Can you supply an 
example of a working SASL configuration file for Kerberos?
Thanks!
Tony
******************************************************************************
* Anthony Brock                                         abrock@georgefox.edu *
* Director of Network Services                         George Fox University *
******************************************************************************
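The two approaches discussed in the exchange above, written out as slapd.conf fragments. This is an added example, not configuration posted by either participant. Fragment (a) uses the released-code form of the SASL DN that the thread quotes; fragment (b) assumes the sasl-regexp directive and the uid=<user>,cn=<realm>,cn=<mech>,cn=auth SASL DN form of the HEAD / 2.1 code. The suffix dc=example,dc=com, the entry ou=secret and the realm PLOVER are placeholders.

```conf
# (a) Released code: reference the SASL identity directly in the ACL.
#     A Kerberos principal plugh@PLOVER that binds via GSSAPI is seen by
#     slapd as the DN below; sasl-realm supplies the default realm
#     (assumed value PLOVER) when the SASL layer does not report one.
sasl-realm      PLOVER

access to dn="ou=secret,dc=example,dc=com"
        by dn="uid=plugh + realm=plover" write
        by * none

# (b) HEAD / 2.1-style code: map the SASL DN onto a real directory entry
#     with a regexp, then write the ACL against the directory DN.
#     $1 is the uid captured from the SASL DN; the ldap:/// URI searches
#     the suffix for the entry whose uid matches it.
sasl-regexp     uid=([^,]*),cn=plover,cn=gssapi,cn=auth
                ldap:///dc=example,dc=com??sub?(uid=$1)

access to dn="ou=secret,dc=example,dc=com"
        by dn="uid=abrock,dc=example,dc=com" write
        by * none
```

With (b), the ACL no longer has to hard-code the SASL-side identity: whatever uid the client bound with is looked up and the ACL is evaluated against the resulting entry DN. The search in the URI should be restricted enough that it returns exactly one entry; a mapping that matches several entries or none does not authorize the bind as any of them.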