Re: --with-spasswd, SASL/GSSAPI authentication

["Kurt D. Zeilenga" <Kurt@OpenLDAP.org>]

At 09:52 AM 1/10/01 -0800, Tomas Maly wrote:
>What is the "--with-spasswd" configure option for?

This option enables the {SASL} userPassword scheme which
allows LDAP "simple" bind to verify using the Cyrus SASL
library (which in turn might use SASLdb, Kerberos, pwcheckd).

It's primarily meant to be used where you want to use SASLdb
but have LDAP clients which only support "simple" bind.

>How is the feature it
>includes configured and implemented?

You add:
        userPassword:   {SASL}username

(where username is the SASL user name) to the entry being bound to.

>Also, if I use SASL/GSSAPI for my authentication (ldapadd -Y GSSAPI),
>then what, by default, is my dn going to be (the dn it uses to determine
>who I am and what access rights I have on certain attributes/entries)?

In 2.0, the subject dn should be:
        uid=principal

You can check the logs to see what the generated authzdn is.
Depending on your configuration, the principal may or may
not include your Kerberos realm.

>Does SLAPD do a search for my principal (minus the realm) as a "uid"
>attribute, and then return the respective dn that the uid is under?

No.  The authzdn are not mapped (yet).

One generally uses regexes to grant permissions, 


>Let's say my Krb5 principal is "tomas@MVISTA.COM", would it then look
>for my dn using "uid=tomas" as the criteria, and then return let's say
>"dn:uid=tomas,ou=People,dc=mvista,dc=com" as my dn assuming that dn has
>uid set to "tomas"?

access to dn="uid=([^,]+),ou=People,dc=mvista,dc=com"
        by dn="uid=$1(@MVISTA.COM)?" write