Re: SASL & ACLs

[Quanah Gibson-Mount <quanah@stanford.edu>]

--On Tuesday, August 17, 2004 2:46 PM -0400 "Matthew J. Smith" 
<matt.smith@uconn.edu> wrote:

> > No. It's recommended that all your SASL DNs be mapped to existing
> > entries in your directory, but it's not required. The SASL DN is still a
> > legal DN after all. If you understand what you're doing, go ahead and
> > use it.
> Thank you both for your answers so far -- I have found posts by you two
> dating back to ~2000 very helpful.
>
> So, to follow up -- assuming I do not want to map the DN if it is
> possible.  Will a group acl (by group="...") referencing a group
> containg the unmapped SASL DN as a member be properly resolved and
> applied, or does the mapping need to be done for this resolution to
> properly occur?

Hm, well, I've never tested that, but since it is a valid DN, and the group 
membership for a static group is by DN, I'd assume it would work.

This gets off into an interesting side-bar on group memberships in general 
though, if one ponders things like automatic addition of "memberOf" 
attributes to DN's when they are added to groups -- What do you do if the 
DN doesn't exist in the DB as an entry, because it is being done in this 
method.

In my dev environment, I do use a group for syncRepl, but the DN's also 
exist in the DB in my case.  My intention was to use this as a way of 
keeping my environments from accidentally talking to the wrong master if 
they got configured wrong.

--Quanah


--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html