[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: krb5PrincipalName and userPassword

To: openldap-software@openldap.org
Subject: Re: krb5PrincipalName and userPassword
From: Turbo Fredriksson <turbo@bayour.com>
Date: Sat, 15 Sep 2007 20:23:29 +0200
In-reply-to: <200709101600.47189.bgmilne@staff.telkomsa.net> (Buchan Milne's message of "Mon, 10 Sep 2007 16:00:46 +0200")
Organization: LDAP/Kerberos expert wannabe
References: <87ps0upkjq.fsf@pumba.bayour.com> <46E1C4B0.1000904@sys-net.it> <87d4wtowbq.fsf@pumba.bayour.com> <200709101600.47189.bgmilne@staff.telkomsa.net>
User-agent: Gnus/5.110006 (No Gnus v0.6) Emacs/22.0.95 (gnu/linux)

>>>>> "Buchan" == Buchan Milne <bgmilne@staff.telkomsa.net> writes:

    Buchan> As such, the LDAP server wasn't even consulted about
    Buchan> whether it knows anything about your account, only that it
    Buchan> should map your SASL identity to a DN (that need not exist
    Buchan> in the directory).

So what's the point of having {SASL} in the userPassword then?

And if it wasn't the sasl regexp, shouldn't my auth req DN be:

    uid=turbo,cn=REALM,cn=sasl,cn=auth

And that DN don't have any special access, so how come I got
full access to the object(s), and not the anonymous read access
that I expected?

'only that it should map your SASL identity to a DN'... That's
translated into a 'correct' DN by the sasl regexp - which worked... ?

Follow-Ups:
- Re: krb5PrincipalName and userPassword
  - From: Howard Chu <hyc@symas.com>

References:
- krb5PrincipalName and userPassword
  - From: Turbo Fredriksson <turbo@bayour.com>
- Re: krb5PrincipalName and userPassword
  - From: Pierangelo Masarati <ando@sys-net.it>
- Re: krb5PrincipalName and userPassword
  - From: Turbo Fredriksson <turbo@bayour.com>
- Re: krb5PrincipalName and userPassword
  - From: Buchan Milne <bgmilne@staff.telkomsa.net>

Prev by Date: LDAP error code 32
Next by Date: Re: LDAP error code 32
Index(es):
- Chronological
- Thread