
Re: Administrator's Guide needs sasl-host sasl-realm (ITS#2313)




* Howard Chu (hyc@highlandsun.com) wrote:
> Perhaps you could be more specific about which SASL mechanisms you've used
> that require this extra configuration. I routinely use GSSAPI and DIGEST-MD5
> and have never needed to specify sasl-host or sasl-realm in slapd.conf. I
> also use EXTERNAL with TLS which, of course, does not require any additional
> configuration.
>
> In my experience, the default value of sasl-realm is correct and sasl-host is
> irrelevant. If your experience differs, I believe the problem lies in your
> SASL installation. And while we may view the Admin Guide as a primer to
> setting up OpenLDAP, it is not appropriate to turn it into a primer on how to
> set up and configure SASL. There are other resources for that.

If sasl-realm is not set then using GSSAPI/MIT Krb5 will return, for example:
dn:uid=sfrost/ldap,cn=gssapi,cn=auth

With sasl-realm set it returns:
dn:uid=sfrost/ldap,cn=snowman.net,cn=gssapi,cn=auth

Personally I feel not having the cn=snowman.net there is wrong since
Kerberos uses the realm concept.  Note also that the only change done
here was to add sasl-realm to the slapd.conf file.

	Stephen

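
Added example, not part of the original message or of OpenLDAP: a small Python parser for the two authentication DN shapes quoted above, usable to audit which DNs referenced in access rules lack a realm component. The function names and the simplified comma splitting are assumptions made for this illustration.

```python
import re

# Split on commas that are not backslash-escaped. This is a simplified DN
# split (an assumption), sufficient for the two DN shapes in the message.
_RDN_SPLIT = re.compile(r'(?<!\\),')


def parse_sasl_auth_dn(dn):
    """Parse uid=<id>[,cn=<realm>],cn=<mech>,cn=auth into its parts.

    Returns a dict with 'uid', 'realm' (None when absent) and 'mech'.
    Raises ValueError for any other shape.
    """
    text = dn.strip()
    if text.lower().startswith('dn:'):      # tolerate the "dn:" output prefix
        text = text[3:]
    rdns = []
    for part in _RDN_SPLIT.split(text):
        attr, sep, value = part.strip().partition('=')
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().lower(), value.strip()))
    if len(rdns) not in (3, 4):
        raise ValueError(f"expected 3 or 4 RDNs, got {len(rdns)}")
    if rdns[0][0] != 'uid' or any(a != 'cn' for a, _ in rdns[1:]):
        raise ValueError("expected uid=...,cn=...[,cn=...],cn=auth")
    if rdns[-1][1].lower() != 'auth':
        raise ValueError("DN does not end in cn=auth")
    realm = rdns[1][1] if len(rdns) == 4 else None
    return {'uid': rdns[0][1], 'realm': realm, 'mech': rdns[-2][1].lower()}


def find_unqualified(dns):
    """Return the DNs from `dns` that carry no realm component."""
    return [dn for dn in dns if parse_sasl_auth_dn(dn)['realm'] is None]


if __name__ == '__main__':
    # The two DNs quoted in the message above.
    samples = [
        'dn:uid=sfrost/ldap,cn=gssapi,cn=auth',
        'dn:uid=sfrost/ldap,cn=snowman.net,cn=gssapi,cn=auth',
    ]
    for s in samples:
        print(s, '->', parse_sasl_auth_dn(s))
    print('no realm:', find_unqualified(samples))
```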