[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#6757) SASL canonicalize doesn't work as documented

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#6757) SASL canonicalize doesn't work as documented
From: hyc@symas.com
Date: Fri, 31 Dec 2010 01:27:36 GMT
Auto-submitted: auto-generated (OpenLDAP-ITS)

b.candler@pobox.com wrote:
> Full_Name: Brian Candler
> Version: 2.4.21
> OS: Ubuntu 10.04.1
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (87.114.104.19)
>
>
> DOcumentation at http://www.openldap.org/doc/admin24/sasl.html#GSSAPI gives two
> example authorization DNs built from SASL/GSSAPI:
>
> "a user with the Kerberos principal kurt@EXAMPLE.COM would have the associated
> DN:
>          uid=kurt,cn=example.com,cn=gssapi,cn=auth
> and the principal ursula/admin@FOREIGN.REALM would have the associated DN:
>          uid=ursula/admin,cn=foreign.realm,cn=gssapi,cn=auth"
>
> Experimentation shows that the actual behaviour is different.
>
> You could treat this either as a behaviour error or a documentation error - if
> the latter, the olcSaslRealm is pretty useless, because if set it appears in all
> auth DNs (for both local and foreign realms)

Could be a bug, but we're using the parameters as documented by Cyrus. I 
suggest you file this bug report with them instead.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

Prev by Date: Re: (ITS#6755) ldapsearch crashes - double free or corruption (!prev): 0x0989f5f8
Next by Date: (ITS#6760) rwm broken entry handling
Index(es):
- Chronological
- Thread