
Re: (ITS#6757) SASL canonicalize doesn't work as documented



On Mon, Jan 10, 2011 at 11:48:37AM -0800, Howard Chu wrote:
> >No problem. I propose the following to bring the docs in line with
> >behaviour.
> 
> This looks a bit too specific, the olcSaslRealm setting affects
> other SASL mechanisms too.

True, although this text is under the GSSAPI subheading so I would read it
as specific to the GSSAPI mechanism.

> For GSSAPI it should probably just say
> not to specify olcSaslRealm at all since the mechanism has its own
> notion of realms already.

If they are using a mixture of SASL mechanisms then they might need to set
olcSaslRealm for the benefit of another one.

How about this:

-------------------------------------------------------------------
If you are using only GSSAPI authentication then you should not configure
olcSaslRealm. If you do, then it is always inserted as an extra
component in the authorization DN, regardless of the realm of the client.
For example, if you set olcSaslRealm to {{EX:example.com}} then you will
get:

    uid=kurt,cn=example.com,cn=gssapi,cn=auth
    uid=ursula/admin@foreign.realm,cn=example.com,cn=gssapi,cn=auth
-------------------------------------------------------------------
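The following is an added example, not code from OpenLDAP or from anyone in this thread. It models the DN form the proposed text describes (uid=<username>[,cn=<realm>],cn=<mechanism>,cn=auth) so an administrator can see, without a running slapd, how an olcSaslRealm value is inserted regardless of the realm in the client's GSSAPI principal, and can flag DNs where that cn= component would mislead an authz-regexp that treats it as the client's realm. The function and parameter names, the RFC 4514 value escaping, and the default_realm parameter (the realm assumed for a principal that carries none) are assumptions of this example.

```python
# Added example: models the SASL authorization request DN discussed in the
# thread. Not slapd code; names and the default_realm assumption are ours.
from typing import Optional


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use in an RDN (RFC 4514 rules)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append('\\' + ch)
        elif ch == '#' and i == 0:
            out.append('\\#')
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')
        else:
            out.append(ch)
    return ''.join(out)


def authz_request_dn(sasl_username: str, mechanism: str,
                     sasl_realm: Optional[str] = None) -> str:
    """Build uid=<username>[,cn=<realm>],cn=<mechanism>,cn=auth.

    sasl_realm models the olcSaslRealm setting: when it is set, the value is
    inserted as a cn= component no matter what realm (if any) the
    mechanism-supplied username already carries.
    """
    parts = [f"uid={escape_rdn_value(sasl_username)}"]
    if sasl_realm:
        parts.append(f"cn={escape_rdn_value(sasl_realm)}")
    parts.append(f"cn={mechanism.lower()}")
    parts.append("cn=auth")
    return ",".join(parts)


def principal_realm(sasl_username: str, default_realm: str) -> str:
    """Realm the GSSAPI principal actually authenticated from.

    A principal without an explicit @realm is taken to belong to
    default_realm (an assumption of this example, not something slapd
    reports in the DN).
    """
    if '@' in sasl_username:
        return sasl_username.rsplit('@', 1)[1]
    return default_realm


def realm_component_misleading(sasl_username: str,
                               sasl_realm: Optional[str],
                               default_realm: str) -> bool:
    """True when the cn=<realm> component that olcSaslRealm inserts differs
    from the realm the client really came from, i.e. when an authz-regexp
    keyed on cn=<realm> would treat a foreign-realm principal as local."""
    if not sasl_realm:
        return False
    actual = principal_realm(sasl_username, default_realm)
    return actual.lower() != sasl_realm.lower()


if __name__ == "__main__":
    # Constructed sample identities, matching the two DNs in the proposal.
    for user in ("kurt", "ursula/admin@foreign.realm"):
        dn = authz_request_dn(user, "GSSAPI", "example.com")
        flag = realm_component_misleading(user, "example.com", "EXAMPLE.COM")
        print(f"{dn}   realm component misleading: {flag}")
```

Running the block prints the two DNs from the proposed text; the second is flagged because ursula/admin is from foreign.realm while the DN says cn=example.com. The practical takeaway is the one the thread makes: with GSSAPI, the cn=<realm> component reflects configuration, not the client, so any authz-regexp or ACL that keys on it must not be read as a realm check.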