Re: SASL docs?

["Kurt D. Zeilenga" <Kurt@OpenLDAP.org>]

At 10:05 PM 9/11/00 +0200, Hugo.van.der.Kooij@caiw.nl wrote:
>Hi,
>
>I installed SASL and compiled OpenLDAP 2.0.1 so it now has SASL support.
>Unfortunatly I failed to read/find the proper documentation to get import
>my ldif file now.

Proper documentation has yet to be written.  Volunteers welcomed
to "jump on in."

No changes(*) to the directory are needed to use SASL as OpenLDAP 2.0
relies upon Cyrus SASL's to handle such.  That is, 2.0 doesn't support
in directory storage of SASL authentication secrets.  2.1 support
for such is under development.

* unless you want to use "userPassword: {SASL}user" simple bind support
[of course, the whole point of SASL in LDAP is to avoid simple bind].

>So I would welcome some pointers (URL) to SASL documentation or even
>better a hint to get SASL + OpenLDAP usable for me.

Add users to your SASLdb using saslpasswd(1) or external authenication
service (such as Kerberos V).  slapd(8) will automatically authenticate
any valid SASL user and assign an authorization DN of the form
"uid=username + realm=REALM".  Depending on the mechanism/configuration
(sasl-realm), the form might also be "uid=username@KREALM" (GSSAPI) or
just "uid=username".  Once you get successful authentication, you can
look at slapd.conf to see what authorization DNs are being produced.

You can then make use of the authorization DNs in ACLs or rootdn
specications: 
  rootdn "uid=user"
or
  rootdn "uid=user + realm=EXAMPLE.COM"

and:
  access to * by dn="uid=[^,]*" self write