[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SASL docs?

At 08:47 PM 9/13/00 +0200, Hugo.van.der.Kooij@caiw.nl wrote:
>On Mon, 11 Sep 2000, Kurt D. Zeilenga wrote:
>> At 10:05 PM 9/11/00 +0200, Hugo.van.der.Kooij@caiw.nl wrote:
>> >
>> >I installed SASL and compiled OpenLDAP 2.0.1 so it now has SASL support.
>> >Unfortunatly I failed to read/find the proper documentation to get import
>> >my ldif file now.
>> >So I would welcome some pointers (URL) to SASL documentation or even
>> >better a hint to get SASL + OpenLDAP usable for me.
>> Add users to your SASLdb using saslpasswd(1) or external authenication
>> service (such as Kerberos V).  slapd(8) will automatically authenticate
>> any valid SASL user and assign an authorization DN of the form
>> "uid=username + realm=REALM".  Depending on the mechanism/configuration
>> (sasl-realm), the form might also be "uid=username@KREALM" (GSSAPI) or
>> just "uid=username".  Once you get successful authentication, you can
>> look at slapd.conf to see what authorization DNs are being produced.
>> You can then make use of the authorization DNs in ACLs or rootdn
>> specications: 
>>   rootdn "uid=user"
>> or
>>   rootdn "uid=user + realm=EXAMPLE.COM"
>> and:
>>   access to * by dn="uid=[^,]*" self write
>So if I understand this correctly I can use SASL for my rootdn password
>instead of a cleartext variable in the slapd.conf file but the user
>passwords will remain using the build-in password types in the 2.0
>releases. (Just to make sure I have grasped the topic.)

SASL authentication is relies on Cyrus SASL for secret management
(which may delegate to external service).
Simple bind authentication uses userPassword value(s) which
may indicate use of external services ({SASL}, {KERBEROS}, etc.).

Note the above ACL is kind of useless.  Here is a more useful
(untested) example:

        access to dn="^uid=([^,]+),dc=example,dc=com"
                by dn="uid=$1 \+ realm=EXAMPLE\.COM" write
                by dn="uid=[^,]+.*" read