Re: SASL docs?
On Wed, 13 Sep 2000, Kurt D. Zeilenga wrote:
> At 08:47 PM 9/13/00 +0200, Hugo.van.der.Kooij@caiw.nl wrote:
> >
> >So if I understand this correctly I can use SASL for my rootdn password
> >instead of a cleartext variable in the slapd.conf file but the user
> >passwords will remain using the build-in password types in the 2.0
> >releases. (Just to make sure I have grasped the topic.)
>
> SASL authentication relies on Cyrus SASL for secret management
> (which may delegate to external service).
> Simple bind authentication uses userPassword value(s) which
> may indicate use of external services ({SASL}, {KERBEROS}, etc.).
So if I have the following in my LDIF file:
dn: cn=Hugo van der Kooij,ou=hugo,dc=vanderkooij,dc=org
objectclass: top
objectclass: person
objectclass: inetOrgPerson
objectclass: organizationalPerson
uid: hvdkooij
cn: Hugo van der Kooij
sn: van der Kooij
userpassword: {SASL}
It will go to SASL and try to authenticate with uid=hvdkooij and the realm
assigned in the slapd.conf file.
> Note the above ACL is kind of useless. Here is a more useful
> (untested) example:
>
> access to dn="^uid=([^,]+),dc=example,dc=com"
> by dn="uid=$1 \+ realm=EXAMPLE\.COM" write
> by dn="uid=[^,]+.*" read
Hmmm. What benefit would [^,]+ bring over [^,] in this case? + in this
case means one or more where the [^,] forbids the presence of a , in the
part before the domain.
And should I use uid in some other fashion than I describe above? (I just
added the uid: line without testing.)
Hugo.
--
Hugo van der Kooij; Oranje Nassaustraat 16; 3155 VJ Maasland
hvdkooij@caiw.nl http://home.kabelfoon.nl/~hvdkooij/
--------------------------------------------------------------
Quoting this tagline is illegal! (http://www.dtcc.edu/cs/rfc1855.html)
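Added example, not part of the thread and not OpenLDAP's own code: a small Python emulation of how the quoted (untested) ACL's regexes would be evaluated, so the difference between `[^,]+` and `[^,]` asked about above, and the reach of the unanchored `uid=[^,]+.*` read clause, can be seen on concrete DNs. It assumes POSIX-style regexes matched case-insensitively with search semantics (a pattern matches anywhere unless anchored with `^` and `$`), that `$1` in a `by dn` pattern is replaced verbatim by the group captured from the `access to dn` pattern, and that the SASL bind identity has the form `uid=<user> + realm=<REALM>` implied by the quoted pattern. The entry DN, bind DNs and the `ANCHORED_ACL` variant are constructed for the demonstration.

```python
import re

# Constructed emulation of slapd-style regex ACL evaluation; not OpenLDAP code.
# Assumptions: POSIX extended regexes, matched case-insensitively with "search"
# semantics (a pattern matches anywhere unless anchored with ^ and $), and $N in
# a "by dn" pattern is replaced verbatim by the Nth group captured from the
# "access to dn" pattern.
FLAGS = re.IGNORECASE

# The quoted (untested) ACL, transcribed as (target regex, [(by-dn regex, level), ...]).
QUOTED_ACL = (
    r"^uid=([^,]+),dc=example,dc=com",
    [
        (r"uid=$1 \+ realm=EXAMPLE\.COM", "write"),  # the entry owner's own SASL identity
        (r"uid=[^,]+.*", "read"),                     # any bind DN containing "uid=<x>"
    ],
)

# Constructed variant: both clauses anchored, so "read" only reaches SASL
# identities of the EXAMPLE.COM realm rather than any DN that contains "uid=".
ANCHORED_ACL = (
    r"^uid=([^,]+),dc=example,dc=com$",
    [
        (r"^uid=$1 \+ realm=EXAMPLE\.COM$", "write"),
        (r"^uid=[^,]+ \+ realm=EXAMPLE\.COM$", "read"),
    ],
)


def captured_uid(target_pattern, target_dn):
    """Return what $1 would be for target_dn under target_pattern, or None."""
    m = re.search(target_pattern, target_dn, FLAGS)
    return m.group(1) if m else None


def expand(by_pattern, match):
    """Replace $1, $2, ... with the groups captured from the target DN (verbatim)."""
    return re.sub(r"\$(\d+)", lambda g: match.group(int(g.group(1))), by_pattern)


def evaluate_acl(acl, target_dn, bind_dn):
    """Access level granted by the first matching 'by' clause, or None."""
    target_pattern, by_clauses = acl
    m = re.search(target_pattern, target_dn, FLAGS)
    if not m:
        return None  # this ACL does not apply to the entry at all
    for by_pattern, level in by_clauses:
        if re.search(expand(by_pattern, m), bind_dn, FLAGS):
            return level
    return None


if __name__ == "__main__":
    entry = "uid=hvdkooij,dc=example,dc=com"  # constructed entry DN
    # [^,]+ captures the whole uid; [^,] matches a single character, so the
    # pattern only fits one-character uids and this entry is never covered.
    for pat in (r"^uid=([^,]+),dc=example,dc=com", r"^uid=([^,]),dc=example,dc=com"):
        print(f"{pat!r:40} captures {captured_uid(pat, entry)!r}")
    for bind in ("uid=hvdkooij + realm=EXAMPLE.COM",
                 "uid=alice + realm=EXAMPLE.COM",
                 "uid=mallory,dc=elsewhere,dc=org",
                 "cn=Manager,dc=example,dc=com"):
        print(f"{bind:36} quoted={evaluate_acl(QUOTED_ACL, entry, bind)!s:6}"
              f"anchored={evaluate_acl(ANCHORED_ACL, entry, bind)}")
```

Running it shows that `[^,]` alone never matches the multi-character uid, so the ACL would simply not apply to that entry, and that the unanchored read clause in the quoted ACL grants read to a bind DN such as `uid=mallory,dc=elsewhere,dc=org` because it merely contains `uid=`; the anchored variant confines read to identities of the realm.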