
Re: SASL docs?



On Wed, 13 Sep 2000, Kurt D. Zeilenga wrote:

> At 08:47 PM 9/13/00 +0200, Hugo.van.der.Kooij@caiw.nl wrote:
> >
> >So if I understand this correctly I can use SASL for my rootdn password
> >instead of a cleartext variable in the slapd.conf file but the user
> >passwords will remain using the built-in password types in the 2.0
> >releases. (Just to make sure I have grasped the topic.)
> 
> SASL authentication relies on Cyrus SASL for secret management
> (which may delegate to external service).
> Simple bind authentication uses userPassword value(s) which
> may indicate use of external services ({SASL}, {KERBEROS}, etc.).

So if I have the following in my LDIF file:

dn: cn=Hugo van der Kooij,ou=hugo,dc=vanderkooij,dc=org
objectclass: top
objectclass: person
objectclass: inetOrgPerson
objectclass: organizationalPerson
uid: hvdkooij
cn: Hugo van der Kooij
sn: van der Kooij
userpassword: {SASL}

It will go to SASL and try to authenticate with uid=hvdkooij and the realm
assigned in the slapd.conf file.

> Note the above ACL is kind of useless.  Here is a more useful
> (untested) example:
> 
>         access to dn="^uid=([^,]+),dc=example,dc=com"
>                 by dn="uid=$1 \+ realm=EXAMPLE\.COM" write
>                 by dn="uid=[^,]+.*" read

Hmmm. What benefit would [^,]+ bring over [^,] in this case? + in this
case means one or more where the [^,] forbids the presence of a , in the
part before the domain.


And should I use uid in some other fashion than I describe above? (I just
added the uid: line without testing.)

Hugo.

-- 
Hugo van der Kooij; Oranje Nassaustraat 16; 3155 VJ  Maasland
hvdkooij@caiw.nl	http://home.kabelfoon.nl/~hvdkooij/
--------------------------------------------------------------
Quoting this tagline is illegal! (http://www.dtcc.edu/cs/rfc1855.html)
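
Added example (not part of the original message, and not OpenLDAP code): a small Python model of the quoted ACL showing what the + after [^,] changes and how the captured uid feeds the first "by" clause. Python's re stands in for slapd's regex matching; the case-insensitive comparison, the literal substitution of $1 and all sample DNs other than the one from the LDIF above are assumptions of this model.

```python
import re

# Target-DN patterns: the one from the quoted ACL, and the same pattern
# without the '+' quantifier that the question asks about.
WITH_PLUS = r"^uid=([^,]+),dc=example,dc=com"
WITHOUT_PLUS = r"^uid=([^,]),dc=example,dc=com"
# First "by" clause of the quoted ACL; $1 stands for the captured uid.
BY_WRITE = r"uid=$1 \+ realm=EXAMPLE\.COM"


def captured_uid(target_pattern, entry_dn):
    """Return the uid captured from entry_dn, or None if the pattern fails."""
    # Assumption of this model: DNs are compared case-insensitively.
    m = re.search(target_pattern, entry_dn, re.IGNORECASE)
    return m.group(1) if m else None


def write_allowed(target_pattern, entry_dn, bind_dn):
    """Model the 'write' clause: substitute $1, then match the bind DN."""
    uid = captured_uid(target_pattern, entry_dn)
    if uid is None:
        return False  # the "access to" line does not apply to this entry
    # Assumption of this model: the captured text is inserted as a literal.
    by_pattern = BY_WRITE.replace("$1", re.escape(uid))
    return re.search(by_pattern, bind_dn, re.IGNORECASE) is not None


if __name__ == "__main__":
    # Constructed sample entry DNs, plus the DN from the LDIF in the message.
    entries = [
        "uid=hvdkooij,dc=example,dc=com",
        "uid=h,dc=example,dc=com",
        "cn=Hugo van der Kooij,ou=hugo,dc=vanderkooij,dc=org",
    ]
    for dn in entries:
        print(dn)
        print("  [^,]+ captures:", captured_uid(WITH_PLUS, dn))
        print("  [^,]  captures:", captured_uid(WITHOUT_PLUS, dn))

    # Constructed bind DNs in the form the "by" clause expects.
    owner = "uid=hvdkooij + realm=EXAMPLE.COM"
    other = "uid=other + realm=EXAMPLE.COM"
    print("owner may write:", write_allowed(WITH_PLUS, entries[0], owner))
    print("other may write:", write_allowed(WITH_PLUS, entries[0], other))
```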