[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: --with-spasswd, SASL/GSSAPI authentication

Is there a way to prevent OpenLDAP 2.0.7 and SASL from opening (or
attempting to open) /etc/sasldb? I've gotten the implication somehow or
another that I can specify that LDAP is FORCED to use a certain
pwcheck_method (GSSAPI in my case), by creating a file
/usr/lib/sasl/slapd.conf file with that option ("pwcheck_method:
gssapi"). Is that correct?

"Kurt D. Zeilenga" wrote:
> At 09:52 AM 1/10/01 -0800, Tomas Maly wrote:
> >What is the "--with-spasswd" configure option for?
> This option enables the {SASL} userPassword scheme which
> allows LDAP "simple" bind to verify using the Cyrus SASL
> library (which in turn might use SASLdb, Kerberos, pwcheckd).
> It's primarily meant to be used where you want to use SASLdb
> but have LDAP clients which only support "simple" bind.
> >How is the feature it
> >includes configured and implemented?
> You add:
>         userPassword:   {SASL}username
> (where username is the SASL user name) to the entry being bound to.
> >Also, if I use SASL/GSSAPI for my authentication (ldapadd -Y GSSAPI),
> >then what, by default, is my dn going to be (the dn it uses to determine
> >who I am and what access rights I have on certain attributes/entries)?
> In 2.0, the subject dn should be:
>         uid=principal
> You can check the logs to see what the generated authzdn is.
> Depending on your configuration, the principal may or may
> not include your Kerberos realm.
> >Does SLAPD do a search for my principal (minus the realm) as a "uid"
> >attribute, and then return the respective dn that the uid is under?
> No.  The authzdn are not mapped (yet).
> One generally uses regexes to grant permissions,
> >Let's say my Krb5 principal is "tomas@MVISTA.COM", would it then look
> >for my dn using "uid=tomas" as the criteria, and then return let's say
> >"dn:uid=tomas,ou=People,dc=mvista,dc=com" as my dn assuming that dn has
> >uid set to "tomas"?
> access to dn="uid=([^,]+),ou=People,dc=mvista,dc=com"
>         by dn="uid=$1(@MVISTA.COM)?" write

Tomas Maly
"IT Freak"
MontaVista Software
(408) 328-8429