
Re: --with-spasswd, SASL/GSSAPI authentication



Is there a way to prevent OpenLDAP 2.0.7 and SASL from opening (or
attempting to open) /etc/sasldb? I've gotten the implication somehow or
another that I can specify that LDAP is FORCED to use a certain
pwcheck_method (GSSAPI in my case), by creating a file
/usr/lib/sasl/slapd.conf with that option ("pwcheck_method:
gssapi"). Is that correct?

"Kurt D. Zeilenga" wrote:
> 
> At 09:52 AM 1/10/01 -0800, Tomas Maly wrote:
> >What is the "--with-spasswd" configure option for?
> 
> This option enables the {SASL} userPassword scheme which
> allows LDAP "simple" bind to verify using the Cyrus SASL
> library (which in turn might use SASLdb, Kerberos, pwcheckd).
> 
> It's primarily meant to be used where you want to use SASLdb
> but have LDAP clients which only support "simple" bind.
> 
> >How is the feature it
> >includes configured and implemented?
> 
> You add:
>         userPassword:   {SASL}username
> 
> (where username is the SASL user name) to the entry being bound to.
> 
> >Also, if I use SASL/GSSAPI for my authentication (ldapadd -Y GSSAPI),
> >then what, by default, is my dn going to be (the dn it uses to determine
> >who I am and what access rights I have on certain attributes/entries)?
> 
> In 2.0, the subject dn should be:
>         uid=principal
> 
> You can check the logs to see what the generated authzdn is.
> Depending on your configuration, the principal may or may
> not include your Kerberos realm.
> 
> >Does SLAPD do a search for my principal (minus the realm) as a "uid"
> >attribute, and then return the respective dn that the uid is under?
> 
> No.  The authzdn are not mapped (yet).
> 
> One generally uses regexes to grant permissions,
> 
> >Let's say my Krb5 principal is "tomas@MVISTA.COM", would it then look
> >for my dn using "uid=tomas" as the criteria, and then return let's say
> >"dn:uid=tomas,ou=People,dc=mvista,dc=com" as my dn assuming that dn has
> >uid set to "tomas"?
> 
> access to dn="uid=([^,]+),ou=People,dc=mvista,dc=com"
>         by dn="uid=$1(@MVISTA.COM)?" write

--
Tomas Maly
"IT Freak"
MontaVista Software
(408) 328-8429
tmaly@mvista.com
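Added illustration, not part of the original thread or of OpenLDAP's own code: a small Python model of how the regex ACL quoted above (`access to dn="uid=([^,]+),ou=People,dc=mvista,dc=com" by dn="uid=$1(@MVISTA.COM)?" write`) grants or denies access once a GSSAPI bind has produced an authzdn of the form `uid=principal`, with or without the Kerberos realm. The function names (`evaluate`, `expand_by_pattern`, `authz_dn_for_principal`), the anchored and case-insensitive matching, and the realm-stripping switch are assumptions made for the example; slapd's real evaluator normalizes DNs and applies its own regex rules, so use this only to reason about what the `$1` back-reference and the optional `(@MVISTA.COM)?` group let through.

```python
import re

# ACL as quoted in the thread, split into its three parts.
ACL_TARGET = r"uid=([^,]+),ou=People,dc=mvista,dc=com"   # 'access to dn=' regex
ACL_BY = r"uid=$1(@MVISTA.COM)?"                          # 'by dn=' pattern
ACL_ACCESS = "write"


def expand_by_pattern(by_pattern, match):
    """Replace $1..$9 in the 'by dn=' pattern with the groups captured from
    the 'access to dn=' regex.  The captured text is escaped so that a uid
    containing regex metacharacters cannot widen the pattern (a defensive
    choice made for this model; not a statement about slapd's own code)."""
    def repl(m):
        return re.escape(match.group(int(m.group(1))))
    return re.sub(r"\$([1-9])", repl, by_pattern)


def evaluate(target_dn, authz_dn, target=ACL_TARGET, by=ACL_BY, access=ACL_ACCESS):
    """Return the access level the ACL grants authz_dn on target_dn, or None
    when the ACL does not apply or the 'by' clause does not match.
    Assumption: both regexes are anchored to the whole DN and compared
    case-insensitively, standing in for slapd's DN normalization."""
    m = re.fullmatch(target, target_dn, re.IGNORECASE)
    if not m:
        return None          # entry is outside ou=People: this ACL is silent
    by_re = expand_by_pattern(by, m)
    if re.fullmatch(by_re, authz_dn, re.IGNORECASE):
        return access
    return None


def authz_dn_for_principal(principal, strip_realm=False):
    """Model the 2.0 behaviour described in the thread: the authzdn is
    'uid=<principal>', and whether the realm is kept depends on the SASL
    configuration (modelled here by the strip_realm flag)."""
    if strip_realm:
        principal = principal.split("@", 1)[0]
    return f"uid={principal}"


if __name__ == "__main__":
    entry = "uid=tomas,ou=People,dc=mvista,dc=com"      # constructed sample entry
    for who, strip in (("tomas@MVISTA.COM", False), ("tomas@MVISTA.COM", True),
                       ("alice@MVISTA.COM", False), ("tomas@OTHER.COM", False)):
        dn = authz_dn_for_principal(who, strip_realm=strip)
        print(f"{dn:28} -> {evaluate(entry, dn)}")
```

The two points worth taking from running it: the optional realm group is what makes the rule work whether or not SASL keeps the realm, and a principal from any other realm (or any other uid) is denied because `$1` is bound to the uid captured from the entry being accessed, not to anything the binder supplies.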