[Date Prev][Date Next]
Re: SASL Authentication, DNs and supported SASLMechanisms
At 08:17 AM 2001-08-31, Nels Lindquist wrote:
>On 30 Aug 2001 at 18:18, Kurt D. Zeilenga wrote:
>> >Is there any way to associate an entry of the above form with a DN of
>> >the SASL authorized "uid=username + realm = REALM" form?
>> access to dn="(uid=.*),dc=example,dc=com"
>> by dn="uid=$1 + realm=REALM" write
>Just for clarification--the inference here is that for the ACL system to associate a SASL authenticated
>user with a particular entry, the DN must have at least the UID in common with the SASL authname so that
>a regex ACL can be created.
>Currently my user DNs are of the form cn=[full name],ou=People,o=[Company
>name],c=CA. There *is* a uid field in each entry, but the uids aren't currently part of the DN. It
>looks like I'm going to have to change all my user DNs so that they incorporate the uid. Is this
Basically. The 2.0 code works best when there is some relationship
between the SASL-based authzDN (the subject) and the entry DN (the
target). You could actually use fullnames within SASL and match
"uid=full name + realm=REALM" with "cn=full name,o=Company,c=CA",
but I don't recommend it.
2.1 will have a more sophisticated mapping mechanism.
However, I generally recommend use of uid for person naming
(and dc for context naming). Besides not changing frequently,
they ease programmatic use (such as such mappings, DNS SRV