
RE: Another ACL question ...

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Anthony Brock

> By the absolute silence in response to any of these queries, I gather that
> in the integration of Kerberos and LDAP there is no way to:

Silence generally just means folks are too busy to answer. It may also mean
the question has been asked and answered before and no one feels motivated
enough to dredge up the FAQ yet another time.

> 1) directly reference the SASL user id in ACLs, and that it is not planned
> for implementation.

There's nothing stopping you from defining ACLs that reference a SASL DN
   access to xyzzy by dn="uid=plugh + realm=plover"
will work fine in the released code.

As for what's planned, all you have to do is look through the code in HEAD to
see what's on the way. In particular, the new code in HEAD changes
the default SASL DN format to something like:

The new code should appear in the 2.1alpha release.

> 2) automate the association of "uid=abrock" and "DN: uid=abrock,dc=...."
> (allowing use of the "self" attribute in ACLs).

Additionally, the code in HEAD allows configuration of regexp patterns to
map SASL DNs (as described above) to LDAP DNs (like your uid=abrock,dc=...).

If you're interested you should build the HEAD code and run some tests with
your data on it.

> Assuming these as fact, I currently have only one other question. When using
> Kerberos our test LDAP server returns an authzdn of:
> do_sasl_bind: dn () mech GSSAPI
> SASL Authorize [conn=0]: "tempid" as "u:tempid"
> slap_sasl_bind: username="u:tempid" realm="" ssf=56
> <== slap_sasl_bind: authzdn: "uid=tempid"
> send_ldap_sasl: err=0 len=-1
> How do you configure LDAP to return the REALM as well as the uid, instead of
> just realm=""?

Try using "sasl-realm" in your slapd.conf to define a default realm.
Ordinarily this shouldn't even be needed since a properly configured SASL
installation should be able to extract the Kerberos realm name on its own.

> Thanks for any ideas/clarification. So far, the product seems to have come
> a LONG way in the past 2 years! Well done!
> Tony

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
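A worked slapd.conf fragment, added here as an example; it is not code from the message above or from the OpenLDAP distribution. It puts the three pieces discussed in the reply side by side: a default realm via sasl-realm, a sasl-regexp mapping of the SASL identity onto a directory entry so that "self" in ACLs applies to Kerberos binds, and an ACL that names a SASL DN directly. It assumes the 2.1-series directives and the SASL DN form uid=<user>,cn=<realm>,cn=<mech>,cn=auth that 2.1 shipped with; the realm EXAMPLE.COM, the suffix dc=example,dc=com, the OU ou=people and the user uid=abrock are made up for illustration. The exact spelling and case of the realm and mechanism components that slapd produces should be checked against the authzdn line that `slapd -d` prints (as in the log excerpt quoted above) before relying on the pattern.

```conf
# Added example slapd.conf fragment (not from the message above or from the
# OpenLDAP distribution). Assumes OpenLDAP 2.1-series directives and the
# 2.1 SASL DN form  uid=<user>,cn=<realm>,cn=<mech>,cn=auth.
# Realm, suffix, OU and user names are invented for illustration.

# Default realm for the case in the message where SASL reports realm="".
# A properly configured Cyrus SASL / Kerberos setup fills this in by itself.
sasl-realm      EXAMPLE.COM

# Map the SASL identity of a GSSAPI bind onto the user's directory entry so
# that "self" in the ACLs below covers it. Realm and mechanism are pinned,
# not wildcarded: a pattern like  uid=(.*),cn=.*,cn=auth  would let a
# principal from any realm, or authenticated by any mechanism, claim the
# entry uid=$1. Continuation lines start with whitespace, as slapd.conf
# requires.
sasl-regexp
    uid=([^,]+),cn=EXAMPLE\.COM,cn=gssapi,cn=auth
    uid=$1,ou=people,dc=example,dc=com

# Alternative: search for the entry instead of constructing its DN. The
# search must return exactly one entry, otherwise the mapping fails and the
# bind keeps its unmapped SASL DN.
# sasl-regexp
#     uid=([^,]+),cn=EXAMPLE\.COM,cn=gssapi,cn=auth
#     ldap:///ou=people,dc=example,dc=com??sub?(uid=$1)

# With the mapping in place, "self" for a Kerberos bind by abrock@EXAMPLE.COM
# is uid=abrock,ou=people,dc=example,dc=com.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

access to dn.subtree="ou=people,dc=example,dc=com"
        by self write
        by users read
        by * none

# A SASL DN can also be named directly in an ACL, as the reply says. This
# only matches identities the sasl-regexp above did not rewrite, here a
# principal from a second, unmapped realm. dn.exact is used so the value is
# compared literally rather than as a regular expression.
access to dn.subtree="ou=admin-tools,dc=example,dc=com"
        by dn.exact="uid=abrock,cn=ADMIN.EXAMPLE.COM,cn=gssapi,cn=auth" write
        by * none
```

Once a sasl-regexp rewrites a bind, ACLs see only the mapped DN; an entry in the directory and the SASL identity that maps to it are then the same principal for access-control purposes, which is exactly why the realm and mechanism in the pattern must not be left as wildcards.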