
RE: can I use a kerberos ticket with ldapsearch (and ldap libraries)

On Thu, 2002-04-18 at 07:23, Howard Chu wrote:

> The rootpw config has nothing to do with SASL. In the 2.0.x release the only
> valid DNs for a SASL bind are of the form "uid=<username> + realm=<realm>"
> If you want "ldapadmin@REALM" to be treated as your server root then you
> need to
> configure
> 	rootdn	"uid=ldapadmin + realm=REALM"

Followup question.  Since the userPassword field is obviously bogus
(unused) since we don't do a simple bind, how do I configure OpenLDAP to
only allow certain principals to bind as an arbitrary user?  I read
something a while back about an attribute that could specify multiple
principals, but it used a now deprecated ObjectClass.  Basically can I
do something that's the same effect as .k5login on binding to ldap?  Do
I need to do special things in my LDAP acls?  (I imagine so.)

Thanks so much. Appreciate your patience!


> On a SASL bind your rootpw is irrelevant, since SASL will perform the
> authentication using your kerberos ticket.
>   -- Howard Chu
>   Chief Architect, Symas Corp.       Director, Highland Sun
>   http://www.symas.com               http://highlandsun.com/hyc
>   Symas: Premier OpenSource Development and Support
Public key available from http://students.cs.byu.edu/~torriem
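The rootdn form Howard describes above, written out as a slapd.conf fragment. This is an added example, not configuration posted in the thread: the realm name EXAMPLE.COM and the uid values are placeholders, and the ACL that follows the rootdn line is an assumption about how a non-root principal would be granted access under the 2.0.x "by dn=<regex>" syntax, so the pattern must match the exact DN form the server derives from the SASL identity.

```conf
# Added example slapd.conf fragment (not from the original post).
# EXAMPLE.COM and the uid values are placeholders; substitute your own.

# With a SASL (Kerberos) bind the authenticated identity is a DN of the
# form "uid=<username> + realm=<realm>", so the rootdn must use that form
# for the ldapadmin principal to be treated as the server root.
rootdn  "uid=ldapadmin + realm=EXAMPLE.COM"

# No rootpw is set: it only matters for a simple bind, and the SASL bind
# authenticates with the Kerberos ticket instead.

# Assumption: a second principal is given write access through an ACL
# keyed on its SASL-derived DN. In 2.0.x "by dn=" takes a regular
# expression, hence the escaped '+' and '.' and the anchors.
access to *
        by dn="^uid=alice \+ realm=EXAMPLE\.COM$" write
        by * read
```

The ACL grants write only to the one listed principal and leaves everyone else read-only; any principal not named by rootdn or an ACL can still authenticate over SASL but gets no more than the default access.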
