RE: Changes 2.0.x -> 2.1.x
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Harry Ruter
> Hi List,
> I'm trying to find out,
> if I can migrate my 2.0.25-server to the
> new version 2.1.2.
> I now want to use the SASL-enhancements in 2.1.2.
> First, my environment :
> Suse LINUX 7.1, Kernel 2.4.18
> MIT Kerberos 1.2.5
> CYRUS SASL 1.5.27
Cyrus SASL 1.5.27 is very buggy. GSSAPI support is not usable without
I sent the patches to the Cyrus folks but there will not be any more 1.5
so those patches will likely never see the light of day.
> I noticed some differences.
> In 2.0.25 I use the following entry in slapd.conf:
> updatedn "uid=ldapreplicator\+realm=HRNET.DE"
> Now, 2.1.2 doesn't like this anymore and shows an
> error message: "line 49: updatedn DN is invalid"
> So I tried out the following :
> Is this correct, does it mean the same?
Yes, that looks correct.
> By the way, the documentation doesn't tell too much about
> this kind of "authentication"-syntax.
> Would the keywords "SASL", "KERBEROS_V4" and "KERBEROS_V5" be
> correct instead of "GSSAPI"?
No. SASL can only use Kerberos 5 thru GSSAPI. "SASL" is not a
SASL mechanism name. "KERBEROS_V4" is the correct mechanism name for Kerberos
> In the access-statements I use the following syntax
> in 2.0.25 :
> access to attr=uid
> by dn="uid=ldapreplicator.\+realm=HRNET.DE" write
> by dn="uid=admin,dc=hrnet,dc=de" read
> by anonymous search
> by * none
> Is this okay, or do I have to use another syntax
> (because the updatedn-syntax changed)?
The SASL Authentication DN syntax has changed. Anywhere you would specify the
of a SASL ID is affected by this change - updatedn, rootdn, DNs in ACLs,
> I think of another way :
> ldapreplicator@HRNET.DE exists as principal in
> Now, let's say "ldapreplicator" would be in the "dit" as
> If I would try to authenticate via KERBEROS I could use
> the new saslRegexp this way :
No. "KERBEROS_V5" is not a valid SASL mechanism name. Use "GSSAPI".
> If I'd like to authenticate via SASL I would
> change "cn=KERBEROS_V5" to "cn=SASL"?
No. "SASL" is not a valid SASL mechanism name.
> Generally, is there more documentation about
> SASL,GSSAPI etc as in chapter 9 of the
> "Administrator's guide ..." and if so, where can I find it?
There are new updates to the Administrator's guide that will be released
I believe 2.1.3 will be released soon and the Admin Guide updates will be
available then, with documentation for all of these features.
> greets to the list
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
Symas: Premier OpenSource Development and Support
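
As an added example (not part of the original thread and not OpenLDAP code): a small Python helper that scans slapd.conf text for the 2.0-style SASL identities quoted above (`uid=<user>\+realm=<REALM>`), wherever they occur (updatedn, rootdn, ACL `by dn=` clauses), and proposes a replacement, so that ACL entries do not silently stop matching after the upgrade. The target form `uid=<user>,cn=<realm>,cn=<mech>,cn=auth` is an assumption taken from the OpenLDAP 2.1 Administrator's Guide, not from this message; the function names and the sample config are constructed.

```python
import re

# 2.0-style SASL identity as quoted in the thread: uid=<user>\+realm=<REALM>
# (the backslash before '+' is treated as optional).
OLD_SASL_DN = re.compile(r'uid=([^,"+\\\s]+)\\?\+realm=([^,"\s]+)', re.I)

def to_21_dn(user, realm, mech="GSSAPI"):
    # Assumed 2.1 form (Admin Guide): uid=<user>,cn=<realm>,cn=<mech>,cn=auth
    return f"uid={user},cn={realm},cn={mech},cn=auth"

def migrate(conf_text, mech="GSSAPI"):
    """Rewrite 2.0-style SASL DNs; return (new_text, findings).

    findings is a list of (line_number, old_dn, new_dn) so every change
    to updatedn/rootdn/ACL lines can be reviewed before it is applied.
    """
    out, findings = [], []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith("#"):      # leave comments untouched
            out.append(line)
            continue

        def repl(m, lineno=lineno):
            new = to_21_dn(m.group(1), m.group(2), mech)
            findings.append((lineno, m.group(0), new))
            return new

        out.append(OLD_SASL_DN.sub(repl, line))
    return "\n".join(out), findings

# Constructed sample modelled on the directives quoted in the thread.
SAMPLE = "\n".join([
    r'updatedn "uid=ldapreplicator\+realm=HRNET.DE"',
    r'access to attr=uid',
    r'    by dn="uid=ldapreplicator\+realm=HRNET.DE" write',
    r'    by dn="uid=admin,dc=hrnet,dc=de" read',
    r'    by anonymous search',
    r'    by * none',
])

if __name__ == "__main__":
    new_text, findings = migrate(SAMPLE)
    for lineno, old, new in findings:
        print(f"line {lineno}: {old}  ->  {new}")
    print(new_text)
```

Ordinary directory DNs such as `uid=admin,dc=hrnet,dc=de` are left alone; only identities carrying a `realm=` component are reported.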