
Re: Changes 2.0.x -> 2.1.x
Hi,

thanks for the quick answer :o)

Howard Chu wrote:
> 
> > -----Original Message-----
> > From: owner-openldap-software@OpenLDAP.org
> > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Harry Ruter
> 
> > Hi List,
> >
> > I'm trying to find out
> > if I can migrate my 2.0.25 server to the
> > new version 2.1.2.
> >
> > I now want to use the SASL-enhancements in 2.1.2.
> >
> > First, my environment :
> >
> > Suse LINUX 7.1, Kernel 2.4.18
> > MIT Kerberos 1.2.5
> > CYRUS SASL 1.5.27
> 
> Cyrus SASL 1.5.27 is very buggy. GSSAPI support is not usable without
> patches. I sent the patches to the Cyrus folks but there will not be any
> more 1.5 releases, so those patches will likely never see the light of day.

So should I use another CYRUS-SASL implementation?
Can you publish the patches somewhere, or are they already published?

> > I noticed some differences.
> >
> > In 2.0.25 i use the following entry in slapd.conf:
> >
> > updatedn   "uid=ldapreplicator\+realm=HRNET.DE"
> >
> > Now, 2.1.2 doesn't like this anymore and shows an
> > error message: "line 49: updatedn DN is invalid"
> >
> > So I tried out the following:
> >
> > updatedn
> > "uid=ldapreplicator,cn=HRNET.DE,cn=GSSAPI,cn=auth"
> >
> > Is this correct, does it mean the same?
> 
> Yes, that looks correct.
> >
> > By the way, the documentation doesn't tell too much about
> > this kind of "authentication" syntax.
> >
> > Would the keywords "SASL", "KERBEROS_V4" and "KERBEROS_V5" be
> > correct instead of "GSSAPI"?
> 
> No. SASL can only use Kerberos 5 through GSSAPI. "SASL" is not a
> SASL mechanism name. "KERBEROS_V4" is the correct mechanism name for
> Kerberos 4.

That's what i wanted to hear ...

> >
> > In the access statements I use the following syntax
> > in 2.0.25:
> >
> > access to attr=uid
> >    by dn="uid=ldapreplicator.\+realm=HRNET.DE" write
> >    by dn="uid=admin,dc=hrnet,dc=de" read
> >    by anonymous search
> >    by * none
> >
> > Is this okay, or do I have to use another syntax
> > (because the updatedn syntax changed)?
> 
> The SASL Authentication DN syntax has changed. Anywhere you would specify
> the DN of a SASL ID is affected by this change - updatedn, rootdn, DNs in
> ACLs, etc...

Yes, but the old fashion is not rejected in
access statements. Can both syntaxes "live" together
(accidentally)?

> >
> > I think of another way:
> >
> > ldapreplicator@HRNET.DE exists as principal in
> > KERBEROS-V.
> >
> > Now, let's say "ldapreplicator" would be in the "dit" as
> > "uid=ldapreplicator,cn=hrnet,cn=de".
> >
> > If I would try to authenticate via KERBEROS I could use
> > the new saslRegexp this way:
> >
> > saslRegexp
> >   uid=ldapreplicator,cn=hrnet.de,cn=KERBEROS_V5,cn=auth
> >   uid=ldapreplicator,cn=hrnet,cn=de
> 
> No. "KERBEROS_V5" is not a valid SASL mechanism name. Use "GSSAPI".

ok

> > If I'd like to authenticate via SASL I would
> > change "cn=KERBEROS_V5" to "cn=SASL"?
> 
> No. "SASL" is not a valid SASL mechanism name.

ok

> >
> > Generally, is there more documentation about
> > SASL, GSSAPI etc. than in chapter 9 of the
> > "Administrator's guide ...", and if so, where can I find it?
> 
> There are new updates to the Administrator's guide that will be released
> soon. I believe 2.1.3 will be released soon and the Admin Guide updates
> will be available then, with documentation for all of these features.

Huh, I'm really longing for it :o)
Hope it will wipe out the things I don't understand ...

> >
> > greets to the list
> >
> > Harry
> 
>   -- Howard Chu

greets Harry
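The two DN forms discussed in this thread, worked through in Python as an added illustration (this is not OpenLDAP code and not something from the thread): it builds the 2.1-style SASL authentication DN, applies a saslRegexp-style rule to map it onto a DIT entry, and shows that an ACL by-clause still written in the old `\+realm=` form no longer matches the bound DN. The regex-plus-`$1` substitution and case-insensitive match imitate saslRegexp; the whole-DN string comparison for `by dn=` is a simplifying assumption.

```python
import re

# Constructed illustration of the OpenLDAP 2.1 SASL authentication DN form
# uid=<authcid>,cn=<realm>,cn=<mechanism>,cn=auth and of a saslRegexp-style
# mapping onto the DIT. Not OpenLDAP's code: the regex handling only mimics
# saslRegexp (POSIX regex against the auth DN, $1..$9 substituted into the
# replacement, matched case-insensitively) closely enough to show the mapping.


def sasl_auth_dn(authcid, mech, realm=None):
    """Build the 2.1-style SASL authentication DN for a SASL identity."""
    parts = [f"uid={authcid}"]
    if realm:  # the realm component is present for realm-aware mechanisms
        parts.append(f"cn={realm}")
    parts += [f"cn={mech}", "cn=auth"]
    return ",".join(parts)


def apply_sasl_regexp(auth_dn, rules):
    """Apply (pattern, replacement) rules in order; first match wins.
    If no rule matches, the identity stays in the cn=auth namespace."""
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, auth_dn, re.IGNORECASE)
        if m:
            # $1..$9 in the replacement refer to the captured groups
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return auth_dn


def acl_dn_matches(by_dn, bound_dn):
    """Simplified 'by dn="..."' check: the whole bound DN must match
    (assumption for this illustration; case-insensitive like DN comparison)."""
    return by_dn.lower() == bound_dn.lower()


# Constructed rule, in the spirit of the saslRegexp quoted in the thread:
# map the GSSAPI identity for realm HRNET.DE onto its entry in the DIT.
RULES = [
    (r"uid=([^,]+),cn=hrnet\.de,cn=gssapi,cn=auth", "uid=$1,cn=hrnet,cn=de"),
]

if __name__ == "__main__":
    bound = sasl_auth_dn("ldapreplicator", "GSSAPI", "HRNET.DE")
    print(bound)                                   # 2.1-style auth DN
    print(apply_sasl_regexp(bound, RULES))         # mapped DIT entry
    # The 2.0-era ACL spelling no longer matches what 2.1 binds as:
    print(acl_dn_matches(r"uid=ldapreplicator\+realm=HRNET.DE", bound))
```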