Re: Anonymously binding despite '-U ....' to ldapsearch

[Turbo Fredriksson <turbo@bayour.com>]

>>>>> "Howard" == Howard Chu <hyc@highlandsun.com> writes:

    Howard> I suppose it would be too obvious to presume that your
    Howard> users in different parts of your tree are also using
    Howard> different Kerberos realms.

You wish! :) I've thought about it, but multiple realms on the same
host sounded to complex for 100 users (system will NEVER be bigger
than perhaps 500 users)...

    Howard> If they aren't in unique realms, you have a problem,
    Howard> because you would be mapping names from a single Kerberos
    Howard> namespace into multiple LDAP namespaces, and you have no
    Howard> way to resolve the conflict if the same uid appears in
    Howard> multiple LDAP DNs.

Hmm... That's a problem I've been thinking about for a while now.
I have three 'Peter <something>' on the system, and they all like
to have 'peter' as login, but "naturaly" only one can (my brother :).

Is there any (easy) way to have multiple realms in the same database
(don't want different ports and such)?

    Howard> With only a single Kerberos realm, you can do

    Howard> sasl-regexp uid=(.*),cn=bayour.com,cn=gssapi,cn=auth
    Howard> ldap:///dc=com??sub?(uid=$1)

But that REQUIRE that the user exists (?). Maybe is a good thing, but
my first attempt (directly mapping to where I'm located in the tree)
works even if I don't have a object...

Oki, that regexp works fine. Thanx... Now all I have to do is really
stresstest it more, and maybe I can replace my OpenLDAP 2.0 production
servers eventually :)

-- 
Qaddafi Ortega DES explosion domestic disruption Soviet Cuba
fissionable tritium cracking Saddam Hussein Rule Psix class struggle
genetic North Korea
[See http://www.aclu.org/echelonwatch/index.html for more about this]