[Date Prev][Date Next]
RE: Anonymously binding despite '-U ....' to ldapsearch
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Turbo Fredriksson
> Is there any (easy) way to have multiple realms in the same database
> (don't want different ports and such)?
Sure. The Heimdal database can record principals from any number of realms.
In Kerberos 5 the realm name the client wants is part of the authentication
handshake, so the KDC can distinguish them easily enough. (Kerberos 4 would
be a problem.)
> Howard> With only a single Kerberos realm, you can do
> Howard> sasl-regexp uid=(.*),cn=bayour.com,cn=gssapi,cn=auth
> Howard> ldap:///dc=com??sub?(uid=$1)
> But that REQUIRE that the user exists (?). Maybe is a good thing, but
> my first attempt (directly mapping to where I'm located in the tree)
> works even if I don't have a object...
Yes. It also actually executes a search, which may be slow, while the direct
mapping is fast. Of course, if you have uid indexed, and you only expect
about 100-500 users anyway, I'm sure it will be fast enough either way.
> Oki, that regexp works fine. Thanx... Now all I have to do is really
> stresstest it more, and maybe I can replace my OpenLDAP 2.0 production
> servers eventually :)
The 2.1 servers stand up to quite a lot more load than the 2.0 servers...
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
Symas: Premier OpenSource Development and Support