Re: ACL/ACI && SASL
Turbo Fredriksson wrote:
> "Quanah" == Quanah Gibson-Mount <firstname.lastname@example.org> writes:
> Quanah> Kerberos V5 extensively, and make use of krb5PrincipalName
> Quanah> to do the mappings you are talking about, which indeed
> Quanah> allows us to have more flexible ACLs.
> Could you give me some ACL/ACI examples on how you have set it up?
We do exactly the same. You need to use a saslRegexp to translate the
Kerberos SASL identity into an LDAP username - we use:
saslRegexp uid=(.*),cn=(.*),cn=GSSAPI,cn=auth \
(We're storing a user's Kerberos principal in the krbName attribute)
> Quanah> I will note that for the servers, you will want to compile
> Quanah> them against Heimdal K5 and NOT MIT Kerberos V5 if you are
> Quanah> using threads, as your servers will not be stable
> Quanah> otherwise. ;) For clients, it doesn't really matter too
We've patched Cyrus SASL 1.x locally to add support for a mutex around
GSSAPI operations. Providing that _every_ GSSAPI operation is mutex
protected, slapd seems to run fine with MIT Kerberos. I'm happy to make
the patch available to anyone who's interested.
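As an added illustration (not code from this thread or from OpenLDAP), a small Python model of the mapping step a saslRegexp rule performs: it applies the pattern quoted above to the GSSAPI identity slapd builds, rejects realms that are not trusted, and produces a krbName search URL. The base DN, the allowed-realm list and the filter escaping are assumptions for this example; the replacement half of the poster's rule is not on the page.

```python
import re

# The match half of the rule quoted in the post: slapd presents a GSSAPI
# bind as uid=<principal>,cn=<realm>,cn=GSSAPI,cn=auth.
SASL_ID_RE = re.compile(r"^uid=(.*),cn=(.*),cn=GSSAPI,cn=auth$")

# Assumptions for this example only: where user entries live and which
# Kerberos realms we accept identities from.
BASE_DN = "ou=People,dc=example,dc=org"
ALLOWED_REALMS = {"EXAMPLE.ORG"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515),
    so a principal containing '*', '(' or ')' cannot widen the search."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def map_sasl_identity(sasl_id: str):
    """Translate a GSSAPI SASL identity into an LDAP search URL, the way
    a saslRegexp rule would.  Returns None when the identity does not
    match the GSSAPI form or the realm is not one we trust."""
    m = SASL_ID_RE.match(sasl_id)
    if not m:
        return None
    user, realm = m.group(1), m.group(2)
    if realm.upper() not in ALLOWED_REALMS:
        return None
    # krbName holds the full principal (user@REALM) in the poster's setup.
    principal = escape_filter_value(f"{user}@{realm}")
    return f"ldap:///{BASE_DN}??sub?(krbName={principal})"


if __name__ == "__main__":
    # Constructed sample identities.
    for ident in ("uid=turbo,cn=EXAMPLE.ORG,cn=GSSAPI,cn=auth",
                  "uid=turbo,cn=OTHER.ORG,cn=GSSAPI,cn=auth",
                  "uid=turbo,cn=EXAMPLE.ORG,cn=DIGEST-MD5,cn=auth"):
        print(ident, "->", map_sasl_identity(ident))
```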