Re: ACL/ACI && SASL



Turbo Fredriksson wrote:
"Quanah" == Quanah Gibson-Mount <quanah@stanford.edu> writes:
    Quanah> We use
    Quanah> Kerberos V5 extensively, and make use of krb5PrincipalName
    Quanah> to do the mappings you are talking about, which indeed
    Quanah> allows us to have more flexible ACL's.

Could you give me some ACL/ACI examples on how you have set it up?

We do exactly the same. You need to use a saslregexp to translate the Kerberos SASL identity into an LDAP username - we use:
saslRegexp uid=(.*),cn=(.*),cn=GSSAPI,cn=auth \
    ldap:///dc=inf,dc=ed,dc=ac,dc=uk??sub?krbName=$1@$2

(We're storing a user's Kerberos principal in the krbName attribute)

    Quanah> I will note that for the servers, you will want to compile
    Quanah> them against Heimdal K5 and NOT MIT Kerberos V5 if you are
    Quanah> using threads, as your servers will not be stable
    Quanah> otherwise. ;) For clients, it doesn't really matter too
    Quanah> much.

We've patched Cyrus SASL 1.x locally to add support for a mutex around GSSAPI operations. Providing that _every_ GSSAPI operation is mutex protected, slapd seems to run fine with MIT Kerberos. I'm happy to make the patch available to anyone who's interested.
Cheers,

Simon.
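As an added illustration (not code from this list or from OpenLDAP), here is a small Python model of what the saslRegexp line above does: it matches the GSSAPI SASL identity, substitutes the captured uid and realm into the LDAP URL, and splits that URL into the base, scope and filter slapd would search with. It assumes whole-identity matching and applies RFC 4515 filter escaping to the substituted groups; neither is stated in the message, so check both against the slapd version in use.

```python
import re
from typing import Optional, Dict

# The saslRegexp pattern and LDAP URL quoted in the message.
SASL_REGEXP = r"uid=(.*),cn=(.*),cn=GSSAPI,cn=auth"
LDAP_URL_TEMPLATE = "ldap:///dc=inf,dc=ed,dc=ac,dc=uk??sub?krbName=$1@$2"


def escape_filter_value(value: str) -> str:
    """Escape RFC 4515 filter metacharacters so a substituted SASL identity
    component cannot alter the structure of the krbName search filter.
    (Defensive choice in this example; the message does not say whether
    slapd escapes substitutions itself.)"""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def map_sasl_identity(authcid: str,
                      regexp: str = SASL_REGEXP,
                      template: str = LDAP_URL_TEMPLATE) -> Optional[Dict[str, str]]:
    """Return the search base/scope/filter derived from a SASL identity,
    or None if the identity does not match the regexp.
    Assumption: the regexp must match the whole identity (fullmatch)."""
    m = re.fullmatch(regexp, authcid)
    if m is None:
        return None

    def subst(ref: "re.Match[str]") -> str:
        # $1, $2 ... refer to the regexp's capture groups.
        return escape_filter_value(m.group(int(ref.group(1))))

    url = re.sub(r"\$(\d+)", subst, template)
    # LDAP URL layout: ldap:///<base>?<attrs>?<scope>?<filter>
    base, attrs, scope, flt = url[len("ldap:///"):].split("?", 3)
    return {"base": base, "scope": scope, "filter": "(%s)" % flt, "url": url}


if __name__ == "__main__":
    # Constructed identity for a user 'simon' in realm INF.ED.AC.UK.
    print(map_sasl_identity("uid=simon,cn=INF.ED.AC.UK,cn=GSSAPI,cn=auth"))
```

Note that the greedy `(.*)` groups mean an identity whose uid part itself contains `,cn=` is still accepted, with the extra component absorbed into `$1`; the test below shows that case so the behaviour is visible rather than surprising.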