Kent Soper <dksoper@us.ibm.com> writes:

> Dieter Kluenter writes:
>> Hello,
>> "Milind Khandekar" <MKhandekar@savi.com> writes:
>> SASL username is read from the certificate and then parsed against an
>> entry, so make sure that the distinguished names are equal.
>> -Dieter
> I probably have a simple setup for my slapd, but the DN of the certificate
> does not have to be parsed to match an entry in my directory.  If the client
> cert can be verified by the server, the client is authenticated.  If a bad
> client cert is used, the client is not authenticated.  I didn't even have a
> sasl-regexp in my slapd.conf to get it to work.  However, Kurt Zeilenga did
> suggest to me that I would need to do some mapping of the DNs.

That is in principle correct, you don't need a certificate DN that
matches an entry, but if you have ACLs that require a specific DN, such as

access to dn.subtree=cn=Monitor
        by dn.exact="cn=dieter kluenter,ou=partner,o=avci,c=de" write

then the SASL username has to be parsed to a DN.
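For readers who want to see how the two pieces fit together, here is an added slapd.conf fragment (my own illustration, not configuration posted by anyone in this thread). It assumes OpenLDAP is configured for SASL EXTERNAL over TLS, that the SASL username slapd derives from the client certificate is the subject DN written in LDAP order (cn=dieter kluenter,ou=partner,o=avci,c=de), that the matching directory entry lives under ou=partner,o=avci,c=de, and that the sasl-regexp directive named in the thread is available (later releases spell it authz-regexp). The certificate file paths are placeholders.

```conf
# Added example, not from the thread. Placeholder file paths.
TLSCACertificateFile    /etc/openldap/cacert.pem
TLSCertificateFile      /etc/openldap/servercrt.pem
TLSCertificateKeyFile   /etc/openldap/serverkey.pem

# Only clients presenting a certificate that chains to the CA above are
# allowed to negotiate TLS at all; SASL EXTERNAL then takes the verified
# subject as the authentication identity.
TLSVerifyClient         demand

# Map the SASL username (assumed to be the certificate subject DN) onto the
# directory entry that the ACLs refer to. The regexp captures the cn value
# and the LDAP URL searches for exactly one entry with that cn under the
# partner subtree; if the search returns no entry or more than one, the
# mapping fails and the bind gets no authorization DN.
sasl-regexp
    "^cn=([^,]+),ou=partner,o=avci,c=de$"
    "ldap:///ou=partner,o=avci,c=de??sub?(cn=$1)"

# With the mapping in place, the ACL quoted in the message applies to the
# partner that authenticated with the certificate.
access to dn.subtree="cn=Monitor"
        by dn.exact="cn=dieter kluenter,ou=partner,o=avci,c=de" write
        by * read
```

A quick way to confirm the mapping is `ldapwhoami -Y EXTERNAL -ZZ` with the client certificate configured in ldap.conf or ldaprc: it should print `dn:cn=dieter kluenter,ou=partner,o=avci,c=de`, the entry's own DN, rather than the raw certificate subject. If it prints the subject unchanged, the regexp did not match and the ACL will not grant write access.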

