

My config:
OpenLDAP 2.2.15, compiled from source
SASL/GSSAPI is functional

My problem:  I am looking to configure SyncRepl replication, using
GSSAPI for authentication.  In doing so, I have a couple (hopefully)
quick SASL + ACL questions:

1) Do I have to map (sasl-regexp) my SASL DN
(uid=ldaprep/myldap.uconn.edu,cn=uconn.edu,cn=gssapi,cn=auth) to a local
DN (uid=ldaprep,ou=accounts,dc=uconn,dc=edu) to use in ACLs, or can I
simply use uid=ldaprep/myldap.uconn.edu,cn=uconn.edu,cn=gssapi,cn=auth
in the "by" clause of an ACL?

2)  In relation to #1, if I want to use a "by group=" clause as follows:

by group="cn=DirectoryReplicators,ou=groups,dc=uconn,dc=edu" read

can I simply add
uid=ldaprep/myldap.uconn.edu,cn=uconn.edu,cn=gssapi,cn=auth as a member
of DirectoryReplicators, or do I have to map (sasl-regexp) to a local DN,
and add that DN as a member?

I do see many examples on the web where replication with GSSAPI authn is
configured, using sasl-regexp to map the SASL DN to a local DN, but I
would like to avoid the extra local DN and mapping if possible to reduce
the (admittedly minor) complexity.

Any insight is greatly appreciated!  If any clarification is needed,
please ask.

Matthew J. Smith <matt.smith@uconn.edu>
University of Connecticut ITS
PGP Key: http://web.uconn.edu/dotmatt/matt.asc
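
As an added example (not part of Matthew's message and not taken from the OpenLDAP documentation), the slapd.conf fragment below writes out the two configurations the question compares, for the provider side of the replication. The host name, the SASL DN, the local DN and the group DN are the ones given in the message; the regexp, the ou=accounts subtree, the group's objectClass and the ACL scope ("access to *") are assumptions for illustration.

```conf
# Option A: use the SASL-derived DN directly in the ACL.
# The cn=auth DN slapd derives from a GSSAPI bind is an ordinary DN string,
# so it can appear verbatim in a "by dn.exact=" clause with no mapping.
access to *
    by dn.exact="uid=ldaprep/myldap.uconn.edu,cn=uconn.edu,cn=gssapi,cn=auth" read
    by * none

# Option A, group form: the group entry carries the same cn=auth DN as a
# member value. Assumption: slapd compares member values as DNs, so no
# local entry for the SASL DN is needed; verify on your build (see below).
#
#   dn: cn=DirectoryReplicators,ou=groups,dc=uconn,dc=edu
#   objectClass: groupOfNames
#   cn: DirectoryReplicators
#   member: uid=ldaprep/myldap.uconn.edu,cn=uconn.edu,cn=gssapi,cn=auth
#
access to *
    by group/groupOfNames/member="cn=DirectoryReplicators,ou=groups,dc=uconn,dc=edu" read
    by * none

# Option B: map the SASL DN to a local entry first (the pattern the web
# examples use). The regexp drops the instance part of the principal
# (ldaprep/myldap.uconn.edu -> ldaprep), so the bind ends up as
# uid=ldaprep,ou=accounts,dc=uconn,dc=edu. Assumption: that entry exists.
sasl-regexp
    uid=([^/]+)/[^,]*,cn=uconn.edu,cn=gssapi,cn=auth
    uid=$1,ou=accounts,dc=uconn,dc=edu

access to *
    by dn.exact="uid=ldaprep,ou=accounts,dc=uconn,dc=edu" read
    by * none
```

Only one of the alternatives should be present in a real configuration: slapd evaluates "access to" directives in order and uses the first one whose target clause matches the entry, so stacking all three "access to *" stanzas would leave only the first one active. Before committing to either form, check which DN the server actually derives from the GSSAPI bind, since that is the string the ACL or the group member value has to match: after a kinit as the ldaprep principal, `ldapwhoami -Y GSSAPI -H ldap://myldap.uconn.edu` prints the bound DN (the cn=auth form with no sasl-regexp, the mapped local DN once the regexp is in place).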
