Re: SASL & ACLs
--On Tuesday, August 17, 2004 2:46 PM -0400 "Matthew J. Smith"
>> No. It's recommended that all your SASL DNs be mapped to existing
>> entries in your directory, but it's not required. The SASL DN is still a
>> legal DN after all. If you understand what you're doing, go ahead and
>
> Thank you both for your answers so far -- I have found posts by you two
> dating back to ~2000 very helpful.
>
> So, to follow up -- assuming I do not want to map the DN if it is
> possible. Will a group ACL (by group="...") referencing a group
> containing the unmapped SASL DN as a member be properly resolved and
> applied, or does the mapping need to be done for this resolution to
Hm, well, I've never tested that, but since it is a valid DN, and the group
membership for a static group is by DN, I'd assume it would work.
This gets off into an interesting side-bar on group memberships in general
though, if one ponders things like automatic addition of "memberOf"
attributes to DNs when they are added to groups -- what do you do if the
DN doesn't exist in the DB as an entry, because it is being done in this
In my dev environment, I do use a group for syncRepl, but the DNs also
exist in the DB in my case. My intention was to use this as a way of
keeping my environments from accidentally talking to the wrong master if
they got configured wrong.
Principal Software Developer
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
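For readers who want to try the two configurations the thread is weighing, here is a constructed slapd.conf excerpt and matching group entry. It is an added illustration, not configuration posted by either participant, and the DNs, group name and realm in it (dc=example,dc=com, cn=replicators, repl-host1) are invented. Option A puts the unmapped SASL DN (the cn=auth form slapd synthesises after a SASL bind) straight into the group, which is the untested-but-expected-to-work case Quanah describes; option B maps it onto a real entry with authz-regexp and puts that entry in the group instead.

```text
# --- slapd.conf (excerpt) ---
#
# After a successful DIGEST-MD5 bind with no mapping in place, slapd uses
# a synthesised identity of the form
#     uid=repl-host1,cn=digest-md5,cn=auth
# (a GSSAPI identity looks like uid=repl-host1,cn=EXAMPLE.COM,cn=gssapi,cn=auth).
# No entry with that DN exists in the DIT; it is only the bind identity.

# Option A: no authz-regexp. The SASL DN above is used as-is by the
# group ACL below, so it must appear literally as a member value.

# Option B: map the SASL DN onto a real entry. Uncomment to switch.
# authz-regexp
#     "uid=([^,]+),cn=digest-md5,cn=auth"
#     "uid=$1,ou=replicas,dc=example,dc=com"

# Group-based ACL granting read access to the replication consumer.
# by group="<dn>" defaults to objectClass groupOfNames / attribute member;
# slapd reads the group entry and compares the authenticated DN against
# each member value, whether or not that DN has an entry of its own.
access to dn.subtree="dc=example,dc=com"
        by group.exact="cn=replicators,ou=groups,dc=example,dc=com" read
        by * none

# --- cn=replicators (LDIF, constructed) ---
dn: cn=replicators,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: replicators
# Option A member: the unmapped SASL DN itself.
member: uid=repl-host1,cn=digest-md5,cn=auth
# Option B member: the entry the authz-regexp above maps to.
member: uid=repl-host1,ou=replicas,dc=example,dc=com
```

To check which identity the ACL is actually evaluating, bind with the SASL credentials and ask for the authorization identity (for example with ldapwhoami): the DN it returns is the one that has to match a member value. On the memberOf side-bar raised above, option A gives any overlay that writes memberOf back onto member entries nothing to write to, since uid=repl-host1,cn=digest-md5,cn=auth has no entry; how a given overlay handles such a dangling member is outside what this thread covers and should be confirmed against the version in use.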