
Re: Kerberos and simple binds using same password database?



Quoting Aleksandar Milivojevic <amilivojevic@pbl.ca>:

> Ah, of course.  It was all in the man page ;-)
>
> Reading and understanding sometimes makes things work ;-)

He! Yeah, 'the list' keeps telling me that all the time. Too bad it's
so boring! :)

> Among user's attributes (I was missing krb5PrincipalName that search
> in sasl-regexp looks for):
>
> userPassword: {SASL}username@EXAMPLE.COM
> krb5PrincipalName: username@EXAMPLE.COM

Well, this was my initial design 'a long time ago' when slapd wasn't as
evolved as it is now (and sasl-regexp didn't exist). But, from the top
of my head, you SHOULD be able to do without the 'krb5PrincipalName'
and its object class...

Something like this should do it (also look at the rest of the thread -
the sasl-regexp is case insensitive):

sasl-regexp
 uid=(.*),cn=(.*),cn=gssapi,cn=auth
 ldap:///ou=accts,dc=example,dc=com??sub(userPassword=\{SASL\}$1@$2)

This will support your multiple realms (as long as domain and realm
match!)

Hm, no it wouldn't - unless you find a way to extract 'example' and 'com'
as two separate entities (for use instead of 'dc=example,dc=com'). I
know it's possible to do this (I've seen it done), but I have no
idea how to do it...
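An added illustration (my own Python model, not code from the thread or from slapd) of what the sasl-regexp above does: the GSSAPI authorization id `uid=<user>,cn=<REALM>,cn=gssapi,cn=auth` is matched case-insensitively, `$1`/`$2` are substituted into the search URL, and the resulting filter is compared exactly against `userPassword: {SASL}user@REALM`. It goes one step beyond the post by also deriving `dc=...` components from the realm string, which is the split the message says it does not know how to express in slapd.conf; this only shows the string transformation, not a slapd directive. The directory entries are constructed sample data.

```python
import re

# The pattern from the post, matched case-insensitively as the thread says
# sasl-regexp does. Group 1 is the user, group 2 the Kerberos realm.
SASL_REGEXP = re.compile(r"^uid=(.*),cn=(.*),cn=gssapi,cn=auth$", re.IGNORECASE)

# Constructed sample directory: two accounts in two realms/domains.
DIRECTORY = [
    {"dn": "uid=jdoe,ou=accts,dc=example,dc=com",
     "userPassword": "{SASL}jdoe@EXAMPLE.COM"},
    {"dn": "uid=asmith,ou=accts,dc=other,dc=org",
     "userPassword": "{SASL}asmith@OTHER.ORG"},
]


def parse_authzid(authzid):
    """Return (user, realm) from a GSSAPI authz id, or None if it does not match."""
    m = SASL_REGEXP.match(authzid)
    return m.groups() if m else None


def realm_to_base(realm):
    """Turn a realm like 'EXAMPLE.COM' into 'dc=example,dc=com'.

    This is the realm -> domain-component split the post asks about; it assumes
    the realm name equals the DNS domain, as the post itself requires.
    """
    return ",".join("dc=%s" % label.lower() for label in realm.split("."))


def search_url(user, realm, base):
    """Build the ldap:/// search URL with $1 and $2 substituted into the filter."""
    return "ldap:///ou=accts,%s??sub(userPassword={SASL}%s@%s)" % (base, user, realm)


def resolve_dn(authzid):
    """Map an authz id to a directory DN the way the sasl-regexp search would.

    The userPassword comparison is exact (octetStringMatch), so a realm whose
    case differs from the stored value does not match.
    """
    parsed = parse_authzid(authzid)
    if parsed is None:
        return None
    user, realm = parsed
    base = realm_to_base(realm)
    wanted = "{SASL}%s@%s" % (user, realm)
    for entry in DIRECTORY:
        in_scope = entry["dn"].endswith(",ou=accts," + base)
        if in_scope and entry["userPassword"] == wanted:
            return entry["dn"]
    return None


if __name__ == "__main__":
    for authzid in ("uid=jdoe,cn=EXAMPLE.COM,cn=gssapi,cn=auth",
                    "UID=asmith,CN=OTHER.ORG,cn=GSSAPI,cn=auth",
                    "uid=jdoe,cn=example.com,cn=gssapi,cn=auth"):
        print(authzid, "->", resolve_dn(authzid))
```

The third sample id in the `__main__` block matches the regexp (the match is case-insensitive) but resolves to no entry, because the lowercase realm is substituted verbatim into the filter and compared exactly against the stored `{SASL}jdoe@EXAMPLE.COM`.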