[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: sasl UID mapping

To: Paul Jakma <paul@clubi.ie>, "'OpenLDAP list'" <openldap-software@OpenLDAP.org>
Subject: RE: sasl UID mapping
From: Quanah Gibson-Mount <quanah@stanford.edu>
Date: Sat, 17 Jan 2004 20:23:45 -0800
Content-disposition: inline
In-reply-to: <Pine.LNX.4.58.0401180324320.9620@fogarty.jakma.org>
References: <043801c3dd71$ffab3880$1801a8c0@CELLO> <Pine.LNX.4.58.0401180324320.9620@fogarty.jakma.org>

--On Sunday, January 18, 2004 3:51 AM +0000 Paul Jakma <paul@clubi.ie> wrote:

Paul,

I'm going to give you a helping hand. :)

We use GSSAPI to auth to our servers.

Here is our SASL regexp:

sasl-regexp uid=(.*),cn=(.*),cn=gssapi,cn=auth ldaps:///cn=People,dc=stanford,dc=edu??sub?krb5PrincipalName=$1@$2

Here's the beginning of our ACL file that allows this to happen without given read access:

# $Id: slapd.acl,v 1.124 2003/12/18 03:16:42 quanah Exp $
# ACL include file for slapd
#

access to dn.base=""
       by * read

access to dn.base="cn=monitor"
       by * read

access to * by group.base="cn=ldapAdmin,cn=Applications,dc=stanford,dc=edu" sasl_ssf=56 read by * break

access to attrs=krb5PrincipalName,member,suseasstatus
       by anonymous compare
       by * break

access to attrs=entry
       by * read

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

Follow-Ups:
- RE: sasl UID mapping
  - From: Paul Jakma <paul@clubi.ie>

References:
- RE: sasl UID mapping
  - From: "Howard Chu" <hyc@highlandsun.com>
- RE: sasl UID mapping
  - From: Paul Jakma <paul@clubi.ie>

Prev by Date: RE: sasl UID mapping
Next by Date: RE: sasl UID mapping
Index(es):
- Chronological
- Thread