Re: SASL & ACLs

--On Tuesday, August 17, 2004 11:57 AM -0400 "Matthew J. Smith" <matt.smith@uconn.edu> wrote:

> My config:
> OpenLDAP 2.2.15, compiled from source
> SASL/GSSAPI is functional
>
> My problem:  I am looking to configure SyncRepl replication, using
> GSSAPI for authentication.  In doing so, I have a couple (hopefully)
> quick SASL + ACL questions:
>
> 1) Do I have to map (sasl-regexp) my SASL DN
> (uid=ldaprep/myldap.uconn.edu,cn=uconn.edu,cn=gssapi,cn=auth) to a local
> DN (uid=ldaprep,ou=accounts,dc=uconn,dc=edu) to use in ACLs, or can I
> simply use uid=ldaprep/myldap.uconn.edu,cn=uconn.edu,cn=gssapi,cn=auth
> in the "by" clause of an ACL?

You must map it.
> 2) In relation to #1, if I want to use a "by group=" clause as follows:
>
> by group="cn=DirectoryReplicators,ou=groups,dc=uconn,dc=edu" read
>
> can I simply add
> uid=ldaprep/myldap.uconn.edu,cn=uconn.edu,cn=gssapi,cn=auth as a member
> of DirectoryReaders, or do I have to map (sasl-regexp) to a local DN,
> and add that DN as a member?

Map to a local DN, and add that DN as a member.

> I do see many examples on the web where replication with GSSAPI authn
> is configured, using sasl-regexp to map the SASL DN to a local DN, but I
> would like to avoid the extra local DN and mapping if possible to reduce
> the (admittedly minor) complexity.
>
> Any insight is greatly appreciated!  If any clarification is needed,
> please ask.
The bind identity must be tied to a DN.

I suggest reading the open ITS reports at http://www.openldap.org/its/ about syncRepl. There appear to still be a number of issues with it, and adding group complexity doesn't help. I suggest using slurpd for the time being.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
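Added example (not from the thread, and not Matthew's or Stanford's actual configuration) showing the mapping Quanah says is required: a sasl-regexp that turns the GSSAPI SASL DN into the local DN, an ACL that grants read access through the group, the group entry that lists the mapped DN as a member, and the matching 2.2-style syncrepl directive on the consumer. The principal, realm, uid, group name and host are taken from the question; the ACL scope, the consumer's rid and updatedn, the replication interval and the keytab path are assumptions.

```conf
### slapd.conf on the provider (myldap.uconn.edu) -- added example, not from the thread

# 1) Map the GSSAPI SASL identity onto a local DN.  The first argument is a
#    regular expression matched against the SASL DN slapd constructs for the
#    bind (uid=<principal>,cn=<realm>,cn=gssapi,cn=auth); the second is the
#    DN that ACLs and group checks will see.  Anchoring the pattern, escaping
#    the dots and spelling out the full principal keeps the rule from mapping
#    any other ldaprep/<host> principal onto this account.  Because the
#    replacement is a plain DN rather than an LDAP URL, slapd uses it as-is
#    and does not need an entry to exist at that DN.
sasl-regexp
    "^uid=ldaprep/myldap\.uconn\.edu,cn=uconn\.edu,cn=gssapi,cn=auth$"
    "uid=ldaprep,ou=accounts,dc=uconn,dc=edu"

# 2) Grant read access through the group.  The group must list the *mapped*
#    DN as a member; the cn=auth SASL DN never appears in ACL evaluation once
#    the regexp above matches.  Scope ("to *") is an assumption; narrow it to
#    the replicated subtree in a real deployment.
access to *
    by group="cn=DirectoryReplicators,ou=groups,dc=uconn,dc=edu" read
    by * none        # (assumed) replace with the site's existing by-clauses

# 3) Group entry, as LDIF to load with ldapadd -- the member is the local DN
#    produced by the sasl-regexp, not the cn=gssapi,cn=auth DN:
#
#    dn: cn=DirectoryReplicators,ou=groups,dc=uconn,dc=edu
#    objectClass: groupOfNames
#    cn: DirectoryReplicators
#    member: uid=ldaprep,ou=accounts,dc=uconn,dc=edu

### slapd.conf on the consumer -- OpenLDAP 2.2 syncrepl syntax, binding with GSSAPI.
### The consumer's Kerberos credential cache for ldaprep/myldap.uconn.edu must be
### obtained and kept fresh outside slapd (e.g. kinit from a keytab); slapd 2.2
### does not acquire tickets itself.
syncrepl rid=001
    provider=ldap://myldap.uconn.edu
    type=refreshOnly
    interval=00:00:15:00                        # (assumed) every 15 minutes
    searchbase="dc=uconn,dc=edu"
    filter="(objectClass=*)"
    scope=sub
    attrs="*"
    schemachecking=off
    updatedn="cn=replica,dc=uconn,dc=edu"       # (assumed) local DN allowed to write the replica
    bindmethod=sasl
    saslmech=GSSAPI
```

To confirm the mapping before wiring it into the ACL, obtain a ticket for the service principal on the consumer (for MIT Kerberos, `kinit -k -t /etc/krb5.keytab ldaprep/myldap.uconn.edu`, keytab path assumed) and run `ldapwhoami -Y GSSAPI -H ldap://myldap.uconn.edu`: without the sasl-regexp it reports the cn=gssapi,cn=auth DN, with it the result should be `dn:uid=ldaprep,ou=accounts,dc=uconn,dc=edu`. Checking that output is also the quickest way to catch a realm case mismatch (the question shows the realm as cn=uconn.edu; whatever slapd actually prints is what the regular expression must match).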