Commit 549d6a2b authored by Howard Chu's avatar Howard Chu
Browse files

ITS#6757 fix GSSAPI realm examples

parent 0b769a44
......@@ -138,25 +138,35 @@ command option.
For the purposes of authentication and authorization, {{slapd}}(8)
associates an authentication request DN of the form:
> uid=<primary[/instance]>,cn=<realm>,cn=gssapi,cn=auth
> uid=<primary[/instance][@realm]>,cn=gssapi,cn=auth
The realm is omitted by Cyrus SASL if it's equal to the default realm of the
server in {{FILE:/etc/krb5.conf}}.
Continuing our example, a user with the Kerberos principal
{{EX:kurt@EXAMPLE.COM}} would have the associated DN:
> uid=kurt,cn=example.com,cn=gssapi,cn=auth
> uid=kurt,cn=gssapi,cn=auth
and the principal {{EX:ursula/admin@FOREIGN.REALM}} would have the
associated DN:
> uid=ursula/admin,cn=foreign.realm,cn=gssapi,cn=auth
> uid=ursula/admin@foreign.realm,cn=gssapi,cn=auth
The authentication request DN can be used directly ACLs and
The authentication request DN can be used directly in ACLs and
{{EX:groupOfNames}} "member" attributes, since it is of legitimate
LDAP DN format. Or alternatively, the authentication DN could be
mapped before use. See the section {{SECT:Mapping Authentication
Identities}} for details.
If you configure the {{olcSaslRealm}} then it will be inserted as
an extra component in the authorization DN, regardless of any
Kerberos realms in use. For example, if you set olcSaslRealm to
{{EX:example.com}} then you will get:
> uid=kurt,cn=example.com,cn=gssapi,cn=auth
> uid=ursula/admin@foreign.realm,cn=example.com,cn=gssapi,cn=auth
H3: KERBEROS_V4
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment