Commit 549d6a2b authored by Howard Chu's avatar Howard Chu

ITS#6757 fix GSSAPI realm examples

parent 0b769a44
...@@ -138,25 +138,35 @@ command option. ...@@ -138,25 +138,35 @@ command option.
For the purposes of authentication and authorization, {{slapd}}(8) For the purposes of authentication and authorization, {{slapd}}(8)
associates an authentication request DN of the form: associates an authentication request DN of the form:
> uid=<primary[/instance]>,cn=<realm>,cn=gssapi,cn=auth > uid=<primary[/instance][@realm]>,cn=gssapi,cn=auth
The realm is omitted by Cyrus SASL if it's equal to the default realm of the
server in {{FILE:/etc/krb5.conf}}.
Continuing our example, a user with the Kerberos principal Continuing our example, a user with the Kerberos principal
{{EX:kurt@EXAMPLE.COM}} would have the associated DN: {{EX:kurt@EXAMPLE.COM}} would have the associated DN:
> uid=kurt,cn=example.com,cn=gssapi,cn=auth > uid=kurt,cn=gssapi,cn=auth
and the principal {{EX:ursula/admin@FOREIGN.REALM}} would have the and the principal {{EX:ursula/admin@FOREIGN.REALM}} would have the
associated DN: associated DN:
> uid=ursula/admin,cn=foreign.realm,cn=gssapi,cn=auth > uid=ursula/admin@foreign.realm,cn=gssapi,cn=auth
The authentication request DN can be used directly ACLs and The authentication request DN can be used directly in ACLs and
{{EX:groupOfNames}} "member" attributes, since it is of legitimate {{EX:groupOfNames}} "member" attributes, since it is of legitimate
LDAP DN format. Or alternatively, the authentication DN could be LDAP DN format. Or alternatively, the authentication DN could be
mapped before use. See the section {{SECT:Mapping Authentication mapped before use. See the section {{SECT:Mapping Authentication
Identities}} for details. Identities}} for details.
If you configure the {{olcSaslRealm}} then it will be inserted as
an extra component in the authorization DN, regardless of any
Kerberos realms in use. For example, if you set olcSaslRealm to
{{EX:example.com}} then you will get:
> uid=kurt,cn=example.com,cn=gssapi,cn=auth
> uid=ursula/admin@foreign.realm,cn=example.com,cn=gssapi,cn=auth
H3: KERBEROS_V4 H3: KERBEROS_V4
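Review bot: The paragraph that says the authentication request DN "can be used directly in ACLs and groupOfNames member attributes" should also warn that ACLs and member values written against the old examples (uid=kurt,cn=example.com,cn=gssapi,cn=auth) will silently stop matching once the cn=<realm> component is dropped for default-realm principals, since the new form is uid=kurt,cn=gssapi,cn=auth; suggest adding a sentence there that existing deployments must either update those DNs or set olcSaslRealm, which the closing paragraph shows reinstates a cn=example.com component for every principal. Minor style point in the added olcSaslRealm paragraph: the first mention is written {{olcSaslRealm}} and the second is bare olcSaslRealm, while the rest of the section marks such names with {{EX:...}}; use one form consistently.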