For the purposes of authentication and authorization, {{slapd}}(8)
associates an authentication request DN of the form:
-> uid=<primary[/instance]>,cn=<realm>,cn=gssapi,cn=auth
+> uid=<primary[/instance][@realm]>,cn=gssapi,cn=auth
+
+The realm is omitted by Cyrus SASL if it's equal to the default realm of the
+server in {{FILE:/etc/krb5.conf}}.
Continuing our example, a user with the Kerberos principal
{{EX:kurt@EXAMPLE.COM}} would have the associated DN:
-> uid=kurt,cn=example.com,cn=gssapi,cn=auth
+> uid=kurt,cn=gssapi,cn=auth
and the principal {{EX:ursula/admin@FOREIGN.REALM}} would have the
associated DN:
-> uid=ursula/admin,cn=foreign.realm,cn=gssapi,cn=auth
+> uid=ursula/admin@foreign.realm,cn=gssapi,cn=auth
-The authentication request DN can be used directly ACLs and
+The authentication request DN can be used directly in ACLs and
{{EX:groupOfNames}} "member" attributes, since it is of legitimate
LDAP DN format. Or alternatively, the authentication DN could be
mapped before use. See the section {{SECT:Mapping Authentication
Identities}} for details.
+If you configure the {{olcSaslRealm}} then it will be inserted as
+an extra component in the authorization DN, regardless of any
+Kerberos realms in use. For example, if you set olcSaslRealm to
+{{EX:example.com}} then you will get:
+
+> uid=kurt,cn=example.com,cn=gssapi,cn=auth
+> uid=ursula/admin@foreign.realm,cn=example.com,cn=gssapi,cn=auth
H3: KERBEROS_V4
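Review bot: the olcSaslRealm paragraph at the end of the hunk calls the result the "authorization DN" while the rest of the hunk, including its first sentence, calls it the "authentication request DN"; use one term, since olcSaslRealm changes the DN that ACLs and the mappings in "Mapping Authentication Identities" see before any mapping is applied, and readers should not take it for a separate authorization identity. The same paragraph should also spell out the ACL consequence of the realm rule introduced above it: because the `@realm` suffix appears only for principals outside the server's default realm, an ACL or `groupOfNames` member written as `uid=kurt,cn=gssapi,cn=auth` matches only `kurt@EXAMPLE.COM`, while a `kurt@FOREIGN.REALM` arrives as `uid=kurt@foreign.realm,cn=gssapi,cn=auth`, and a mapping pattern that captures the whole `uid` value will capture the realm suffix with it; one sentence telling authors to account for the optional `@realm` in their patterns would prevent an over-broad match. Minor: the examples show the realm lowercased (`FOREIGN.REALM` becomes `foreign.realm`) but the prose never states this; a clause next to "The realm is omitted by Cyrus SASL ..." would make the case folding explicit.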