From: Howard Chu Date: Mon, 15 Feb 2021 14:11:44 +0000 (+0000) Subject: ITS#6757 fix GSSAPI realm examples X-Git-Tag: OPENLDAP_REL_ENG_2_5_2BETA~4^2~34 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=549d6a2ba2c40c2102d1643476cb7c6e478ef838;p=thirdparty%2Fopenldap.git ITS#6757 fix GSSAPI realm examples --- diff --git a/doc/guide/admin/sasl.sdf b/doc/guide/admin/sasl.sdf index beee731d1a..920834018a 100644 --- a/doc/guide/admin/sasl.sdf +++ b/doc/guide/admin/sasl.sdf @@ -138,25 +138,35 @@ command option. For the purposes of authentication and authorization, {{slapd}}(8) associates an authentication request DN of the form: -> uid=,cn=,cn=gssapi,cn=auth +> uid=,cn=gssapi,cn=auth + +The realm is omitted by Cyrus SASL if it's equal to the default realm of the +server in {{FILE:/etc/krb5.conf}}. Continuing our example, a user with the Kerberos principal {{EX:kurt@EXAMPLE.COM}} would have the associated DN: -> uid=kurt,cn=example.com,cn=gssapi,cn=auth +> uid=kurt,cn=gssapi,cn=auth and the principal {{EX:ursula/admin@FOREIGN.REALM}} would have the associated DN: -> uid=ursula/admin,cn=foreign.realm,cn=gssapi,cn=auth +> uid=ursula/admin@foreign.realm,cn=gssapi,cn=auth -The authentication request DN can be used directly ACLs and +The authentication request DN can be used directly in ACLs and {{EX:groupOfNames}} "member" attributes, since it is of legitimate LDAP DN format. Or alternatively, the authentication DN could be mapped before use. See the section {{SECT:Mapping Authentication Identities}} for details. +If you configure the {{olcSaslRealm}} then it will be inserted as +an extra component in the authorization DN, regardless of any +Kerberos realms in use. For example, if you set olcSaslRealm to +{{EX:example.com}} then you will get: + +> uid=kurt,cn=example.com,cn=gssapi,cn=auth +> uid=ursula/admin@foreign.realm,cn=example.com,cn=gssapi,cn=auth H3: KERBEROS_V4
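Review bot: the new template line `> uid=,cn=gssapi,cn=auth` and the sentence added beneath it ("The realm is omitted by Cyrus SASL if it's equal to the default realm ...") only describe the default-realm case, while the `ursula/admin@FOREIGN.REALM` example in the same hunk shows a non-default realm surviving as an `@realm` suffix inside the uid value, written in lowercase (`uid=ursula/admin@foreign.realm,cn=gssapi,cn=auth`), and nothing in the prose says so. Suggest stating it next to the new sentence, e.g. "A principal from any other realm keeps its realm as an @realm suffix in the uid value, as the second example shows." and, if the template is meant to cover both cases, writing it as `uid=[@],cn=gssapi,cn=auth`. Two smaller points in the same hunk: `{{olcSaslRealm}}` is bare markup where the next sentence writes `olcSaslRealm` unmarked and the rest of the file uses `{{EX:...}}` / `{{FILE:...}}`, so both occurrences should probably be `{{EX:olcSaslRealm}}`; and the new paragraph says "authorization DN" where the surrounding text calls the same thing the "authentication request DN", which is what the example DNs are.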