directory-dev mailing list archives

From "Aaron J Angel (JIRA)" <>
Subject [jira] Created: (DIRSERVER-1453) Map SASL principals to DNs for ACI validation
Date Mon, 04 Jan 2010 01:10:54 GMT
Map SASL principals to DNs for ACI validation

                 Key: DIRSERVER-1453
             Project: Directory ApacheDS
          Issue Type: New Feature
            Reporter: Aaron J Angel

SASL authentication is not useful when using access control entries for authorization.  Access
control is based on a user's DN, but SASL principals/userIDs do not appear to be automatically
mapped to the appropriate user's DN.  For example, if I authenticate using GSSAPI as the
user 'aKrbUser', whose credentials are stored in entry uid=aKrbUser,dc=example,dc=com, the
user should be authenticated to the directory and mapped to uid=aKrbUser,dc=example,dc=com
for access control validation.

See OpenLDAP's sasl-regexp parameter in slapd.conf for reference.  Example:

sasl-regexp cn=(.*),,cn=gssapi,cn=auth ldap:///dc=example,dc=com??sub?(uid=$1)

In OpenLDAP, the above line would search the directory context dc=example,dc=com for an entry
where the uid attribute value matches the GSSAPI user ID and assign the entry's DN
as the binddn.
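The mapping described above, as an added example that is not part of the original issue or of ApacheDS or OpenLDAP: a hypothetical sasl-regexp-style rule matches the synthetic SASL authorization DN (assumed here in the uid=<user>[,cn=<realm>],cn=<mech>,cn=auth form), substitutes the captured user ID into an LDAP search URL, and runs that search against a constructed in-memory directory. It escapes the captured value per RFC 4515 before substituting it into the filter and accepts the mapping only when the search returns exactly one entry, since an ambiguous or empty result must not silently bind as some other entry.

```python
import re

# Constructed in-memory directory standing in for the DIT (not a real server).
DIRECTORY = {
    "uid=aKrbUser,dc=example,dc=com": {"uid": ["aKrbUser"]},
    "uid=bob,dc=example,dc=com": {"uid": ["bob"]},
    "uid=dup,ou=a,dc=example,dc=com": {"uid": ["dup"]},
    "uid=dup,ou=b,dc=example,dc=com": {"uid": ["dup"]},
}

def escape_filter_value(value):
    """RFC 4515 escaping so a captured principal cannot change the filter's shape."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)

def _unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

# Hypothetical mapping rule modelled on OpenLDAP's sasl-regexp: the SASL
# authorization DN is matched against the regexp and $1 is substituted into the
# LDAP URL that is then searched.  The pattern is anchored so a principal
# carrying extra RDNs (or a different mechanism/realm) does not match.
RULES = [
    (re.compile(r"^uid=([^,]+),cn=gssapi,cn=auth$"),
     "ldap:///dc=example,dc=com??sub?(uid=$1)"),
]

def sasl_authz_dn(mech, username, realm=""):
    """Form the synthetic DN a SASL bind presents (assumed format, see lead-in)."""
    rdns = [f"uid={username}"]
    if realm:
        rdns.append(f"cn={realm}")
    rdns += [f"cn={mech.lower()}", "cn=auth"]
    return ",".join(rdns)

def _in_scope(entry_dn, base, scope):
    if scope == "base":
        return entry_dn == base
    if scope == "one":
        return entry_dn.endswith("," + base) and "," not in entry_dn[: -len(base) - 1]
    if scope == "sub":
        return entry_dn == base or entry_dn.endswith("," + base)
    raise ValueError(f"unsupported scope {scope!r}")

def search(url):
    """Evaluate a minimal ldap:///base?attrs?scope?filter URL with one equality filter."""
    if not url.startswith("ldap:///"):
        raise ValueError("only ldap:/// URLs are supported")
    fields = url[len("ldap:///"):].split("?")
    base, _attrs, scope, flt = (fields + ["", "", "", ""])[:4]
    m = re.fullmatch(r"\((\w+)=([^()]*)\)", flt)
    if not m:
        raise ValueError(f"unsupported filter {flt!r}")
    attr, wanted = m.group(1), _unescape_filter_value(m.group(2))
    # uid uses a case-insensitive matching rule, so compare case-insensitively.
    return [dn for dn, attrs in DIRECTORY.items()
            if _in_scope(dn, base, scope or "base")
            and wanted.lower() in (v.lower() for v in attrs.get(attr, []))]

def map_principal(authz_dn):
    """Return the entry DN for a SASL authorization DN, or None if no rule yields exactly one entry."""
    for pattern, url_template in RULES:
        m = pattern.match(authz_dn)
        if not m:
            continue
        url = url_template
        for i, group in enumerate(m.groups(), start=1):
            url = url.replace(f"${i}", escape_filter_value(group))
        hits = search(url)
        # Zero hits means an unknown user; more than one means the mapping is
        # ambiguous.  Neither may pick an entry, so both fail the bind.
        return hits[0] if len(hits) == 1 else None
    return None

if __name__ == "__main__":
    cases = [("GSSAPI", "aKrbUser", ""), ("GSSAPI", "dup", ""),
             ("GSSAPI", "*", ""), ("DIGEST-MD5", "aKrbUser", "EXAMPLE.COM")]
    for mech, user, realm in cases:
        dn = sasl_authz_dn(mech, user, realm)
        print(f"{dn:55} -> {map_principal(dn)}")
```

The `dup` and `*` cases show the two failure modes worth testing in any such mapper: two entries share a uid, so the rule must refuse rather than pick the first, and a user ID containing filter metacharacters is escaped so it matches nothing instead of widening the search.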

