<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Alastair Neil wrote:
<blockquote cite="mid85ac2ef405062415083fdd652@mail.gmail.com"
type="cite"><br>
I would like to configure the DS to use sasl and gssapi to
authenticate against a local kerberos realm. <br>
I have been looking at the administrators guide and I'm a little
confused. <br>
To enable SASL does one simply setup at least one mapping? <br>
An appropriate SASL mapping for gssapi combined with a ldap service
principle plus saslauthd and the<br>
cyrus-sasl-gssapi package should be all I need, correct?<br>
</blockquote>
Yes, I believe so... Also, I think your Directory Server should know
where the keytab is (if not in the default place)...<font
face="Times New Roman, serif"><br>
</font>
<blockquote><font face="Times New Roman, serif">export
KRB5_KTNAME=<i>path_to_service_keytab</i>; start-slapd</font><br>
</blockquote>
<blockquote cite="mid85ac2ef405062415083fdd652@mail.gmail.com"
type="cite">If someone could provide a gssapi sasl mapping example I
would be grateful, I think I want to <br>
map posix uid's to <a href="mailto:uid@REALM.EDU" target="_blank"
onclick="return top.js.OpenExtLink(window,event,this)"><i>uid</i>@REALM.EDU</a>.<br>
</blockquote>
Let's assume your entry in the DS has the DN "dn: uid=<i>uid</i>,o=realm.edu".
Then, the map would be something like this (as seen in "Introduction to
SASL" in the Administrator's Guide):<br>
<p style="margin-bottom: 0cm;"><font face="Times New Roman, serif">dn:
cn=<i>mapname,</i>cn=mapping,cn=sasl,cn=config<br>
objectclass:
top<br>
objectclass:
nsSaslMapping<br>
cn:
<i>mapname</i><br>
nsSaslMapRegexString: (.*)@(.*)<br>
nsSaslMapBaseDNTemplate: uid=\1,o=\2<br>
nsSaslMapFilterTemplate: (objectclass=inetOrgPerson)<br>
</font></p>
<br>
Thanks,<br>
--noriko<br>
</body>
</html>