Author: rmeggins
Update of /cvs/dirsec/ldapserver/ldap/ldif
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv12377/ldapserver/ldap/ldif
Modified Files:
template-dse.ldif.in
Log Message:
Resolves: bug 469261
Bug Description: Support server-to-server SASL - part 2
Reviewed by: nhosoi (Thanks!)
Fix Description: This part focuses on chaining backend - allowing the mux server to use
SASL to connect to the farm server, and allowing SASL authentication to chain. I had to
add two new config parameters for chaining:
nsUseStartTLS - on or off - tell connection to use startTLS - default is off
nsBindMechanism - if absent, will just use simple auth. If present, this must be one of
the supported mechanisms (EXTERNAL, GSSAPI, DIGEST-MD5) - default is absent (simple bind)
The chaining code uses a timeout, so I had to add a timeout to slapi_ldap_bind, and
correct the replication code to pass in a NULL for the timeout parameter.
Fixed a bug in the starttls code in slapi_ldap_init_ext.
The sasl code uses an internal search to find the entry corresponding to the sasl user id.
This search could not be chained due to the way it was coded. So I added a new chainable
component called cn=sasl and changed the sasl internal search code to use this component
ID. This allows the sasl code to work with a chained backend. In order to use chaining
with sasl, this component must be set in the chaining configuration
nsActiveChainingComponents. I also discovered that password policy must be configured
too, in order for the sasl code to determine if the account is locked out.
I fixed a bug in the sasl mapping debug trace code.
Still to come - sasl mappings to work with all of this new code - kerberos code
improvements - changes to pta and dna
Platforms tested: Fedora 8, Fedora 9
Flag Day: yes
Doc impact: yes
Index: template-dse.ldif.in
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/ldif/template-dse.ldif.in,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- template-dse.ldif.in 1 Jul 2008 22:30:05 -0000 1.9
+++ template-dse.ldif.in 5 Nov 2008 18:21:05 -0000 1.10
@@ -752,6 +752,9 @@
nsTransmittedControls: 1.3.6.1.4.1.1466.29539.12
nsPossibleChainingComponents: cn=resource limits,cn=components,cn=config
nsPossibleChainingComponents: cn=certificate-based
authentication,cn=components,cn=config
+nsPossibleChainingComponents: cn=password policy,cn=components,cn=config
+nsPossibleChainingComponents: cn=sasl,cn=components,cn=config
+nsPossibleChainingComponents: cn=roles,cn=components,cn=config
nsPossibleChainingComponents: cn=ACL Plugin,cn=plugins,cn=config
nsPossibleChainingComponents: cn=old plugin,cn=plugins,cn=config
nsPossibleChainingComponents: cn=referential integrity
postoperation,cn=plugins,cn=config
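Review bot: The added line `nsPossibleChainingComponents: cn=roles,cn=components,cn=config` is not explained anywhere in the log message, which only covers the new cn=sasl component and the password policy requirement for lockout checks. Please say why roles needs to be chainable for this change, or move it to its own commit. Also, this hunk only lists cn=sasl and cn=password policy as possible components. Since the log says SASL over a chained backend works only when they are set in nsActiveChainingComponents, the documentation should state that both must be enabled explicitly. Otherwise an administrator may enable cn=sasl alone, leaving the lockout check that depends on password policy without its component.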