directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Quanah Gibson-Mount <>
Subject Re: Binding with enything but a dn?
Date Fri, 04 Aug 2006 16:43:23 GMT

--On Friday, August 04, 2006 11:24 AM -0400 Alex Karasulu 
<> wrote:

> You mean the principal's entry may be in some place in the directory
> which does not follow the domain to DN mapping I guess.  Like ...
> really being in uid=jhenne,ou=users,dc=apache,dc=org
> Yes, yes, this is a reasonable conclusion.
> I was thinking about the following
>> algorithm:
>> 1. map the specified name to a base dn, like in your example. This might
>> be up to a specialized authentication module.
>> 2. search this base dn for matching users
>> 3. bind using this user's DN.
>> You are right, of course, that the search still needs to be carried out.
>> However, we're saving a network round-trip.
> We might want to look at making a custom SASL mechanism to do this as
> well.

You may want to look at how the "authz-regexp" pieces work in OpenLDAP, 
which allow you to map SASL identities to entries in the server based on 
regular expressions.

For example, in my system, I have:

authz-regexp uid=(.*)/cgi,,cn=gssapi,cn=auth 
authz-regexp uid=service/(.*),,cn=gssapi,cn=auth 
authz-regexp uid=webauth/(.*),,cn=gssapi,cn=auth 
authz-regexp uid=(.*),,cn=gssapi,cn=auth 

Stanford uses SASL/GSSAPI as a binding mechanism, and this allows me to map 
different types of Kerberos identities into different parts of the tree.


Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key:

View raw message