directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Pierre-Arnaud Marcelot (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (DIRSERVER-1453) Map SASL principals to DNs for ACI validation
Date Fri, 26 Aug 2011 16:26:34 GMT

     [ https://issues.apache.org/jira/browse/DIRSERVER-1453?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Pierre-Arnaud Marcelot updated DIRSERVER-1453:
----------------------------------------------

    Fix Version/s:     (was: 2.0.0-M2)
                   2.0.0-M3

> Map SASL principals to DNs for ACI validation
> ---------------------------------------------
>
>                 Key: DIRSERVER-1453
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-1453
>             Project: Directory ApacheDS
>          Issue Type: New Feature
>            Reporter: Aaron J Angel
>             Fix For: 2.0.0-M3
>
>
> SASL authentication is not useful when using access control entries for authorization.
 Access control is based on a user's DN, but SASL principals/userIDs do not appear to be automatically
mapped to the appropriate user's DN.  For example, if I authentication using GSSAPI as the
user 'aKrbUser', whose credentials are stored in entry uid=aKrbUser,dc=example,dc=com, the
user should be authenticated to the directory and mapped to uid=aKrbUser,dc=example,dc=com
for access control validation.
> See OpenLDAP's sasl-regexp parameter in slapd.conf for reference.  Example:
> sasl-regexp cn=(.*),cn=example.com,cn=gssapi,cn=auth ldap:///dc=example,dc=com??sub?(uid=$1)
> In OpenLDAP, the above line would search the directory context dc=example,dc=com for
an entry where the uid attribute value matches the GSSAPI user ID and assign assign the entry's
DN as the binddn.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message