A SASL/Kerberos question..

Sam Hartman hartmans at MIT.EDU
Fri Apr 19 15:32:56 EDT 2002


>>>>> "Nils" == Nils Olav Selåsdal <noselasd at frisurf.no> writes:

    Nils> Am I bound to and dn when i use SASL/GSSAPI ? I get my TGT
    Nils> for noselasd at FIANE.INTRA and do e.g. a 'ldapsearch -h lfs
    Nils> -LLL', who am I now authorized/bound as on the ldap server?
    Nils> What I want is that noselasd at FIANE.INTRA binds as
    Nils> uid=noselasd,ou=People,dc=fiane,dc=intra Some explanations

This is server dependent.  For OpenLDAP, you get something like
uid:sasl_name as your identity.  For example here is an entry from my
OpenLDAP ACL:

         by dn="uid=.*/admin" write
         # The admin dn has full write access
           by dn="uid=.*/admin" write
           

So, you are bound to a DN, but it's not really all that distinguished
and probably doesn't exist in your database.  This is probably not
ideal.




More information about the Kerberos mailing list