From 549d6a2ba2c40c2102d1643476cb7c6e478ef838 Mon Sep 17 00:00:00 2001 From: Howard Chu Date: Mon, 15 Feb 2021 14:11:44 +0000 Subject: [PATCH] ITS#6757 fix GSSAPI realm examples --- doc/guide/admin/sasl.sdf | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/doc/guide/admin/sasl.sdf b/doc/guide/admin/sasl.sdf index beee731d1a..920834018a 100644 --- a/doc/guide/admin/sasl.sdf +++ b/doc/guide/admin/sasl.sdf @@ -138,25 +138,35 @@ command option. For the purposes of authentication and authorization, {{slapd}}(8) associates an authentication request DN of the form: -> uid=,cn=,cn=gssapi,cn=auth +> uid=,cn=gssapi,cn=auth + +The realm is omitted by Cyrus SASL if it's equal to the default realm of the +server in {{FILE:/etc/krb5.conf}}. Continuing our example, a user with the Kerberos principal {{EX:kurt@EXAMPLE.COM}} would have the associated DN: -> uid=kurt,cn=example.com,cn=gssapi,cn=auth +> uid=kurt,cn=gssapi,cn=auth and the principal {{EX:ursula/admin@FOREIGN.REALM}} would have the associated DN: -> uid=ursula/admin,cn=foreign.realm,cn=gssapi,cn=auth +> uid=ursula/admin@foreign.realm,cn=gssapi,cn=auth -The authentication request DN can be used directly ACLs and +The authentication request DN can be used directly in ACLs and {{EX:groupOfNames}} "member" attributes, since it is of legitimate LDAP DN format. Or alternatively, the authentication DN could be mapped before use. See the section {{SECT:Mapping Authentication Identities}} for details. +If you configure the {{olcSaslRealm}} then it will be inserted as +an extra component in the authorization DN, regardless of any +Kerberos realms in use. For example, if you set olcSaslRealm to +{{EX:example.com}} then you will get: + +> uid=kurt,cn=example.com,cn=gssapi,cn=auth +> uid=ursula/admin@foreign.realm,cn=example.com,cn=gssapi,cn=auth H3: KERBEROS_V4
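Review bot: the new closing paragraph says the configured olcSaslRealm is inserted into the "authorization DN", but the rest of this section (including the lines just above it) calls the constructed value the "authentication request DN", and the authorization identity is what that DN is later mapped to in {{SECT:Mapping Authentication Identities}}; use one term. In the same paragraph, `{{olcSaslRealm}}` lacks the `EX:` prefix used for every other literal in this hunk, and the second mention is bare `olcSaslRealm`, so both should read `{{EX:olcSaslRealm}}`. Since the DN shape now depends on whether the principal's realm equals the server's default realm, it would help readers writing ACLs or identity-mapping rules to spell out that a rule matching `uid=kurt,cn=gssapi,cn=auth` will not match a `kurt@FOREIGN.REALM` principal (which yields `uid=kurt@foreign.realm,cn=gssapi,cn=auth`), and to state that the examples show the normalized DN, because the principal's realm is written `FOREIGN.REALM` while the DN shows `foreign.realm`.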