Untitled
a guest
Jul 22nd, 2018

15.2.5. Direct Mapping

Where possible, direct mapping of the authentication request DN to the user's DN is generally recommended. Aside from avoiding the expense of searching for the user's DN, it allows mapping to DNs which refer to entries not held by this server.

Suppose the authentication request DN is written as:

    uid=adamson,cn=example.com,cn=gssapi,cn=auth

and the user's actual LDAP entry is:

    uid=adamson,ou=people,dc=example,dc=com

then the following authz-regexp directive in slapd.conf(5) would provide for direct mapping (the search pattern and the replacement pattern are indented because in slapd.conf(5) a line beginning with whitespace continues the previous line):

    authz-regexp
        uid=([^,]*),cn=example.com,cn=gssapi,cn=auth
        uid=$1,ou=people,dc=example,dc=com

An even more lenient rule could be written as:

    authz-regexp
        uid=([^,]*),cn=[^,]*,cn=auth
        uid=$1,ou=people,dc=example,dc=com

Be careful about setting the search pattern too leniently, however, since it may mistakenly allow persons to become authenticated as a DN to which they should not have access. The lenient rule above, for instance, maps an identity presented through any SASL mechanism, not only GSSAPI, to the same user entry. It is better to write several strict directives than one lenient directive which has security holes. If there is only one authentication mechanism in place at your site, and zero or one realms in use, you might be able to map between authentication identities and LDAP DNs with a single authz-regexp directive.

Don't forget to allow for the case where the realm is omitted (uid=adamson,cn=gssapi,cn=auth) as well as the case with an explicitly specified realm. This may well require a separate authz-regexp directive for each case, with the explicit-realm entry listed first: authz-regexp directives are checked in the order they appear in the file, and the first successful match is used.
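The following is an added example, not part of the original guide text and not OpenLDAP's own code: a small Python simulation of how slapd applies an ordered list of authz-regexp directives to an authentication request DN, used to compare the strict rule set (explicit realm first, then the realm-less form) with the single lenient rule from the text. It assumes first-match-wins ordering, and that the search pattern is applied as a case-insensitive, unanchored regular expression search (that is how a POSIX regexec() call on an extended, case-insensitive pattern behaves; the anchoring behaviour is an assumption of this simulation, so add ^ and $ to your own patterns if you want to be sure). The sample authentication DNs are constructed inputs.

```python
import re

# authz-regexp rules as (search pattern, replacement with $N references),
# written exactly as they appear in slapd.conf(5) in the text above.
USER_DN = "uid=$1,ou=people,dc=example,dc=com"

STRICT_RULES = [
    # explicit realm first, as the text advises
    (r"uid=([^,]*),cn=example.com,cn=gssapi,cn=auth", USER_DN),
    # realm omitted (constructed second directive, covering the case the text mentions)
    (r"uid=([^,]*),cn=gssapi,cn=auth", USER_DN),
]

LENIENT_RULES = [
    (r"uid=([^,]*),cn=[^,]*,cn=auth", USER_DN),
]

# Constructed authentication request DNs, as SASL would present them to slapd.
SAMPLE_AUTH_DNS = [
    "uid=adamson,cn=example.com,cn=gssapi,cn=auth",      # GSSAPI, explicit realm
    "uid=adamson,cn=gssapi,cn=auth",                     # GSSAPI, realm omitted
    "uid=adamson,cn=digest-md5,cn=auth",                 # a different SASL mechanism
    "uid=adamson,cn=other.example,cn=gssapi,cn=auth",    # GSSAPI, foreign realm
]


def _to_python_replacement(slapd_repl):
    # slapd writes back-references as $1..$9; Match.expand() wants \1..\9.
    return re.sub(r"\$(\d)", r"\\\1", slapd_repl)


def map_authz_dn(auth_dn, rules):
    # Try the directives in order and rewrite with the first one that matches.
    # Returns None when nothing matches (slapd then leaves the SASL identity
    # unmapped, so it will not correspond to the user's entry).
    for pattern, replacement in rules:
        m = re.search(pattern, auth_dn, flags=re.IGNORECASE)   # assumption: unanchored, case-insensitive
        if m:
            return m.expand(_to_python_replacement(replacement))
    return None


def mapping_table(rules):
    # Convenience: map every sample DN under one rule set.
    return {dn: map_authz_dn(dn, rules) for dn in SAMPLE_AUTH_DNS}


if __name__ == "__main__":
    for name, rules in (("strict", STRICT_RULES), ("lenient", LENIENT_RULES)):
        print(f"--- {name} rule set ---")
        for dn, mapped in mapping_table(rules).items():
            print(f"{dn:48} -> {mapped}")
```

Two things the run makes visible. First, the lenient rule accepts uid=adamson,cn=digest-md5,cn=auth, an identity from a mechanism the strict rules never mapped, yet it does not match the explicit-realm form at all (the realm adds a third cn component), which is why the text says the realm-present and realm-omitted cases usually need separate directives. Second, the unescaped dot in cn=example.com is a regex metacharacter; for a production directive write cn=example\.com so that only that realm string matches.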