15.2.5. Direct Mapping

Where possible, direct mapping of the authentication request DN to the user's DN is generally recommended. Aside from avoiding the expense of searching for the user's DN, it allows mapping to DNs which refer to entries not held by this server.

Suppose the authentication request DN is written as:

    uid=adamson,cn=example.com,cn=gssapi,cn=auth

and the user's actual LDAP entry is:

    uid=adamson,ou=people,dc=example,dc=com

then the following authz-regexp directive in slapd.conf(5) would provide for direct mapping.

    authz-regexp
      uid=([^,]*),cn=example.com,cn=gssapi,cn=auth
      uid=$1,ou=people,dc=example,dc=com

An even more lenient rule could be written as

    authz-regexp
      uid=([^,]*),cn=[^,]*,cn=auth
      uid=$1,ou=people,dc=example,dc=com
Be careful about setting the search pattern too leniently, however, since it may mistakenly allow a person to be authorized as a DN to which they should not have access. The lenient rule above, for instance, accepts the realm-less form of the authentication DN for every SASL mechanism, not just GSSAPI, because cn=[^,]* matches any value. It is better to write several strict directives than one lenient directive which has security holes. If there is only one authentication mechanism in place at your site, and zero or one realms in use, you might be able to map between authentication identities and LDAP DNs with a single authz-regexp directive.

Don't forget to allow for the case where the realm is omitted as well as the case with an explicitly specified realm. This may well require a separate authz-regexp directive for each case, with the explicit-realm entry being listed first.
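The directives above can be checked offline before they go into slapd.conf. The following Python script is an added example, not code from the OpenLDAP Admin Guide or from slapd itself; it emulates authz-regexp by trying each directive in file order and applying the first one that matches, converting slapd's $1 back-reference syntax to Python's \1. Two points are assumptions rather than anything the page states: that slapd uses the first matching directive, and that the pattern is matched against the whole authentication DN (the script uses re.fullmatch; writing ^...$ in the directive gives the same effect regardless of how slapd anchors). The sample authentication DNs are constructed. Run against the page's own patterns, it shows that the strict pair maps both the explicit-realm and realm-less GSSAPI forms and rejects another realm, while the lenient single rule maps any mechanism in the realm-less form and does not match the explicit-realm form at all.

```python
import re
from typing import Optional

# Constructed slapd.conf-style authz-regexp directives, in file order.
# Strict set: one directive for the explicit-realm form and one for the
# realm-less form, with the explicit-realm directive listed first.
# Note the unescaped '.' in example.com: in a regular expression it matches
# any character, so cn=example\.com would be the tighter spelling.
STRICT_RULES = [
    (r"uid=([^,]*),cn=example.com,cn=gssapi,cn=auth",
     r"uid=$1,ou=people,dc=example,dc=com"),
    (r"uid=([^,]*),cn=gssapi,cn=auth",
     r"uid=$1,ou=people,dc=example,dc=com"),
]

# The lenient single directive from the text: cn=[^,]* accepts any mechanism.
LENIENT_RULES = [
    (r"uid=([^,]*),cn=[^,]*,cn=auth",
     r"uid=$1,ou=people,dc=example,dc=com"),
]

# Constructed authentication request DNs as slapd builds them for SASL binds:
# explicit realm, realm omitted, a different realm, a different mechanism.
SAMPLE_IDENTITIES = [
    "uid=adamson,cn=example.com,cn=gssapi,cn=auth",
    "uid=adamson,cn=gssapi,cn=auth",
    "uid=adamson,cn=other.org,cn=gssapi,cn=auth",
    "uid=adamson,cn=digest-md5,cn=auth",
]


def _to_python_repl(repl: str) -> str:
    """Convert slapd's $1..$9 back-references to Python's \\1..\\9."""
    return re.sub(r"\$(\d)", r"\\\1", repl)


def map_authz(auth_dn: str, rules) -> Optional[str]:
    """Return the DN an authentication request DN maps to, or None.

    Assumption (not stated on the page): directives are tried in order and
    the first match wins. re.fullmatch anchors the pattern to the whole
    string; an explicit ^...$ in the directive has the same effect.
    """
    for pattern, repl in rules:
        m = re.fullmatch(pattern, auth_dn)
        if m:
            return m.expand(_to_python_repl(repl))
    return None


def audit(rules, identities):
    """Map every identity under a rule set; returns {auth_dn: mapped DN or None}."""
    return {dn: map_authz(dn, rules) for dn in identities}


if __name__ == "__main__":
    for name, rules in (("strict", STRICT_RULES), ("lenient", LENIENT_RULES)):
        print(f"--- {name} ---")
        for dn, mapped in audit(rules, SAMPLE_IDENTITIES).items():
            print(f"{dn:48} -> {mapped}")
```

Add each authentication DN form your site actually produces (every mechanism, with and without realm) to the sample list; any identity that maps under the rule set but should not is exactly the hole the text warns about.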