I'm migrating from OpenLDAP to FDS, soon, and I'm trying to establish an
entirely compatible Kerberos auth configuration on the new system. User
authentication wasn't really a problem, but we have one application
which uses a Kerberos principal that doesn't map to a DN on the old system.
I'm using this ACI (among others, naturally) on the base DN:
dn: dc=ee,dc=washington,dc=edu
aci: (version 3.0; acl "Allow all writes by admin users and web form";
  allow (all) userdn="ldap:///uid=*/admin,cn=GSSAPI,cn=auth ||
  ldap:///uid=application/hostname.ee.washington.edu,cn=GSSAPI,cn=auth";)
My only SASL mapping rule is this:
dn: cn=Kerberos mapping,cn=mapping,cn=sasl,cn=config
changetype: add
objectClass: top
objectClass: nsSaslMapping
cn: Kerberos mapping
nsSaslMapRegexString: uid=([^/]*),cn=GSSAPI,cn=auth
nsSaslMapBaseDNTemplate: uid=\1,ou=people,dc=ee,dc=washington,dc=edu
nsSaslMapFilterTemplate: objectClass=inetOrgPerson
For the application, the obvious simple "out" seems to be creating a new
entry for the application, under "people", but I don't know how the
"admin" tickets will work.
I'm guessing that I need a "default" mapping, but SASL and GSSAPI are
documented rather poorly for FDS, and it's not clear to me exactly what
I need to do here.
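The mapping rule quoted above turns a SASL identity into a search base and filter by regex substitution, and the `[^/]*` character class is exactly what keeps the `user/admin` and `application/host` principal forms from matching it. The Python below is an added illustration of that mechanism, not code from the original post and not 389/FDS code. It assumes the string matched against is the `uid=...,cn=GSSAPI,cn=auth` form the post uses, that matching is anchored at the start of that string, and that rules are consulted in list order; the second rule is a hypothetical addition for the `/admin` instance, not part of the poster's configuration, included only to show how a separate regex catches it.

```python
import re
from typing import List, Optional, Tuple

# Mapping entries in the shape of the post's nsSaslMapping attributes:
# nsSaslMapRegexString, nsSaslMapBaseDNTemplate, nsSaslMapFilterTemplate.
# The first entry is the rule from the post. The second is a hypothetical
# rule (not part of the poster's configuration) added only to show how a
# user/admin instance can be caught by its own regex.
POSTED_MAPPING = {
    "cn": "Kerberos mapping",
    "regex": r"uid=([^/]*),cn=GSSAPI,cn=auth",
    "base": r"uid=\1,ou=people,dc=ee,dc=washington,dc=edu",
    "filter": r"objectClass=inetOrgPerson",
}

HYPOTHETICAL_ADMIN_MAPPING = {
    "cn": "Kerberos admin mapping (hypothetical)",
    "regex": r"uid=([^/]*)/admin,cn=GSSAPI,cn=auth",
    "base": r"uid=\1,ou=people,dc=ee,dc=washington,dc=edu",
    "filter": r"objectClass=inetOrgPerson",
}

# Constructed sample authids in the uid=...,cn=GSSAPI,cn=auth form the
# post uses. Assumption: this is the string the regex is matched against.
SAMPLE_AUTHIDS = [
    "uid=jdoe,cn=GSSAPI,cn=auth",
    "uid=jdoe/admin,cn=GSSAPI,cn=auth",
    "uid=application/hostname.ee.washington.edu,cn=GSSAPI,cn=auth",
]


def apply_mapping(mapping: dict, authid: str) -> Optional[Tuple[str, str]]:
    """Expand one mapping against an authid.

    Returns (search base, filter) with the \\1 back-reference substituted,
    or None when the regex does not match. Assumption: the match is
    anchored at the start of the authid (re.match), as the post's rule
    relies on.
    """
    m = re.match(mapping["regex"], authid)
    if m is None:
        return None
    return m.expand(mapping["base"]), m.expand(mapping["filter"])


def matching_rules(mappings: List[dict], authid: str) -> List[str]:
    """Names of every rule whose regex matches the authid.

    More than one name means the outcome depends on the server's rule
    ordering, which is worth knowing before relying on a rule set.
    """
    return [mp["cn"] for mp in mappings if apply_mapping(mp, authid)]


def resolve(mappings: List[dict], authid: str) -> Optional[Tuple[str, str, str]]:
    """First-match resolution: (rule name, search base, filter), or None
    when no rule matches, i.e. the bind identity maps to no entry."""
    for mp in mappings:
        result = apply_mapping(mp, authid)
        if result:
            base, flt = result
            return mp["cn"], base, flt
    return None


if __name__ == "__main__":
    rule_sets = (
        ("posted rule only", [POSTED_MAPPING]),
        ("posted + hypothetical admin rule",
         [POSTED_MAPPING, HYPOTHETICAL_ADMIN_MAPPING]),
    )
    for ruleset_name, ruleset in rule_sets:
        print(f"== {ruleset_name} ==")
        for authid in SAMPLE_AUTHIDS:
            hit = resolve(ruleset, authid)
            if hit is None:
                print(f"{authid}\n    -> no mapping rule matches")
            else:
                name, base, flt = hit
                print(f"{authid}\n    -> {name}: base={base} filter=({flt})")
```

Running it shows the plain `uid=jdoe` identity resolving under the posted rule, and both the `/admin` and `application/hostname` forms falling through with no match, which is the gap the post describes. With the hypothetical admin rule present, `uid=jdoe/admin` resolves to the same people entry as `uid=jdoe`; note that the ACI in the post names the raw `uid=*/admin,cn=GSSAPI,cn=auth` form, so whatever DN the server ends up binding as after mapping is what that `userdn` clause has to name for the two to line up.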