Thanks that clears that up. One related question, however, the KRB5_KTNAME
var would be set where?
With OpenLdap I could set this in /etc/sysconfig/ldap. Also, are there init
scripts anywhere for starting the
server?
On 6/24/05, Noriko Hosoi <nhosoi(a)redhat.com> wrote:
Alastair Neil wrote:
I would like to configure the DS to use sasl and gssapi to authenticate
against a local kerberos realm.
I have been looking at the administrators guide and I'm a little confused.
To enable SASL does one simply setup at least one mapping?
An appropriate SASL mapping for gssapi combined with a ldap service
principle plus saslauthd and the
cyrus-sasl-gssapi package should be all I need, correct?
Yes, I believe so... Also, I think your Directory Server should know where
the keytab is (if not in the default place)...
export KRB5_KTNAME=*path_to_service_keytab*; start-slapd
If someone could provide a gssapi sasl mapping example I would be
grateful, I think I want to
map posix uid's to *uid*(a)REALM.EDU <uid(a)REALM.EDU>.
Let's assume your entry in the DS has the DN "dn:
uid=*uid*,o=realm.edu<http://realm.edu>".
Then, the map would be something like this (as seen in "Introduction to
SASL" in the Administrator's Guide):
dn: cn=*mapname,*cn=mapping,cn=sasl,cn=config
objectclass: top
objectclass: nsSaslMapping
cn: *mapname*
nsSaslMapRegexString: (.*)(a)(.*)
nsSaslMapBaseDNTemplate: uid=\1,o=\2
nsSaslMapFilterTemplate: (objectclass=inetOrgPerson)
Thanks,
--noriko