Alastair Neil wrote: > > I would like to configure the DS to use sasl and gssapi to > authenticate against a local kerberos realm. > I have been looking at the administrators guide and I'm a little > confused. > To enable SASL does one simply setup at least one mapping? > An appropriate SASL mapping for gssapi combined with a ldap service > principle plus saslauthd and the > cyrus-sasl-gssapi package should be all I need, correct? Yes, I believe so... Also, I think your Directory Server should know where the keytab is (if not in the default place)... export KRB5_KTNAME=path_to_service_keytab; start-slapd > If someone could provide a gssapi sasl mapping example I would be > grateful, I think I want to > map posix uid's to uid(a)REALM.EDU <mailto:uid@REALM.EDU>. Let's assume your entry in the DS has the DN "dn: uid=uid,o=realm.edu". Then, the map would be something like this (as seen in "Introduction to SASL" in the Administrator's Guide): dn: cn=mapname,cn=mapping,cn=sasl,cn=config objectclass: top objectclass: nsSaslMapping cn: mapname nsSaslMapRegexString: (.*)(a)(.*) nsSaslMapBaseDNTemplate: uid=\1,o=\2 nsSaslMapFilterTemplate: (objectclass=inetOrgPerson) Thanks, --noriko ------------------------------------------------------------------------ -- Fedora-directory-users mailing list Fedora-directory-users(a)redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users

Thanks that clears that up. One related question, however, the KRB5_KTNAME var would be set where? With OpenLdap I could set this in /etc/sysconfig/ldap. Also, are there init scripts anywhere for starting the server?