You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@directory.apache.org by "Emmanuel Lecharny (JIRA)" <ji...@apache.org> on 2019/06/16 15:15:00 UTC
[jira] [Updated] (DIRSERVER-1453) Map SASL principals to DNs for
ACI validation
[ https://issues.apache.org/jira/browse/DIRSERVER-1453?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Emmanuel Lecharny updated DIRSERVER-1453:
-----------------------------------------
Component/s: authn
aci
> Map SASL principals to DNs for ACI validation
> ---------------------------------------------
>
> Key: DIRSERVER-1453
> URL: https://issues.apache.org/jira/browse/DIRSERVER-1453
> Project: Directory ApacheDS
> Issue Type: New Feature
> Components: aci, authn
> Reporter: Aaron J Angel
> Priority: Major
> Fix For: 2.0.0-RC1
>
>
> SASL authentication is not useful when using access control entries for authorization. Access control is based on a user's DN, but SASL principals/userIDs do not appear to be automatically mapped to the appropriate user's DN. For example, if I authentication using GSSAPI as the user 'aKrbUser', whose credentials are stored in entry uid=aKrbUser,dc=example,dc=com, the user should be authenticated to the directory and mapped to uid=aKrbUser,dc=example,dc=com for access control validation.
> See OpenLDAP's sasl-regexp parameter in slapd.conf for reference. Example:
> sasl-regexp cn=(.*),cn=example.com,cn=gssapi,cn=auth ldap:///dc=example,dc=com??sub?(uid=$1)
> In OpenLDAP, the above line would search the directory context dc=example,dc=com for an entry where the uid attribute value matches the GSSAPI user ID and assign assign the entry's DN as the binddn.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@directory.apache.org
For additional commands, e-mail: dev-help@directory.apache.org