Map SASL principals to DNs for ACI validation
---------------------------------------------
Key: DIRSERVER-1453
URL: https://issues.apache.org/jira/browse/DIRSERVER-1453
Project: Directory ApacheDS
Issue Type: New Feature
Reporter: Aaron J Angel
SASL authentication is not useful when using access control entries for
authorization. Access control is based on a user's DN, but SASL
principals/userIDs do not appear to be automatically mapped to the appropriate
user's DN. For example, if I authentication using GSSAPI as the user
'aKrbUser', whose credentials are stored in entry
uid=aKrbUser,dc=example,dc=com, the user should be authenticated to the
directory and mapped to uid=aKrbUser,dc=example,dc=com for access control
validation.
See OpenLDAP's sasl-regexp parameter in slapd.conf for reference. Example:
sasl-regexp cn=(.*),cn=example.com,cn=gssapi,cn=auth
ldap:///dc=example,dc=com??sub?(uid=$1)
In OpenLDAP, the above line would search the directory context
dc=example,dc=com for an entry where the uid attribute value matches the GSSAPI
user ID and assign assign the entry's DN as the binddn.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
