SASL Identity Mapping
When processing a SASL bind request, the server matches, or maps, the SASL user
ID used to authenticate to the Directory Server to an LDAP entry stored within
the server.
If the user ID clearly corresponds to the LDAP entry for a person, the Directory
Server can be configured to map the authentication DN automatically to the entry
DN. Every branch in the directory tree has a default map, and customized maps can
be created. During a bind attempt, a custom map is selected (in no guaranteed
order) and applied. If exactly one user identity is returned, the bind is
successful; if none or more than one are returned, the next custom map is tried,
and so on, until the default map is tried. If no map works, the bind fails.
NOTE
SASL proxy authorization is not supported in Directory Server; therefore, the
server will ignore any SASL authzid supplied by the client.
SASL is configured by entries under a container entry:
dn: cn=sasl,cn=config
objectClass: top
objectClass: nsContainer
cn: sasl
SASL identity mapping entries are children of a second container entry:
dn: cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsContainer
cn: mapping
Mapping entries contain three attributes, nsSaslMapRegexString,
nsSaslMapFilterTemplate, and nsSaslMapBaseDNTemplate. The nsSaslMapping object
class sets these identity mapping parameters. The nsSaslMapRegexString attribute
is a regular expression matched against the bind ID; its capture groups become
variables of the form \1, \2, \3, etc., which are filled into the two template
attributes when the server searches for the entry. For example, assume the
nsSaslMapRegexString is set up as follows:
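As an added example (not the manual's own, and not code from Directory Server), the Python below simulates the mapping procedure described above: it parses two constructed nsSaslMapping entries in LDIF form, matches a bind ID against each nsSaslMapRegexString, expands the capture groups into nsSaslMapBaseDNTemplate and nsSaslMapFilterTemplate, runs the resulting search against a small constructed directory, and applies the rule that exactly one result means success while zero or several means the next map is tried. The map values, the directory entries, and the use of Python's re regex dialect are assumptions; the server's own regex syntax and the order in which it tries custom maps may differ.

```python
import re

# Constructed sample maps (not the manual's example), written as the children of
# cn=mapping,cn=sasl,cn=config that the text describes. The regex dialect here
# is Python's re; the server's own dialect may differ.
MAPPING_LDIF = r"""
dn: cn=mail style,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: mail style
nsSaslMapRegexString: ^([^@]+)@([^.]+)\.com$
nsSaslMapBaseDNTemplate: dc=\2,dc=com
nsSaslMapFilterTemplate: (uid=\1)

dn: cn=full name,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: full name
nsSaslMapRegexString: ^(.+)$
nsSaslMapBaseDNTemplate: dc=example,dc=com
nsSaslMapFilterTemplate: (cn=\1)
"""

# Constructed directory content that the expanded templates are searched against.
DIRECTORY = [
    {"dn": "uid=jdoe,ou=People,dc=example,dc=com", "uid": "jdoe", "cn": "John Doe"},
    {"dn": "uid=asmith,ou=People,dc=example,dc=com", "uid": "asmith", "cn": "Alice Smith"},
    {"dn": "uid=asmith,ou=Contractors,dc=example,dc=com", "uid": "asmith", "cn": "Alice Smith"},
]


def parse_ldif(text):
    """Minimal LDIF reader for this example: 'attr: value' lines, entries
    separated by blank lines. Continuation lines and base64 values are not handled."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, value = line.split(":", 1)
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def norm_dn(dn):
    """Normalize a DN just enough for suffix comparison (DN escaping is not handled)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def search(directory, base_dn, ldap_filter):
    """Subtree search supporting only a single equality filter '(attr=value)',
    which is all the templates in this example produce."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if m is None:
        raise ValueError("unsupported filter: " + ldap_filter)
    attr, value = m.group(1), m.group(2)
    base = norm_dn(base_dn)
    hits = []
    for entry in directory:
        dn = norm_dn(entry["dn"])
        in_scope = dn == base or dn.endswith("," + base)
        # uid and cn are matched case-insensitively, as with the default schema.
        if in_scope and entry.get(attr, "").lower() == value.lower():
            hits.append(entry["dn"])
    return hits


def map_sasl_identity(bind_id, maps, directory):
    """Apply the mapping rule the text describes: a map whose regex matches the
    bind ID has its numbered capture groups filled into the base DN and filter
    templates; exactly one entry means success, zero or several means the next
    map is tried. The server tries custom maps in no guaranteed order; this
    example walks them in list order and returns None where the bind would fail."""
    for mapping in maps:
        m = re.fullmatch(mapping["nsSaslMapRegexString"][0], bind_id)
        if m is None:
            continue
        base_dn = m.expand(mapping["nsSaslMapBaseDNTemplate"][0])
        ldap_filter = m.expand(mapping["nsSaslMapFilterTemplate"][0])
        hits = search(directory, base_dn, ldap_filter)
        if len(hits) == 1:
            return hits[0]
    return None


MAPS = parse_ldif(MAPPING_LDIF)

if __name__ == "__main__":
    # jdoe@example.com maps via the first map; "John Doe" misses the first regex
    # and maps via the second; asmith@example.com matches two entries under
    # dc=example,dc=com, the second map finds nothing, so the bind fails.
    for bind_id in ("jdoe@example.com", "John Doe", "asmith@example.com"):
        print(bind_id, "->", map_sasl_identity(bind_id, MAPS, DIRECTORY))
```

Note the second map: a regex such as ^(.+)$ copies the whole bind ID into the search filter. The page does not say how the server treats filter metacharacters in the substituted text, so constrain what a bind ID may contain with the regex itself (for example a character class such as [a-z0-9]+ for the uid group) rather than relying on the filter template to keep the search well-formed.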