Legacy Identity Mapping; Configuring Sasl Identity Mapping From The Console - Red Hat DIRECTORY SERVER 7.1 - ADMINISTRATOR Administrator's Manual

Introduction to SASL
dn: cn=mymap,cn=mapping,cn=sasl,cn=config
objectclass: top
objectclass: nsSaslMapping
cn: mymap
nsSaslMapRegexString: (.*)@(.*)\.(.*)
nsSaslMapFilterTemplate: (objectclass=inetOrgPerson)
nsSaslMapBaseDNTemplate: uid=\1,ou=people,dc=\2,dc=\3
A bind attempt with mconnors@example.com would match the regular expression and "fill in" the base DN template with uid=mconnors,ou=people,dc=example,dc=com as the authentication ID, and authentication would proceed from there.
You could also write a broader mapping scheme, such as the following:
dn: cn=mymap2,cn=mapping,cn=sasl,cn=config
objectclass: top
objectclass: nsSaslMapping
cn: mymap2
nsSaslMapRegexString: .*
nsSaslMapBaseDNTemplate: ou=People,dc=example,dc=com
nsSaslMapFilterTemplate: (cn=&)
This will match any user ID and map to the result of the subtree search with base ou=People,dc=example,dc=com and filter cn=userId.

Legacy Identity Mapping

Older versions of Directory Server supported a limited set of SASL mechanisms, EXTERNAL and DIGEST-MD5. These mechanisms have simple username-based identities, so the server implements a simple identity mapping scheme using the uid to find the corresponding directory entries. A user binds with an authentication DN such as uid=bjensen,ou=people,dc=example,dc=com, and the server searches across the entire directory contents, looking for an entry with a corresponding uid. This identity mapping is hard-coded and cannot be changed.
Because Kerberos has more complicated identities (see "Realms," on page 444),
Directory Server supports regular expression-based mapping schemes. In
processing a bind request, the server first tries to apply any regular expression
mapping, if configured. If no match is found, then the server tries to apply legacy
mapping.
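As an added illustration (not code from the manual or from Directory Server), the following Python example models the lookup order described above: the page's two regular expression mappings are tried first, then the legacy uid mapping. Python's regex dialect, full-match anchoring, RFC 4514/4515 escaping of substituted values, the handling of & after an opening parenthesis, and the empty search base standing for "entire directory" are assumptions of this example.

```python
import re

# The page's two mappings: (regex, base DN template, filter template).
MAPPINGS = [
    (r"(.*)@(.*)\.(.*)", r"uid=\1,ou=people,dc=\2,dc=\3",
     "(objectclass=inetOrgPerson)"),
    (r".*", "ou=People,dc=example,dc=com", "(cn=&)"),
]

def esc_dn(value):
    """Escape text for use as an RDN value (RFC 4514 special characters)."""
    out = re.sub(r'([,+"\\<>;=])', r"\\\1", value)
    if value[:1] in ("#", " "):
        out = "\\" + out
    if len(value) > 1 and value.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def esc_filter(value):
    """Escape text for use as a filter assertion value (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def expand(template, match, esc):
    """Replace \\1..\\9 with captured groups and & with the whole identity.
    An & directly after '(' is kept, so AND filters survive (assumption)."""
    def repl(tok):
        text = tok.group(0)
        group = 0 if text == "&" else int(text[1])
        return esc(match.group(group) or "")
    return re.sub(r"\\[1-9]|(?<!\()&", repl, template)

def map_identity(sasl_id, mappings=MAPPINGS):
    """Return (search base, filter, rule used), or None if nothing applies."""
    for regex, base_t, filter_t in mappings:
        m = re.fullmatch(regex, sasl_id)  # full-match anchoring: assumption
        if m:
            return (expand(base_t, m, esc_dn),
                    expand(filter_t, m, esc_filter), "regex")
    # Legacy fallback described on the page: take the uid from the
    # authentication DN and search the whole directory (base "" here).
    m = re.match(r"uid=([^,]+)", sasl_id, re.IGNORECASE)
    if m:
        return "", "(uid=%s)" % esc_filter(m.group(1)), "legacy"
    return None
```

In this model, mconnors@eng.example.com maps to dc=eng.example,dc=com because both (.*) groups are greedy, so a mapping like mymap is worth checking against the directory's actual suffix layout before relying on it.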
Configuring SASL Identity Mapping from the Console
1. In the Console, open the Directory Server.
442
Red Hat Directory Server Administrator's Guide • May 2005
