To understand how this works, you need to know that when SASL authenticates a user,
OpenLDAP forms a distinguished name from the name given to it by SASL (such as
joe) and the name of the SASL flavor (GSSAPI). The result would be
uid=joe,cn=GSSAPI,cn=auth.
If an authz-regexp statement has been configured, OpenLDAP checks the DN formed from the SASL
information against the first argument, which is a regular expression. If this regular expression
matches, the name is replaced with the second argument of the authz-regexp
statement. The placeholder $1 is replaced with the substring matched by the (.*)
expression.
More complicated match expressions are possible. If you have a more complicated directory
structure or a schema in which the username is not part of the DN, you can even
use search expressions (LDAP URLs) instead of a fixed DN to map the SASL DN to the user DN.
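The following added example (not part of the guide, and not OpenLDAP's own code) walks through the mapping described above: it parses a constructed slapd.conf fragment containing two authz-regexp statements, one rewriting to a fixed DN and one to an LDAP search URL, and applies them to SASL DNs the way slapd does, first matching rule wins and $1 is filled from the capture group. The directory names (dc=example,dc=com, ou=people, ou=staff) and user names are made up; the case-insensitive matching is an assumption to cover both cn=GSSAPI and cn=gssapi, so check slapd.conf(5) for your version. The search-URL rule is only substituted here, not executed, because that would need a live directory.

```python
import re

# Constructed slapd.conf fragment: example values, not taken from the guide.
SLAPD_CONF = """
# Rule 1: GSSAPI users map straight onto an entry under ou=people.
authz-regexp
    uid=([^,]*),cn=GSSAPI,cn=auth
    uid=$1,ou=people,dc=example,dc=com

# Rule 2: any other SASL mechanism is resolved by an LDAP search for the uid.
authz-regexp
    uid=([^,]*),cn=[^,]*,cn=auth
    ldap:///ou=staff,dc=example,dc=com??one?(uid=$1)
"""


def parse_authz_regexp(conf):
    """Return (pattern, replacement) pairs in the order they appear.

    slapd.conf continues a directive on lines that begin with whitespace;
    blank lines and comment lines are ignored.
    """
    rules = []
    current = []

    def flush():
        if current:
            parts = " ".join(current).split()
            # parts: keyword, match pattern, replacement
            if parts[0] == "authz-regexp" and len(parts) == 3:
                rules.append((parts[1], parts[2]))
            current.clear()

    for line in conf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            current.append(line.strip())   # continuation of the directive
        else:
            flush()
            current.append(line.strip())   # start of a new directive
    flush()
    return rules


def map_sasl_dn(sasl_dn, rules):
    """Apply the first matching authz-regexp rule to a SASL-generated DN.

    $1..$9 in the replacement are filled from the pattern's capture groups.
    Returns the SASL DN unchanged when no rule matches (assumption: slapd then
    keeps the unmapped identity, which will not match any real entry).
    """
    for pattern, replacement in rules:
        m = re.search(pattern, sasl_dn, re.IGNORECASE)  # case-insensitivity assumed
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return sasl_dn


if __name__ == "__main__":
    rules = parse_authz_regexp(SLAPD_CONF)
    for dn in ("uid=joe,cn=GSSAPI,cn=auth", "uid=jane,cn=DIGEST-MD5,cn=auth"):
        print(dn, "->", map_sasl_dn(dn, rules))
```

Because only the first matching rule is applied, the order of authz-regexp statements matters: putting the generic search-URL rule first would send GSSAPI users through the search as well. Also, a pattern without a leading `uid=` anchor could match more of the SASL DN than intended, so keep the match expression as specific as the directory layout allows.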
6.5 For More Information
The official site of the MIT Kerberos is http://web.mit.edu/kerberos. There,
find links to any other relevant resource concerning Kerberos, including Kerberos in-
stallation, user, and administration guides.
The paper at ftp://athena-dist.mit.edu/pub/kerberos/doc/usenix.PS gives quite an
extensive insight into the basic principles of Kerberos without being too difficult to read.
It also provides a lot of opportunities for further investigation and reading about Kerberos.
The official Kerberos FAQ is available at http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html.
The book Kerberos—A Network Authentication System by Brian Tung (ISBN 0-201-37924-4)
offers extensive information.
Security Guide