In my reading of the admin guide (sections 15.2.5 - 15.2.7), mapping of a
"username" to a DN is a common configuration, and allows for other
functionality. I am trying to use the authz-regexp below to do the mapping:
olcAuthzRegexp: {0}uid=([^,]+),cn=bpk2.com,cn=gssapi,cn=auth
uid=$1,ou=Users,dc=bpk2,dc=com
I am no regex guru, so I don't know if the above is appropriate. If I
compare the above to the admin guide, I notice that mine is uid=([^,]+),
whereas the docs show uid=([^,]*). The + vs. the * might be an issue. Can
that be confirmed?
On Sat, Mar 16, 2013 at 2:27 PM, Dan White <[email protected]> wrote:
> In my experience, authorization is not a standardized concept, even among
> servers that support sasl, ldap, and/or kerberos authentication.
>
> In general, approaches which are most likely to bear fruit:
>
> unix group membership
> =====================
>
> Install an ldap nss module on the server, and add objectClass posixGroup to
> your group entries. Specify "member: <user_id>" for each member of the
> group. Find out if a given server (such as squid) supports such
> authorization, either by way of a getgrent system call (such as with
> openssh), or via some pam group module during authentication.
>
> RADIUS (freeradius ldap backend)
> ================================
>
> If the server supports radius authentication, then you have flexibility in
> granting authentication based on an ldap attribute or ldap group
> membership, by way of its ldap backend module.
>
> pam ldap module
> ===============
>
> If the server supports pam authentication, then use an ldap pam module
> (nssov, pam-nss-ldapd, or pam_ldap) to grant authentication based on
> an ldap attribute or ldap group membership.
>
> I'm not aware of a way to grant authorization solely by using kerberos.
>
> --
> Dan White
>
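The mapping asked about at the top of the thread, worked through as an added example that is not part of the thread and is not OpenLDAP's own code. It is a small Python approximation of how an authz-regexp rule rewrites the SASL-derived DN (uid=<authcid>,cn=<realm>,cn=<mech>,cn=auth) into a directory DN: the pattern is applied with POSIX-regexec-style unanchored, case-insensitive matching and $1 is substituted from the first capture group. The three things it makes visible are the difference between the poster's ([^,]+) and the admin guide's ([^,]*) on an empty authcid, that the unescaped dot in bpk2.com matches any character, and that an authcid carrying an @REALM suffix is captured whole. The input strings are constructed for this example, and the "strict" rule (anchored, dot escaped) is my own suggested variant, not something the post or the guide shows.

```python
import re

# The rule as posted (dot in bpk2.com left unescaped, as in the post).
OP_MATCH = r"uid=([^,]+),cn=bpk2.com,cn=gssapi,cn=auth"
# The same rule with the admin guide's '*' quantifier.
DOC_MATCH = r"uid=([^,]*),cn=bpk2.com,cn=gssapi,cn=auth"
# Suggested variant (assumption, not from the post): anchored, dot escaped.
STRICT_MATCH = r"^uid=([^,]+),cn=bpk2\.com,cn=gssapi,cn=auth$"
REPLACE = "uid=$1,ou=Users,dc=bpk2,dc=com"

# Constructed SASL identities, not captured from a real slapd.
CONSTRUCTED = {
    "normal":     "uid=alice,cn=bpk2.com,cn=gssapi,cn=auth",
    "empty_uid":  "uid=,cn=bpk2.com,cn=gssapi,cn=auth",
    "dot_as_any": "uid=alice,cn=bpk2Xcom,cn=gssapi,cn=auth",
    "with_realm": "uid=alice@BPK2.COM,cn=bpk2.com,cn=gssapi,cn=auth",
}


def apply_rule(sasl_dn, match, replace=REPLACE):
    """Apply one authz-regexp-style rule; return the rewritten DN or None.

    Approximation of slapd's behaviour written for this example: the
    pattern is searched unanchored (as POSIX regexec does unless the
    pattern carries ^/$) and case-insensitively, and $1..$9 in the
    replacement are filled from the capture groups.
    """
    m = re.search(match, sasl_dn, re.IGNORECASE)
    if m is None:
        return None
    out = replace
    for i, group in enumerate(m.groups(), start=1):
        out = out.replace(f"${i}", group)
    return out


def first_match(sasl_dn, rules):
    """Rules are tried in order; the first one that matches is used."""
    for match, replace in rules:
        dn = apply_rule(sasl_dn, match, replace)
        if dn is not None:
            return dn
    return None


def compare(sasl_dn):
    """Result of the three rules on one identity, for side-by-side reading."""
    return {
        "op":     apply_rule(sasl_dn, OP_MATCH),
        "doc":    apply_rule(sasl_dn, DOC_MATCH),
        "strict": apply_rule(sasl_dn, STRICT_MATCH),
    }


if __name__ == "__main__":
    for name, identity in CONSTRUCTED.items():
        print(f"{name:11} {identity}")
        for rule, dn in compare(identity).items():
            print(f"    {rule:7} -> {dn}")
```

The empty-uid case is the one that separates the two quantifiers: with ([^,]+) the rule simply does not match and slapd falls through to the next rule (or leaves the SASL DN unmapped), whereas ([^,]*) happily produces uid=,ou=Users,dc=bpk2,dc=com. Neither version stops bpk2Xcom from matching, which is why the strict variant escapes the dot and anchors the pattern.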