On Mon, Jan 10, 2011 at 11:48:37AM -0800, Howard Chu wrote:
No problem. I propose the following to bring the docs in line with behaviour.
This looks a bit too specific, the olcSaslRealm setting affects other SASL mechanisms too.
True, although this text is under the GSSAPI subheading so I would read it as specific to the GSSAPI mechanism.
For GSSAPI it should probably just say not to specify olcSaslRealm at all since the mechanism has its own notion of realms already.
If they are using a mixture of SASL mechanisms then they might need to set olcSaslRealm for the benefit of another one.
How about this:
-------------------------------------------------------------------
If you are using only GSSAPI authentication then you should not configure olcSaslRealm. If you do, then it is always inserted as an extra component in the authorization DN, regardless of the realm of the client. For example, if you set olcSaslRealm to {{EX:example.com}} then you will get:

    uid=kurt,cn=example.com,cn=gssapi,cn=auth
    uid=ursula/admin@foreign.realm,cn=example.com,cn=gssapi,cn=auth
-------------------------------------------------------------------
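Added example, not part of the original message or of OpenLDAP: a small Python check that parses SASL authorization DNs of the form shown in the proposed text and reports GSSAPI entries that carry the extra realm component. The function names and the sample list are assumptions made for this illustration; the sample DNs are constructed from the two in the proposed text plus one without a realm component.

```python
import re

# Layout assumed here: uid=<user>[,cn=<realm>],cn=<mechanism>,cn=auth
_AUTH_DN = re.compile(
    r"^uid=(?P<uid>(?:\\.|[^,\\])+)"
    r"(?:,cn=(?P<realm>(?:\\.|[^,\\])+))?"
    r",cn=(?P<mech>[^,]+),cn=auth$",
    re.IGNORECASE,
)

def parse_auth_dn(dn):
    """Split a SASL authorization DN into uid, realm component and mechanism."""
    m = _AUTH_DN.match(dn.strip())
    if m is None:
        raise ValueError(f"not a SASL authorization DN: {dn!r}")
    return {"uid": m["uid"], "realm": m["realm"], "mech": m["mech"].lower()}

def check_gssapi_dn(dn):
    """Return findings for one DN; an empty list means nothing to report."""
    parts = parse_auth_dn(dn)
    findings = []
    if parts["mech"] != "gssapi" or parts["realm"] is None:
        return findings
    findings.append(f"realm component cn={parts['realm']} present on a GSSAPI DN")
    # A client from another Kerberos realm keeps its own @realm in the uid,
    # so the inserted component does not say where the client came from.
    _, at, client_realm = parts["uid"].rpartition("@")
    if at and client_realm.lower() != parts["realm"].lower():
        findings.append(
            f"uid carries realm {client_realm}, component says {parts['realm']}"
        )
    return findings

# Constructed sample input (illustrative, not taken from a real server log).
SAMPLE_DNS = [
    "uid=kurt,cn=gssapi,cn=auth",
    "uid=kurt,cn=example.com,cn=gssapi,cn=auth",
    "uid=ursula/admin@foreign.realm,cn=example.com,cn=gssapi,cn=auth",
]

def audit(dns):
    """Map each DN that has findings to its list of findings."""
    return {dn: f for dn in dns if (f := check_gssapi_dn(dn))}

if __name__ == "__main__":
    for dn, findings in audit(SAMPLE_DNS).items():
        print(dn, "->", "; ".join(findings))
```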