--On Thursday, February 22, 2007 12:59 AM +0100 Pierangelo Masarati <ando@sys-net.it> wrote:

> Quanah Gibson-Mount wrote:
>> Sure. Which configuration do you want me to try it with? ;) Here is -d -1 with this config:
>>
>> idassert-bind bindmethod=sasl saslmech=gssapi realm=stanford.edu authcID=service/mailrouter@stanford.edu
>>     authzID=dn:cn=mailrouter,cn=service,cn=applications,dc=stanford,dc=edu
>
> First of all, what's missing here is the "mode" parameter; what do you want the proxy to do? Bind as "service/mailrouter@stanford.edu", SASL authorize as "dn:cn=mailrouter,cn=service,cn=applications,dc=stanford,dc=edu" and then? Proxy authorize as the incoming request? Just keep the "cn=mailrouter,cn=service,cn=applications,dc=stanford,dc=edu" identity?
What I want it to do is bind using the Krb5 ticket cache specified in slapd's environment, and use whatever identity gets *automatically* negotiated on the remote server's side. All this authcID and authzID stuff is really unnecessary, since the remote server handles it anyway.
What "service/mailrouter@stanford.edu" gets mapped to on the remote server IS "cn=mailrouter,cn=service,cn=applications,dc=stanford,dc=edu" by the authz-regexp rule on the remote server.
--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
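For readers following the thread, here is an added illustration (not configuration posted by either participant) of the two halves being discussed: the proxy's idassert-bind with the mode parameter Pierangelo asks about, and the kind of authz-regexp rule on the remote server that Quanah says maps the Kerberos principal to the service entry. Directive syntax follows slapd-ldap(5) and slapd.conf(5); the choice of mode=none, the assumed SASL-derived DN form and the exact regexp are assumptions, not something the thread states.

```conf
# Added example, not from the thread. Directive names follow
# slapd-ldap(5) / slapd.conf(5); mode=none and the regexp are assumptions.

# --- proxy side (slapd-ldap backend) ---
# Bind to the remote server with GSSAPI, using the Kerberos ticket cache
# taken from slapd's environment (KRB5CCNAME). mode=none is assumed here:
# after the SASL bind the proxy asserts no further identity, so the
# identity used on the remote side is whatever that server derives from
# the GSSAPI authentication, which is what the reply asks for. No authzID
# is given, since the remote server performs the mapping itself.
idassert-bind   bindmethod=sasl
                saslmech=gssapi
                realm=stanford.edu
                authcID=service/mailrouter@stanford.edu
                mode=none

# --- remote server side ---
# Assumption: a GSSAPI authentication for authcid "service/mailrouter"
# in realm stanford.edu is presented to authz-regexp as the synthetic DN
#   uid=service/mailrouter,cn=stanford.edu,cn=gssapi,cn=auth
# This assumed rule maps that to the service's real entry. The pattern is
# anchored and the captured name excludes "," and "/" so that only
# principals of the form service/<name> in this realm are rewritten.
authz-regexp
    "^uid=service/([^,/]+),cn=stanford.edu,cn=gssapi,cn=auth$"
    "cn=$1,cn=service,cn=applications,dc=stanford,dc=edu"
```

Whether the mapped identity actually lands on the remote server can be confirmed from that server's debug output (the -d -1 run mentioned in the thread) rather than from the proxy side.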