Hi folks,
Busy again with the configuration of my OpenLDAP 2.4.11 test system, which includes Kerberos, SASL and GSSAPI, I now not only have replication working (with Kerberos authentication and encryption), but also SASL proxy authorization, which makes chaining possible (chasing referrals on behalf of clients).
For proxy authorization to work, I first had to create an LDAP object to represent the DN that the consumer server was authenticating with -- after the name of its Kerberos principal. Here it is in GSSAPI-format:
uid=ldap/ldapks2.example.com,cn=gssapi,cn=auth
Not wanting to use the person objectClass for this purpose, I used this instead:
dn: cn=ldap/ldapks2.example.com,ou=consumers,dc=example,dc=com
cn: ldap/ldapks2.example.com
objectClass: simpleSecurityObject
objectClass: organizationalRole
description: LDAP server2 replicator
saslAuthzTo: dn.regex:^uid=[^,]*,ou=users,dc=example,dc=com$
userPassword: {CRYPT}*
Does this look like the best solution? It does force me to include a userPassword attribute, for which I use an invalid hash, but otherwise there are no other unnecessary attributes. Still, I wonder if I could do better.
Any opinions?
Thanks,
Jaap
openldap-technical@openldap.org
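The following is an added example, not part of the post above and not code from the OpenLDAP project. It is an offline, simplified model of how slapd evaluates the saslAuthzTo rules on the consumer's entry: it parses the LDIF record from the post (embedded here as constructed sample data), normalizes DNs roughly the way slapd does (lowercase, whitespace stripped around RDN separators; real slapd uses schema-aware matching), and checks which authorization identities the consumer would be allowed to assume. Besides the dn.regex form used in the post it also handles the dn.exact, dn.children and dn.subtree forms from slapd.conf(5), so the scoping of a rule can be checked before it goes into a live directory. The regex check deliberately uses search semantics, as slapd's regexec does, which is why the anchors in the post's rule matter: without them the rule also matches DNs that merely contain the users subtree as a substring. The simple-bind check only reflects the fact that crypt(3) never produces "*" as output, so a stored {CRYPT}* value can never verify.

```python
import re

# Constructed sample: the consumer's authorization entry from the post,
# as a single LDIF record. It is sample data, not a live directory.
CONSUMER_LDIF = """\
dn: cn=ldap/ldapks2.example.com,ou=consumers,dc=example,dc=com
cn: ldap/ldapks2.example.com
objectClass: simpleSecurityObject
objectClass: organizationalRole
description: LDAP server2 replicator
saslAuthzTo: dn.regex:^uid=[^,]*,ou=users,dc=example,dc=com$
userPassword: {CRYPT}*
"""


def parse_ldif_record(text):
    """Parse one LDIF record into {attribute_name_lowercased: [values]}.

    Covers the subset needed here: 'attr: value' lines plus folded
    continuation lines (leading space). Base64 (::) values are not handled.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def normalize_dn(dn):
    """Approximate slapd's DN normalization (assumption: simplified model).

    Lowercases and strips whitespace around the ',' RDN separators. It does
    not understand escaped commas or schema matching rules like real slapd.
    """
    return ",".join(part.strip() for part in dn.split(",")).lower()


def authz_rule_allows(rule, target_dn):
    """Evaluate one saslAuthzTo value against a requested authorization DN.

    Supported forms: 'dn:'/'dn.exact:', 'dn.regex:', 'dn.children:' and
    'dn.subtree:'. Anything else (u:, ldap:/// URIs) is treated as no
    match, which is the safe default for a model like this.
    """
    target = normalize_dn(target_dn)
    style, _, value = rule.partition(":")
    style = style.strip().lower()
    if style in ("dn", "dn.exact"):
        return normalize_dn(value) == target
    if style == "dn.regex":
        # search, not fullmatch: slapd uses regexec(), so ^ and $ are the
        # only thing keeping the rule from matching a substring of a DN.
        return re.search(value, target, re.IGNORECASE) is not None
    base = normalize_dn(value)
    if style == "dn.children":
        return target != base and target.endswith("," + base)
    if style == "dn.subtree":
        return target == base or target.endswith("," + base)
    return False


def may_authorize_as(entry, target_dn):
    """True if any saslAuthzTo rule on the entry permits target_dn."""
    return any(authz_rule_allows(r, target_dn)
               for r in entry.get("saslauthzto", []))


def simple_bind_disabled(entry):
    """True when every stored userPassword is {CRYPT}*: crypt(3) never
    yields '*', so no password can ever verify against such a value."""
    values = entry.get("userpassword", [])
    return bool(values) and all(v == "{CRYPT}*" for v in values)


if __name__ == "__main__":
    consumer = parse_ldif_record(CONSUMER_LDIF)
    for dn in ("uid=alice,ou=users,dc=example,dc=com",
               "UID=Bob, ou=Users, dc=Example, dc=com",
               "uid=alice,ou=admins,dc=example,dc=com",
               "uid=eve,ou=users,dc=example,dc=com,dc=other"):
        print(f"{dn!r:55} -> {may_authorize_as(consumer, dn)}")
    print("simple bind disabled:", simple_bind_disabled(consumer))
```

Running it shows that the post's anchored rule admits only entries directly under ou=users (case and spacing aside) and rejects the admins branch and a DN that merely ends in a longer suffix, while the same pattern without ^ and $ would accept that longer suffix.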