From: Howard Chu Date: Wed, 26 Feb 2003 17:14:06 +0000 (+0000) Subject: Updated example for OpenLDAP 2.1.13 SASL/EXTERNAL on ldapi:// X-Git-Tag: NO_SLAP_OP_BLOCKS~275 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=dd3157bbe9f23d984fe32b2d8c36baae3cb73e61;p=openldap Updated example for OpenLDAP 2.1.13 SASL/EXTERNAL on ldapi:// --- diff --git a/contrib/ldapsasl/README b/contrib/ldapsasl/README index 36c3f6b990..db8d31e117 100644 --- a/contrib/ldapsasl/README +++ b/contrib/ldapsasl/README @@ -48,3 +48,19 @@ better for a real production environment. Please send feedback via the openldap-software mailing list for now. -- Howard Chu, 2002-07-12 + +Update... With OpenLDAP 2.1.13 you can use SASL/EXTERNAL on ldapi://. +This is fast and secure, and needs no username or password to be stored. +The SASL config file is just + +ldapdb_uri: ldapi:// +ldapdb_mech: EXTERNAL + +The slapd.conf will need to map these usernames to LDAP DNs: + +sasl-regexp uidNumber=(.*)\\+gidNumber=(.*),cn=peercred,cn=external,cn=auth + ldap:///dc=example,dc=com??sub?(&(uidNumber=$1)(gidNumber=$2)) + +sasl-regexp uid=(.*),cn=external,cn=auth + ldap:///dc=example,dc=com??sub?(uid=$1) +
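Review bot: the two sasl-regexp patterns added to the README are looser than they need to be; the `(.*)` captures are unanchored and accept any string, yet `uidNumber` and `gidNumber` are numeric and the captured values are substituted straight into the LDAP URL's search filter. Suggest anchoring and restricting them, e.g. `sasl-regexp ^uidNumber=([0-9]+)\\+gidNumber=([0-9]+),cn=peercred,cn=external,cn=auth$` for the first rule and `^uid=([^,]+),cn=external,cn=auth$` for the second, so the mapping only fires on the exact identity form each rule is meant to handle. It would also help readers if the text said which of the two identities each rule covers, since "map these usernames" does not explain why two regexps are needed.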