From 3f0905a5292ad9a9128f0087cf7f4ad06b128fe8 Mon Sep 17 00:00:00 2001 From: Kurt Zeilenga Date: Thu, 18 Jan 2001 08:55:30 +0000 Subject: [PATCH] Fix up GSSAPI --- doc/guide/admin/sasl.sdf | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/doc/guide/admin/sasl.sdf b/doc/guide/admin/sasl.sdf index fa3caf8944..bffd4f2cf8 100644 --- a/doc/guide/admin/sasl.sdf +++ b/doc/guide/admin/sasl.sdf @@ -122,12 +122,21 @@ use of the GSSAPI mechanism by specifying {{EX:-Y GSSAPI}} as a command option. For the purposes of authentication and authorization, {{slapd}}(8) -associated the non-mapped authentication DN of +associates a non-mapped authentication DN of the form: -> uid=user@REALM,cn=GSSAPI,cn=authzid +> uid=principal,cn=GSSAPI,cn=authzid -for the GSSAPI principal "user@REALM". The may be subsequently -mapped as detailed below. +If the user principal is within the same realm, the realm is +trimmed from the principal. Continuting our example, a user +with the Kerberos principal {{EX:kurt@EXAMPLE.COM}} would have +the associated DN: + +> uid=kurt,cn=GSSAPI,cn=authzid + +and the principal {{EX:ursula@@FORIEGN.REALM}} would have the +associated DN: + +> uid=ursula@FOREIGN-REALM,cn=GSSAPI,cn=authzid H3: KERBEROS_V4 -- 2.39.5
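Review bot: The added foreign-realm example is internally inconsistent. The principal is written `{{EX:ursula@@FORIEGN.REALM}}` ("FORIEGN" misspelled, dot separator, and a doubled `@` that looks like a typo unless it is a deliberate markup escape), while the DN line below it reads `uid=ursula@FOREIGN-REALM,cn=GSSAPI,cn=authzid` with a hyphen. Readers will copy this DN form into mapping and access rules, so both lines should use one realm spelling, for instance `FOREIGN.REALM` in each. In the same added paragraph, "Continuting" should be "Continuing". The sentence "If the user principal is within the same realm" does not say the same realm as what; stating the reference realm would make clear when trimming applies and when a bare `uid=kurt` is produced. The patch also drops the sentence saying the DN may be subsequently mapped as detailed below, while keeping the term "non-mapped"; consider keeping a corrected form of that pointer.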