diff options
| author | Rich Megginson <rmeggins@redhat.com> | 2008-11-05 18:21:06 +0000 |
|---|---|---|
| committer | Rich Megginson <rmeggins@redhat.com> | 2008-11-05 18:21:06 +0000 |
| commit | 16c994ace5d2eb635bf3847b5fe4c96c46fdd8a2 (patch) | |
| tree | e039e7e872d256c18ba0deeb745f32712612b049 /ldap/ldif | |
| parent | 7e35a10850563a5cd61289b4330279b69b087128 (diff) | |
| download | ds-16c994ace5d2eb635bf3847b5fe4c96c46fdd8a2.tar.gz ds-16c994ace5d2eb635bf3847b5fe4c96c46fdd8a2.tar.xz ds-16c994ace5d2eb635bf3847b5fe4c96c46fdd8a2.zip | |
Resolves: bug 469261
Bug Description: Support server-to-server SASL - part 2
Reviewed by: nhosoi (Thanks!)
Fix Description: This part focuses on chaining backend - allowing the mux server to use SASL to connect to the farm server, and allowing SASL authentication to chain. I had to add two new config parameters for chaining:
nsUseStartTLS - on or off - tell connection to use startTLS - default is off
nsBindMechanism - if absent, will just use simple auth. If present, this must be one of the supported mechanisms (EXTERNAL, GSSAPI, DIGEST-MD5) - default is absent (simple bind)
The chaining code uses a timeout, so I had to add a timeout to slapi_ldap_bind, and correct the replication code to pass in a NULL for the timeout parameter.
Fixed a bug in the starttls code in slapi_ldap_init_ext.
The sasl code uses an internal search to find the entry corresponding to the sasl user id. This search could not be chained due to the way it was coded. So I added a new chainable component called cn=sasl and changed the sasl internal search code to use this component ID. This allows the sasl code to work with a chained backend. In order to use chaining with sasl, this component must be set in the chaining configuration nsActiveChainingComponents. I also discovered that password policy must be configured too, in order for the sasl code to determine if the account is locked out.
I fixed a bug in the sasl mapping debug trace code.
Still to come - sasl mappings to work with all of this new code - kerberos code improvements - changes to pta and dna
Platforms tested: Fedora 8, Fedora 9
Flag Day: yes
Doc impact: yes
Diffstat (limited to 'ldap/ldif')
| -rw-r--r-- | ldap/ldif/template-dse.ldif.in | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/ldap/ldif/template-dse.ldif.in b/ldap/ldif/template-dse.ldif.in index 1767cfbe..98aa21af 100644 --- a/ldap/ldif/template-dse.ldif.in +++ b/ldap/ldif/template-dse.ldif.in @@ -752,6 +752,9 @@ nsTransmittedControls: 1.2.840.113556.1.4.473 nsTransmittedControls: 1.3.6.1.4.1.1466.29539.12 nsPossibleChainingComponents: cn=resource limits,cn=components,cn=config nsPossibleChainingComponents: cn=certificate-based authentication,cn=components,cn=config +nsPossibleChainingComponents: cn=password policy,cn=components,cn=config +nsPossibleChainingComponents: cn=sasl,cn=components,cn=config +nsPossibleChainingComponents: cn=roles,cn=components,cn=config nsPossibleChainingComponents: cn=ACL Plugin,cn=plugins,cn=config nsPossibleChainingComponents: cn=old plugin,cn=plugins,cn=config nsPossibleChainingComponents: cn=referential integrity postoperation,cn=plugins,cn=config |