HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

13.1.1 About SASL identity mapping
When processing a SASL bind request, the server matches, or maps, the SASL authentication ID
used to authenticate to the Directory Server with an LDAP entry stored within the server. When
using Kerberos, the SASL user ID usually has the format userid@REALM, such as
scarter@EXAMPLE.COM. This ID must be converted into the DN of the user's Directory Server
entry, such as uid=scarter,ou=people,dc=example,dc=com.
If the authentication ID clearly corresponds to the LDAP entry for a person, it is possible to configure
the Directory Server to map the authentication ID automatically to the entry DN. Directory Server
has some preconfigured default maps that handle most common configurations, and customized
maps can be created. During a bind attempt, the first mapping rule whose regular expression
matches the authentication ID is applied, and no later rule is tried. If the search that rule
produces returns exactly one entry, the bind proceeds as that entry; if it returns no entry, or
more than one, the bind fails.
Configure SASL maps so that, for every authentication ID you expect, exactly one mapping rule
matches the authentication string and that rule's search yields exactly one entry.
SASL mappings are configured by entries under a container entry:
dn: cn=sasl,cn=config
objectClass: top
objectClass: nsContainer
cn: sasl
SASL identity mapping entries are children of this entry:
dn: cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsContainer
cn: mapping
Mapping entries are defined by three attributes:
nsSaslMapRegexString, the regular expression that is used to map the elements of the
supplied authid
nsSaslMapFilterTemplate, a template that applies the elements of the
nsSaslMapRegexString to create the DN
nsSaslMapBaseDNTemplate, which provides the search base or a specific entry DN to
match against the constructed DN
For example:
dn: cn=mymap,cn=mapping,cn=sasl,cn=config
objectclass: top
objectclass: nsSaslMapping
cn: mymap
nsSaslMapRegexString: \(.*\)@\(.*\)\.\(.*\)
nsSaslMapFilterTemplate: (objectclass=inetOrgPerson)
nsSaslMapBaseDNTemplate: uid=\1,ou=people,dc=\2,dc=\3
The nsSaslMapRegexString attribute captures groups of the bind ID as variables of the form \1, \2,
\3, which are substituted into the two template attributes before the search is run. This example
sets up a SASL identity mapping for any user in the ou=People,dc=example,dc=com subtree whose
entry belongs to the inetOrgPerson object class.
When a Directory Server receives a SASL bind request with mconnors@EXAMPLE.COM as the
user ID (authid), the regular expression captures mconnors, EXAMPLE and COM, and the base DN
template expands to uid=mconnors,ou=people,dc=EXAMPLE,dc=COM. The server then searches for
that entry with the filter (objectclass=inetOrgPerson); if exactly one entry is returned,
authentication proceeds as that entry. Note that \2 and \3 are taken from the realm part of the
authentication ID and placed directly into the DN, so with this map the realm presented at bind
time, not local configuration, determines which suffix is searched.
NOTE:
The dc values are not case sensitive, so dc=EXAMPLE and dc=example are equivalent.
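The following simulation of the mapping step is an added example and is not part of the
administrator guide or of the Directory Server code. It assumes a constructed in-memory
directory and a search that supports only the simple equality filter used on this page. It applies the
example map above to a bind ID, shows the case-insensitive DN comparison from the note, and
shows the two failure modes: a map whose search returns no entry (here, a uid=backup account that
is not an inetOrgPerson) and a deliberately broad map (assumed, not from the guide) whose search
returns more than one entry.

```python
"""Simulation of Directory Server SASL identity mapping (added example, not product code)."""
import re

# Constructed in-memory directory standing in for the dc=example,dc=com suffix.
DIRECTORY = [
    {"dn": "uid=scarter,ou=people,dc=example,dc=com",
     "objectclass": ["top", "person", "inetOrgPerson"], "uid": ["scarter"]},
    {"dn": "uid=mconnors,ou=people,dc=example,dc=com",
     "objectclass": ["top", "person", "inetOrgPerson"], "uid": ["mconnors"]},
    # A service account that is not an inetOrgPerson: the filter template must reject it.
    {"dn": "uid=backup,ou=people,dc=example,dc=com",
     "objectclass": ["top", "account"], "uid": ["backup"]},
]

# The cn=mymap entry from the page as (regex, base DN template, filter template).
MAPS = [
    (r"\(.*\)@\(.*\)\.\(.*\)", r"uid=\1,ou=people,dc=\2,dc=\3", "(objectclass=inetOrgPerson)"),
]

# Assumed, over-broad map: the base DN is the whole suffix and the filter does not use \1,
# so the search returns every inetOrgPerson and the bind fails on "more than one entry".
BROAD_MAPS = [
    (r"\(.*\)@\(.*\)\.\(.*\)", r"dc=\2,dc=\3", "(objectclass=inetOrgPerson)"),
]


def normalize_dn(dn):
    """Comparison key for DNs: dc=EXAMPLE and dc=example compare equal, spacing ignored."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def posix_to_python(regex):
    r"""The guide writes groups in POSIX basic syntax, \( \); Python's re module wants ( )."""
    return regex.replace(r"\(", "(").replace(r"\)", ")")


def expand(template, groups):
    r"""Substitute the capture groups for \1, \2, ... in a template string."""
    for i, group in enumerate(groups, start=1):
        template = template.replace("\\%d" % i, group)
    return template


def matches_filter(entry, filt):
    """Evaluate a single (attr=value) equality filter, case-insensitively."""
    m = re.fullmatch(r"\((\w+)=([^()]*)\)", filt)
    if not m:
        raise ValueError("unsupported filter in this example: %s" % filt)
    attr, value = m.group(1).lower(), m.group(2).lower()
    return any(v.lower() == value for v in entry.get(attr, []))


def search(directory, base_dn, filt):
    """Subtree search: the base entry itself plus everything beneath it."""
    base = normalize_dn(base_dn)
    hits = []
    for entry in directory:
        key = normalize_dn(entry["dn"])
        if (key == base or key.endswith("," + base)) and matches_filter(entry, filt):
            hits.append(entry)
    return hits


def map_authid(authid, maps=MAPS, directory=DIRECTORY):
    """Return the DN the bind proceeds as, or None when the bind must fail.

    Only the first map whose regex matches is applied; the bind succeeds only
    when that map's search returns exactly one entry.
    """
    for regex, base_template, filter_template in maps:
        m = re.search(posix_to_python(regex), authid)
        if not m:
            continue
        base_dn = expand(base_template, m.groups())
        filt = expand(filter_template, m.groups())
        hits = search(directory, base_dn, filt)
        return hits[0]["dn"] if len(hits) == 1 else None
    return None  # no mapping rule matched the authentication ID


if __name__ == "__main__":
    for authid in ("mconnors@EXAMPLE.COM", "backup@EXAMPLE.COM", "nobody@EXAMPLE.COM"):
        print(authid, "->", map_authid(authid))
    print("broad map:", map_authid("mconnors@EXAMPLE.COM", maps=BROAD_MAPS))
```

The script treats the regular expression as an unanchored search and the base DN as a subtree
search base, which is how the guide describes the templates; check the server's own regex engine
and anchor the pattern explicitly if a map must match the whole authentication ID.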
The Directory Server can also use a more inclusive mapping scheme, such as the following: