HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

dn: cn=example map,cn=mapping,cn=sasl,cn=config
objectclass: top
objectclass: nsSaslMapping
cn: example map
nsSaslMapRegexString: \(.*\)
nsSaslMapBaseDNTemplate: ou=People,dc=example,dc=com
nsSaslMapFilterTemplate: (cn=\1)
This matches any user ID and maps it to an entry under the ou=People,dc=example,dc=com
subtree that meets the filter cn=userId.
Mappings can be confined to a single realm by specifying the realm in the
nsSaslMapRegexString attribute. For example:
dn: cn=example map,cn=mapping,cn=sasl,cn=config
objectclass: top
objectclass: nsSaslMapping
cn: example map
nsSaslMapRegexString: \(.*\)@US.EXAMPLE.COM
nsSaslMapBaseDNTemplate: ou=People,dc=example,dc=com
nsSaslMapFilterTemplate: (cn=\1)
This mapping is identical to the previous mapping, except that it only applies to users authenticating
from the US.EXAMPLE.COM realm. (Realms are described in “About principals and realms” (page
503).)
When a server connects to another server, such as during replication or with chaining, the default
mappings will not properly map the identities. This is because the principal (SASL identity)
for one server does not match the principal on the server where authentication is taking place, so
it does not match the mapping entries.
To allow server-to-server authentication using SASL, create a mapping for the specific server
principal to a specific user entry. For example, this mapping matches the ldap1.example.com
server to the cn=replication manager,cn=config entry. The mapping entry itself is created
on the second server, such as ldap2.example.com.
dn: cn=z,cn=mapping,cn=sasl,cn=config
objectclass: top
objectclass: nsSaslMapping
cn: z
nsSaslMapRegexString: ldap/ldap1.example.com@EXAMPLE.COM
nsSaslMapBaseDNTemplate: cn=replication manager,cn=config
nsSaslMapFilterTemplate: (objectclass=*)
Sometimes, the realm name is not included in the principal name in SASL GSS-API configuration.
A second mapping can be created, which is identical to the first, only without specifying the realm
in the principal name. For example:
dn: cn=y,cn=mapping,cn=sasl,cn=config
objectclass: top
objectclass: nsSaslMapping
cn: y
nsSaslMapRegexString: ldap/ldap1.example.com
nsSaslMapBaseDNTemplate: cn=replication manager,cn=config
nsSaslMapFilterTemplate: (objectclass=*)
Because the realm is not specified, the second mapping is more general (meaning, it has the
potential to match more entries than the first). The best practice is to have more specific mappings
processed first and gradually progress through more general mappings.
There is no way to specify the order that mappings are processed. However, there is a way to
control how SASL mappings are processed: the name. The Directory Server processes SASL
mappings in reverse ASCII order. In the previous two examples, the cn=z mapping (the first
example) is processed first. If there is no match, the server processes the cn=y mapping (the second
example).
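The following Python model of the mapping process is an added example, not code from the guide or from Directory Server itself. It loads the three mappings shown above, sorts them by cn in reverse ASCII order, and resolves a SASL identity to the search base and filter the server would use; it assumes unanchored regex matching (as with POSIX regexec) and converts the BRE grouping syntax of nsSaslMapRegexString to Python syntax. The RFC 4514/4515 escaping of captured values is a hardening added in this example, not something the page states the server does.

```python
import re
from typing import Callable, Optional, Tuple

# Constructed sample mappings modelled on the three entries on this page
# (cn, nsSaslMapRegexString, nsSaslMapBaseDNTemplate, nsSaslMapFilterTemplate).
MAPPINGS = [
    {"cn": "example map", "regex": r"\(.*\)@US.EXAMPLE.COM",
     "base": "ou=People,dc=example,dc=com", "filter": r"(cn=\1)"},
    {"cn": "z", "regex": r"ldap/ldap1.example.com@EXAMPLE.COM",
     "base": "cn=replication manager,cn=config", "filter": "(objectclass=*)"},
    {"cn": "y", "regex": r"ldap/ldap1.example.com",
     "base": "cn=replication manager,cn=config", "filter": "(objectclass=*)"},
]

def bre_to_python(pattern: str) -> str:
    """nsSaslMapRegexString groups with POSIX BRE backslash-parens; Python uses bare parens."""
    return pattern.replace(r"\(", "(").replace(r"\)", ")")

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter (hardening added here)."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\0" else c for c in value)

def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for a value substituted into a DN (hardening added here)."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    return out[:-1] + "\\ " if out.endswith(" ") else out

def fill(template: str, match: re.Match, esc: Callable[[str], str]) -> str:
    """Replace backreferences 1..9 in a template with the escaped captured groups."""
    return re.sub(r"\\(\d)", lambda g: esc(match.group(int(g.group(1)))), template)

def resolve(principal: str, mappings=MAPPINGS) -> Optional[Tuple[str, str, str]]:
    """Return (mapping cn, search base, search filter) for the first matching mapping."""
    # The page states mappings are processed in reverse ASCII order of their cn.
    for m in sorted(mappings, key=lambda m: m["cn"], reverse=True):
        # Assumption: unanchored substring matching, as with POSIX regexec().
        match = re.search(bre_to_python(m["regex"]), principal)
        if match:
            return (m["cn"], fill(m["base"], match, escape_dn_value),
                    fill(m["filter"], match, escape_filter_value))
    return None  # no mapping matched: the server has no entry to bind as

if __name__ == "__main__":
    for p in ("ldap/ldap1.example.com@EXAMPLE.COM", "ldap/ldap1.example.com",
              "jsmith@US.EXAMPLE.COM", "nobody@OTHER.EXAMPLE.COM"):
        print(p, "->", resolve(p))
```

Note that with substring matching the cn=y pattern also matches the realm-qualified principal, which is exactly why the reverse ASCII ordering matters, and that the unescaped dots in the page's patterns match any character.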
13.1 Overview of SASL in Directory Server 501