9.9. Setting up SASL Identity Mapping
9.9.1. About SASL Identity Mapping
scarter@EXAMPLE.COM. This ID must be converted into the DN of the user's Directory Server entry, such as uid=scarter,ou=people,dc=example,dc=com.
dn: cn=sasl,cn=config
objectClass: top
objectClass: nsContainer
cn: sasl

dn: cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsContainer
cn: mapping
- nsSaslMapRegexString: The regular expression which is used to map the elements of the supplied authid.
- nsSaslMapFilterTemplate: A template which applies the elements of the nsSaslMapRegexString to create the DN.
- nsSaslMapBaseDNTemplate: Provides the search base or a specific entry DN to match against the constructed DN.
- Optional:
  - nsSaslMapPriority: Sets the priority of this SASL mapping. The priority value is used if nsslapd-sasl-mapping-fallback is enabled in cn=config. For details, see Section 9.9.4.1, “Setting SASL Mapping Priorities”.
dn: cn=mymap,cn=mapping,cn=sasl,cn=config
objectclass: top
objectclass: nsSaslMapping
cn: mymap
nsSaslMapRegexString: \(.*\)@\(.*\)\.\(.*\)
nsSaslMapFilterTemplate: (objectclass=inetOrgPerson)
nsSaslMapBaseDNTemplate: uid=\1,ou=people,dc=\2,dc=\3

The nsSaslMapRegexString attribute sets variables of the form \1, \2, \3 for bind IDs which are filled into the template attributes during a search. This example sets up a SASL identity mapping for any user in the ou=People,dc=example,dc=com subtree who belongs to the inetOrgPerson object class.
mconnors@EXAMPLE.COM as the user ID (authid), the regular expression fills in the base DN template with uid=mconnors,ou=people,dc=EXAMPLE,dc=COM as the user ID, and authentication proceeds from there.
Note
dc values are not case sensitive, so dc=EXAMPLE and dc=example are equivalent.
dn: cn=example map,cn=mapping,cn=sasl,cn=config
objectclass: top
objectclass: nsSaslMapping
cn: example map
nsSaslMapRegexString: \(.*\)
nsSaslMapBaseDNTemplate: ou=People,dc=example,dc=com
nsSaslMapFilterTemplate: (cn=\1)

ou=People,dc=example,dc=com subtree which meets the filter cn=userId.

nsSaslMapRegexString attribute. For example:
dn: cn=example map,cn=mapping,cn=sasl,cn=config
objectclass: top
objectclass: nsSaslMapping
cn: example map
nsSaslMapRegexString: \(.*\)@US.EXAMPLE.COM
nsSaslMapBaseDNTemplate: ou=People,dc=example,dc=com
nsSaslMapFilterTemplate: (cn=\1)
US.EXAMPLE.COM realm. (Realms are described in Section 9.10.2.1, “About Principals and Realms”.)
ldap1.example.com server to the cn=replication manager,cn=config entry. The mapping entry itself is created on the second server, such as ldap2.example.com.

dn: cn=z,cn=mapping,cn=sasl,cn=config
objectclass: top
objectclass: nsSaslMapping
cn: z
nsSaslMapRegexString: ldap/ldap1.example.com@EXAMPLE.COM
nsSaslMapBaseDNTemplate: cn=replication manager,cn=config
nsSaslMapFilterTemplate: (objectclass=*)

dn: cn=y,cn=mapping,cn=sasl,cn=config
objectclass: top
objectclass: nsSaslMapping
cn: y
nsSaslMapRegexString: ldap/ldap1.example.com
nsSaslMapBaseDNTemplate: cn=replication manager,cn=config
nsSaslMapFilterTemplate: (objectclass=*)
nsSaslMapPriority parameter, there is no way to specify the order in which mappings are processed. However, there is a way to control how SASL mappings are processed: the name. The Directory Server processes SASL mappings in reverse ASCII order. In the previous two examples, the cn=z mapping (the first example) is processed first. If there is no match, the server processes the cn=y mapping (the second example).
Note
ConfigFile directive. Using silent installation is described in the Installation Guide.
9.9.2. Default SASL Mappings for Directory Server
This matches a Kerberos principal using a two part realm, such as user@example.com. The realm is then used to define the search base, and the user ID (authid) defines the filter. The search base is dc=example,dc=com and the filter is (uid=user).

dn: cn=Kerberos uid mapping,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: Kerberos uid mapping
nsSaslMapRegexString: \(.*\)@\(.*\)\.\(.*\)
nsSaslMapBaseDNTemplate: dc=\2,dc=\3
nsSaslMapFilterTemplate: (uid=\1)
This mapping matches an authid that is a valid DN (defined in RFC 2829) prefixed by dn:. The authid maps directly to the specified DN.

dn: cn=rfc 2829 dn syntax,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: rfc 2829 dn syntax
nsSaslMapRegexString: ^dn:\(.*\)
nsSaslMapBaseDNTemplate: \1
nsSaslMapFilterTemplate: (objectclass=*)
This mapping matches an authid that is a UID prefixed by u:. The value specified after the prefix defines a filter of (uid=value). The search base is hard-coded to be the suffix of the default userRoot database.

dn: cn=rfc 2829 u syntax,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: rfc 2829 u syntax
nsSaslMapRegexString: ^u:\(.*\)
nsSaslMapBaseDNTemplate: dc=example,dc=com
nsSaslMapFilterTemplate: (uid=\1)
This mapping matches an authid that is any plain string that does not match the other default mapping rules. It uses this value to define a filter of (uid=value). The search base is hard-coded to be the suffix of the default userRoot database.

dn: cn=uid mapping,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: uid mapping
nsSaslMapRegexString: ^[^:@]+$
nsSaslMapBaseDNTemplate: dc=example,dc=com
nsSaslMapFilterTemplate: (uid=&)
9.9.3. Configuring SASL Identity Mapping
9.9.3.1. Configuring SASL Identity Mapping from the Console
- In the Directory Server Console, open the Configuration tab.
- Select the SASL Mapping tab.
- To add a new SASL identity mapping, select the button, and fill in the required values.
  - Name. This field sets the unique name of the SASL mapping.
  - Regular expression. This field sets the regular expression used to match the DN components, such as \(.*\). This field corresponds to the nsSaslMapRegexString value in the SASL mapping LDIF entry.
  - Search base DN. This field gives the base DN to search to map entries, such as ou=People,dc=example,dc=com. This field corresponds to the nsSaslMapBaseDNTemplate value in the SASL mapping LDIF entry.
  - Search filter. This field gives the search filter for the components to replace, such as (objectclass=*). This field corresponds to the nsSaslMapFilterTemplate value in the SASL mapping LDIF entry.
9.9.3.2. Configuring SASL Identity Mapping from the Command Line
ldapmodify utility to add the identity mapping scheme. For example:
# ldapmodify -a
-D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: cn=example map,cn=mapping,cn=sasl,cn=config
changetype: add
objectclass: top
objectclass: nsSaslMapping
cn: example map
nsSaslMapRegexString: \(.*\)
nsSaslMapBaseDNTemplate: ou=People,dc=example,dc=com
nsSaslMapFilterTemplate: (cn=\1)
ou=People,dc=example,dc=com, based on the filter cn=userId.

Note
ldapmodify adds the mapping to the end of the list, regardless of its ASCII order.
9.9.4. Enabling SASL Mapping Fallback
nsslapd-sasl-mapping-fallback parameter:

# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: cn=config
changetype: modify
replace: nsslapd-sasl-mapping-fallback
nsslapd-sasl-mapping-fallback: on
9.9.4.1. Setting SASL Mapping Priorities
nsslapd-sasl-mapping-fallback attribute, you can optionally set the nsSaslMapPriority attribute in mapping configurations to prioritize them. The nsSaslMapPriority attribute supports values from 1 (highest priority) to 100 (lowest priority). The default is 100.

cn=Kerberos uid mapping,cn=mapping,cn=sasl,cn=config mapping:

# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: cn=Kerberos uid mapping,cn=mapping,cn=sasl,cn=config
changetype: modify
replace: nsSaslMapPriority
nsSaslMapPriority: 1
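The following Python script is an added example, not Directory Server code, that simulates how the mapping entries shown in this section are evaluated: the \1, \2, \3 and & placeholders of nsSaslMapRegexString filling nsSaslMapBaseDNTemplate and nsSaslMapFilterTemplate (Section 9.9.1), the reverse ASCII processing order of mapping names when fallback is off (the cn=z / cn=y discussion), and nsslapd-sasl-mapping-fallback with nsSaslMapPriority (Section 9.9.4). The mappings are the ones from this section; the directory entries, the in-memory search, and the authids are constructed for the example. Several points are this example's assumptions rather than documented server behaviour: & stands for the whole matched authid (the reading of the (uid=&) default mapping), a regex matches anywhere unless it carries ^ or $ (as the default mappings do), equal priorities fall back to reverse ASCII order, exactly one entry must match for the bind identity to be accepted, and values substituted into the filter are escaped per RFC 4515 so that an authid such as * cannot widen the search.

```python
"""Simulation of Directory Server SASL identity mapping (added example, not server code).
Models placeholder substitution, reverse-ASCII mapping order, and priority-based
fallback over a constructed in-memory directory that understands only
single-attribute equality filters and (objectclass=*)."""
import re
from dataclasses import dataclass


@dataclass
class SaslMapping:
    cn: str
    regex: str           # nsSaslMapRegexString, written with POSIX \( \) groups
    base_dn: str         # nsSaslMapBaseDNTemplate
    filter_tmpl: str     # nsSaslMapFilterTemplate
    priority: int = 100  # nsSaslMapPriority: 1 is highest, 100 (default) lowest


def _escape_filter_value(value):
    # RFC 4515 escaping of a substituted value: a defensive choice of this example
    # (the page does not describe server-side escaping). It keeps an authid such
    # as "*" from turning (uid=&) into a wildcard search.
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def _fill(template, match, escape):
    # \1..\9 are regex groups; & is assumed to stand for the whole matched authid.
    def repl(ph):
        value = match.group(0) if ph.group(1) is None else match.group(int(ph.group(1)))
        return _escape_filter_value(value) if escape else value
    return re.sub(r"\\(\d)|&", repl, template)


def apply_mapping(mapping, authid):
    """Return (search base, filter) when the mapping's regex matches, else None."""
    # The mappings write capture groups as \( ... \); Python wants bare parentheses.
    python_regex = mapping.regex.replace(r"\(", "(").replace(r"\)", ")")
    match = re.search(python_regex, authid)
    if match is None:
        return None
    return _fill(mapping.base_dn, match, False), _fill(mapping.filter_tmpl, match, True)


def search(directory, base_dn, ldap_filter):
    """Tiny subtree search; DN suffix and attribute comparisons are case-insensitive."""
    base = base_dn.lower()
    attr, _, value = ldap_filter.strip("()").partition("=")
    hits = []
    for dn, entry in directory.items():
        if dn.lower() != base and not dn.lower().endswith("," + base):
            continue
        values = [v.lower() for v in entry.get(attr.lower(), [])]
        if (value == "*" and values) or value.lower() in values:
            hits.append(dn)
    return hits


def processing_order(mappings, fallback=False):
    """Fallback off: reverse ASCII order of cn. Fallback on: by priority (1 first);
    the tie-break (reverse ASCII order) is this example's assumption."""
    ordered = sorted(mappings, key=lambda m: m.cn, reverse=True)
    if fallback:
        ordered = sorted(ordered, key=lambda m: m.priority)  # stable sort keeps ties
    return ordered


def resolve(mappings, directory, authid, fallback=False):
    """Map an authid to a bind DN. Exactly one entry must match (example's rule).
    Without fallback the first matching regex is final; with fallback a search
    miss moves on to the next matching mapping."""
    for mapping in processing_order(mappings, fallback):
        result = apply_mapping(mapping, authid)
        if result is None:
            continue
        hits = search(directory, *result)
        if len(hits) == 1:
            return hits[0]
        if not fallback:
            return None
    return None


# Mappings copied from this section; the Kerberos one carries priority 1 as set above.
MYMAP = SaslMapping("mymap", r"\(.*\)@\(.*\)\.\(.*\)",
                    r"uid=\1,ou=people,dc=\2,dc=\3", "(objectclass=inetOrgPerson)")
UID_MAPPING = SaslMapping("uid mapping", r"^[^:@]+$", "dc=example,dc=com", "(uid=&)")
MAPPINGS = [
    SaslMapping("Kerberos uid mapping", r"\(.*\)@\(.*\)\.\(.*\)", r"dc=\2,dc=\3", r"(uid=\1)", 1),
    SaslMapping("rfc 2829 dn syntax", r"^dn:\(.*\)", r"\1", "(objectclass=*)"),
    SaslMapping("rfc 2829 u syntax", r"^u:\(.*\)", "dc=example,dc=com", r"(uid=\1)"),
    UID_MAPPING,
    MYMAP,
]

# Constructed sample directory: attribute names lowercase, values as lists.
DIRECTORY = {
    "uid=scarter,ou=people,dc=example,dc=com": {"uid": ["scarter"], "objectclass": ["inetOrgPerson"]},
    "uid=mconnors,ou=people,dc=example,dc=com": {"uid": ["mconnors"], "objectclass": ["inetOrgPerson"]},
    "uid=svc-backup,ou=services,dc=example,dc=com": {"uid": ["svc-backup"], "objectclass": ["account"]},
    "cn=replication manager,cn=config": {"cn": ["replication manager"], "objectclass": ["person"]},
}

if __name__ == "__main__":
    for authid in ["mconnors@EXAMPLE.COM", "u:scarter", "svc-backup@EXAMPLE.COM", "*"]:
        print(f"{authid:25} -> {resolve(MAPPINGS, DIRECTORY, authid)}"
              f"  (fallback: {resolve(MAPPINGS, DIRECTORY, authid, fallback=True)})")
```

The svc-backup case shows why fallback matters: in reverse ASCII order the cn=mymap mapping is reached before cn=Kerberos uid mapping, its search under ou=people finds nothing, and without fallback the bind fails there. With fallback on and the Kerberos mapping at priority 1, that mapping is tried first and its (uid=svc-backup) search under dc=example,dc=com finds the service entry. The case-insensitive DN comparison in search is what makes dc=EXAMPLE,dc=COM from the regex match the dc=example,dc=com entries, as the note in Section 9.9.1 describes.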