Download Sun ONE Directory Server 5.2 Administration Guide

Transcript
Identity Mapping
After all place-holders have been substituted, any pattern matching that is defined
will be performed. The matching pattern will be compared to the regular
expression. If the regular expression does not match the pattern string, this
mapping fails. If it does match, the matching values of regular expression terms in
parentheses will be available as numbered place-holders for use in other attribute
values. For example, the following mapping could be defined for SASL:
dsMatching-pattern: ${Principal}
dsMatching-regexp: (.*)@(.*)\.(.*)
dsMappedDN: uid=$1,ou=people,dc=$2,dc=$3
If a client authenticates with the Principal of [email protected], this mapping
will define the bind DN uid=bjensen,ou=people,dc=example,dc=com. If this DN
exists in the directory, the mapping will succeed, the client will be authenticated,
and all operations performed during this connection will use this bind DN.
The dsMatching-pattern is compared to the dsMatching-regexp using the Posix
regexec(3C) and regcomp(3C) function calls. Directory Server uses extended
regular expressions and all comparisons are case insensitive. For more information,
please refer to the man pages for these functions.
The attributes values that may contain place-holders must encode any $, {, and }
characters that are not part of a place-holder, even if no place-holder is used. You
must encode these characters with the following values: $ as \24, { as \7B, and
} as \7D.
Using place-holders and substitutions allows you to create mappings that extract a
username or any other value from the protocol-specific credentials and use its
value to define a mapped DN or perform a search for a corresponding DN
anywhere in the directory. You should define the mappings that extract the
expected credentials provided by your directory clients and map them to your
specific directory structure.
CAUTION
Creating a poorly defined mapping is a security hole. For example, a
mapping to a hard-coded DN without pattern matching will always
succeed, thereby authenticating clients who might not be directory
users.
It is safer to define several mappings to handle different client
credential formats than to create a single, overly-generic and
permissive mapping. You should always try to map client
connections to specific users according to the client credentials.
378
Sun ONE Directory Server Administration Guide • June 2003