Red Hat Directory Server 8.0 Administrator's Guide
dn: cn=sasl,cn=config
objectClass: top
objectClass: nsContainer
cn: sasl
SASL identity mapping entries are children of this entry:
dn: cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsContainer
cn: mapping
Mapping entries contain three attributes, nsSaslMapRegexString, nsSaslMapBaseDNTemplate,
and nsSaslMapFilterTemplate. The nsSaslMapping object class sets these identity mapping
parameters.
The nsSaslMapRegexString attribute is a regular expression applied to the bind ID. The groups
it captures become variables of the form \1, \2, \3, which are filled into the template
attributes during a search. For example, this sets up an nsSaslMapping entry:
dn: cn=mymap,cn=mapping,cn=sasl,cn=config
objectclass: top
objectclass: nsSaslMapping
cn: mymap
nsSaslMapRegexString: \(.*\)@\(.*\)\.\(.*\)
nsSaslMapFilterTemplate: (objectclass=inetOrgPerson)
nsSaslMapBaseDNTemplate: uid=\1,ou=people,dc=\2,dc=\3
When a Directory Server receives a SASL bind request with mconnors@EXAMPLE.COM as the
user ID (authid), the regular expression would fill in the base DN template with
uid=mconnors,ou=people,dc=EXAMPLE,dc=COM as the user ID, and authentication would
proceed from there.
NOTE
The dc values are not case sensitive, so dc=EXAMPLE and dc=example are
equivalent.
The Directory Server can also use a broader mapping scheme, such as the following:
dn: cn=mymap2,cn=mapping,cn=sasl,cn=config
objectclass: top
objectclass: nsSaslMapping
cn: mymap2
nsSaslMapRegexString: \(.*\)
nsSaslMapBaseDNTemplate: ou=People,dc=example,dc=com
nsSaslMapFilterTemplate: (cn=\1)
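To check what search a bind ID turns into before deploying a mapping, the two entries above can be evaluated offline. This is an added Python example, not code from the Administrator's Guide or from Directory Server. It assumes mappings are tried in list order and that the expression must match the whole bind ID; the function names are hypothetical, and the second and third bind IDs are constructed samples.

```python
import re

# Attribute values copied from the two mapping entries on this page.
MAPPINGS = [
    {"cn": "mymap",
     "regex": r"\(.*\)@\(.*\)\.\(.*\)",
     "base": r"uid=\1,ou=people,dc=\2,dc=\3",
     "filter": "(objectclass=inetOrgPerson)"},
    {"cn": "mymap2",
     "regex": r"\(.*\)",
     "base": "ou=People,dc=example,dc=com",
     "filter": r"(cn=\1)"},
]

def to_python_regex(pattern):
    """Swap \\( \\) groups (as written in nsSaslMapRegexString) for Python's ( )."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(nxt if nxt in "()" else ch + nxt)  # \( -> ( ; \. stays \.
            i += 2
        else:
            out.append("\\" + ch if ch in "()" else ch)   # a bare ( is a literal
            i += 1
    return "".join(out)

def expand(template, groups):
    """Fill \\1, \\2, ... in a template with the captured groups."""
    return re.sub(r"\\(\d)", lambda m: groups[int(m.group(1)) - 1], template)

def map_identity(authid, mappings=MAPPINGS):
    """Return (mapping cn, search base DN, search filter), or None if nothing matches."""
    for m in mappings:  # assumption: tried in list order, whole authid must match
        hit = re.fullmatch(to_python_regex(m["regex"]), authid)
        if hit:
            return (m["cn"], expand(m["base"], hit.groups()),
                    expand(m["filter"], hit.groups()))
    return None

if __name__ == "__main__":
    # Constructed sample bind IDs; only the first one appears on this page.
    for authid in ("mconnors@EXAMPLE.COM", "mconnors@mail.example.com", "mconnors"):
        print(authid, "->", map_identity(authid))
```

With a multi-label realm such as mail.example.com, the greedy second group captures mail.example, so the base DN becomes dc=mail.example,dc=com rather than three dc components. A bind ID with no @ falls through to the broad mymap2 mapping, which accepts any string.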
SASL Identity Mapping