ACLs for SASL compat.
Hi,
I have managed to get SASL authentication working with 2.0.4 + the patch that was posted on this list. Everything is working well and I can do SASL
authentication with my rootdn (uid=rootuser + realm=foo). I can also do it with LDAP users of the type "userPassword: {SASL}testuser", and I can also do simple authentication using the same
"userPassword" attribute. However, when trying to modify some of the testuser's attributes using SASL binding and the ACL below, I get the following error:
[root@schoenberg openldap]# /usr/local/bin/ldapmodify -Y DIGEST-MD5 -D "uid=testuser + realm=foo" -W -f /tmp/modify.ldif -U testuser
Enter LDAP Password:
SASL/DIGEST-MD5 authentication started
SASL username: testuser
SASL realm: schoenberg
SASL SSF: 112
SASL installing layers
modifying entry "uid=testuser,portalId=ABC,ou=People,o=MyOrg"
ldap_modify: Insufficient access
ldif_record() = 50
here is the ACL that I'm trying to use with SASL binding:
access to dn="uid=([^,]+),portalId=ABC,ou=People,o=MyOrg"
by self write
by dn="uid=$1 \+ realm=foo" write
by anonymous auth
by * read
The following is the ACL that I use for simple binding. The ldapmodify command works using simple binding with the same ldif file:
access to *
by self write
by anonymous auth
by dn="uid=rootuser + realm=foo" write
by * read
here is the ldif entry that I am trying to execute:
dn: uid=testuser,portalId=ABC,ou=People,o=MyOrg
changetype: modify
replace: telephonenumber
telephonenumber: 123-4567
Any suggestions? Thanks in advance.
Cheers,
PS: thank you for SASL in LDAP 2.0, it rocks.
--
Marc Heckmann - Network Operations
HBE Software/Opendesk.Com
heckmann@hbesoftware.com www.hbesoftware.com
heckmann@opendesk.com www.opendesk.com
Tel. (514) 876-7881 ext. 219
Fax. (514) 876-9223
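As an added illustration (not part of the post above), here is a small Python evaluator that mimics how slapd tests the posted "access to dn=<regex>" ACL: the target DN is matched against the regex, and each "by" clause is tried in order, with $1 in a "by dn=" pattern replaced by the captured group. It assumes the SASL bind identity is presented as a pseudo-DN of the form "uid=<user> + realm=<realm>" (the form the post's own rootdn uses); the second realm value, "schoenberg", is taken from the session output. Real slapd normalises DNs and ignores case, which this toy does not.

```python
import re

# The SASL ACL from the post, as (target_regex, [(who, access), ...]).
SASL_ACL = (
    r"uid=([^,]+),portalId=ABC,ou=People,o=MyOrg",
    [
        ("self", "write"),
        (r'dn="uid=$1 \+ realm=foo"', "write"),
        ("anonymous", "auth"),
        ("*", "read"),
    ],
)

ENTRY = "uid=testuser,portalId=ABC,ou=People,o=MyOrg"


def expand(pattern, groups):
    """Substitute $1..$9 in a 'by dn=' pattern with the groups captured
    from the 'access to dn=' regex, escaping the captured text."""
    return re.sub(r"\$(\d)",
                  lambda m: re.escape(groups[int(m.group(1)) - 1]), pattern)


def evaluate(acl, bind_dn, target_dn):
    """Return (who, access) for the first 'by' clause that matches bind_dn,
    or None if no clause matches (slapd then denies the operation)."""
    target_re, clauses = acl
    m = re.fullmatch(target_re, target_dn)
    if not m:
        return None  # this ACL does not apply to the target entry
    for who, access in clauses:
        if who == "*":
            return who, access
        if who == "self" and bind_dn == target_dn:
            return who, access
        if who == "anonymous" and bind_dn == "":
            return who, access
        if who.startswith('dn="'):
            pat = expand(who[4:-1], m.groups())  # strip dn=" and "
            if re.fullmatch(pat, bind_dn):
                return who, access
    return None


if __name__ == "__main__":
    # Constructed bind identities: the realm the ACL expects, and the
    # realm reported by the session output in the post.
    for bind in ("uid=testuser + realm=foo", "uid=testuser + realm=schoenberg"):
        print(bind, "->", evaluate(SASL_ACL, bind, ENTRY))
```

Because a SASL pseudo-DN never equals the entry DN, "by self write" (which grants the simple-bind case) cannot fire for SASL binds; only the "by dn=" clause can, so its regex has to match the identity slapd actually presents.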