Re: ACL's for SASL compat.
At 12:37 PM 10/4/00 -0400, Marc Heckmann wrote:
>On Wed, Oct 04, 2000 at 08:55:22AM -0700, Kurt D. Zeilenga wrote:
>> >> > Any suggestions? Thanks in advance.
>> >>
>> >>
>> >> Trim the extra white space from the DN regex... i.e.:
>> >>
>> >> by dn="uid=$1\+realm=foo" write
>> >
>> >Tried it and it does not work, same error (insufficient access)....
>> >Any other ideas or debugging switches? Is there another way to get the
>> >same effect using sasl binding?
>>
>> That is for SASL binding.
>
>Yes, I used SASL binding, sorry if I was not clear, it does not work. I meant are there any
>alternate ways to specify the ACL that would have the same effect. It does work with simple
>binding.
The authorization DN produced by the SASL code depends upon
configuration, mechanisms used, etc. Look at your logs
(with TRACE enabled) and you'll see messages reporting the
authorization DN:

  <== slap_sasl_bind: authzdn: "uid=kurt@OPENLDAP.ORG"

or

  <== slap_sasl_bind: authzdn: "uid=kurt + realm=OPENLDAP.ORG"

Then write regexes to match the normalized (s/ \+ /+/) DN.
  access to dn="(uid=[[:alnum:]]+),dc=OpenLDAP,dc=Org"
      by dn="$1(\@OPENLDAP\.ORG|\+realm=OPENLDAP\.ORG)" write
      by dn="uid=[[:alnum:]]+(\@OPENLDAP\.ORG|\+realm=OPENLDAP\.ORG)" read
  access to *
      by dn="uid=[[:alnum:]]+(\@OPENLDAP\.ORG|\+realm=OPENLDAP\.ORG)" read
(the above may contain typos or other minor errors as I only
ran this through my built-in, buggy regex parser).
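An offline way to check ACL regexes like the ones above against the authzdn strings slapd logs, as an added example that is not part of the original thread and not OpenLDAP code: a small Python model of regex ACL evaluation. It assumes the first matching "access to" clause decides, the first matching "by" clause within it wins, "$N" in a "by" regex expands to group N captured by the "access to" regex, matching is case-insensitive, and the only normalization applied is the s/ \+ /+/ from the reply. The log lines are constructed for the example, and the POSIX class [[:alnum:]] is translated to a form Python's re understands.

```python
import re

# Constructed sample TRACE log lines in the shape quoted in the reply (not real captures).
SAMPLE_LOG = """\
<== slap_sasl_bind: authzdn: "uid=kurt@OPENLDAP.ORG"
<== slap_sasl_bind: authzdn: "uid=kurt + realm=OPENLDAP.ORG"
<== slap_sasl_bind: authzdn: "uid=mallory + realm=EVIL.EXAMPLE"
"""

AUTHZDN_LINE = re.compile(r'slap_sasl_bind: authzdn: "([^"]*)"')


def extract_authzdns(log):
    """Pull the authorization DNs out of slapd TRACE output."""
    return [m.group(1) for m in AUTHZDN_LINE.finditer(log)]


def normalize_dn(dn):
    r"""Model of the s/ \+ /+/ normalization from the reply: drop whitespace around '+'."""
    return re.sub(r'\s*\+\s*', '+', dn)


def posix_to_python(pattern):
    """Python's re has no POSIX bracket classes; translate the one used in the ACL."""
    return pattern.replace('[:alnum:]', 'A-Za-z0-9')


# Simplified model of the slapd.conf ACL from the reply:
# ("access to" DN regex, [("by dn" regex, level), ...]), patterns anchored.
# '$N' in a "by" regex refers to group N captured by the "access to" regex.
ACL = [
    (r'^(uid=[[:alnum:]]+),dc=OpenLDAP,dc=Org$', [
        (r'^$1(@OPENLDAP\.ORG|\+realm=OPENLDAP\.ORG)$', 'write'),
        (r'^uid=[[:alnum:]]+(@OPENLDAP\.ORG|\+realm=OPENLDAP\.ORG)$', 'read'),
    ]),
    (r'^.*$', [  # "access to *"
        (r'^uid=[[:alnum:]]+(@OPENLDAP\.ORG|\+realm=OPENLDAP\.ORG)$', 'read'),
    ]),
]


def access_for(target_dn, bind_dn, acl=ACL):
    """Access level the ACL grants bind_dn on target_dn, or 'none'.

    Modelling assumptions (not a statement about slapd internals): the first
    "access to" whose regex matches the target decides; within it the first
    matching "by" wins; if no "by" matches, the result is no access; regexes
    are matched case-insensitively.
    """
    bind_dn = normalize_dn(bind_dn)
    for what, clauses in acl:
        m = re.match(posix_to_python(what), target_dn, re.IGNORECASE)
        if not m:
            continue
        for by_pat, level in clauses:
            # Expand $N with the captured text. It is escaped so captured text
            # can never change the meaning of the "by" regex (a safety choice of
            # this model).
            expanded = re.sub(r'\$(\d)',
                              lambda g: re.escape(m.group(int(g.group(1)))),
                              by_pat)
            if re.match(posix_to_python(expanded), bind_dn, re.IGNORECASE):
                return level
        return 'none'
    return 'none'


def report(log, target_dn):
    """For each authzdn in the log: (raw DN, normalized DN, access granted on target_dn)."""
    return [(dn, normalize_dn(dn), access_for(target_dn, dn))
            for dn in extract_authzdns(log)]


if __name__ == '__main__':
    for raw, norm, level in report(SAMPLE_LOG, 'uid=kurt,dc=OpenLDAP,dc=Org'):
        print(f'{raw!r:40} -> {norm!r:36} {level}')
```

Paste the authzdn strings from your own TRACE log into SAMPLE_LOG and the candidate patterns into ACL; a pattern that still contains " + " with spaces will show up as 'none' against the normalized DN, which is the failure the original poster hit. The model is deliberately small, so confirm anything surprising against a real slapd before relying on it.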