
Re: ACL's for SASL compat.
At 12:37 PM 10/4/00 -0400, Marc Heckmann wrote:
>On Wed, Oct 04, 2000 at 08:55:22AM -0700, Kurt D. Zeilenga wrote:
>> >> >        Any suggestions? Thanks in advance.
>> >> 
>> >> 
>> >> Trim the extra white space from the DN regex...  i.e.:
>> >> 
>> >>         by dn="uid=$1\+realm=foo" write
>> >
>> >Tried it and it does not work, same error (insufficient access)....
>> >Any other ideas or debugging switches? Is there another way to get the
>> >same effect using sasl binding?
>> 
>> That is for SASL binding.
>
>yes I used SASL binding, sorry if I was not clear, it does not work. I meant, are there any
>alternate ways to specify the ACL that would have the same effect. It does work with simple
>binding.

The authorization DN produced by the SASL code depends upon
configuration, mechanisms used, etc. Look at your logs
(with TRACE enabled) and you'll see messages reporting the
authorization DN:
  <== slap_sasl_bind: authzdn: "uid=kurt@OPENLDAP.ORG"
or
  <== slap_sasl_bind: authzdn: "uid=kurt + realm=OPENLDAP.ORG"

Then write regexes to match the normalized (s/ \+ /+/) DN.
  access to dn="(uid=[[:alnum:]]+),dc=OpenLDAP,dc=Org"
    by dn="$1(\@OPENLDAP\.ORG|\+realm=OPENLDAP\.ORG)" write
    by dn="uid=[[:alnum:]]+(\@OPENLDAP\.ORG|\+realm=OPENLDAP\.ORG)" read
  access to *
    by dn="uid=[[:alnum:]]+(\@OPENLDAP\.ORG|\+realm=OPENLDAP\.ORG)" read

(the above may contain typos or other minor errors as I only
ran this through my built in, buggy regex parser).
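As an added illustration (not part of the thread, and not slapd's own code), the following Python emulates how the ACL above is evaluated against the two authzdn forms quoted from the logs: normalize the SASL authorization DN, match the entry DN against the `access to` regex, expand `$1` into the `by dn` regex, and return the first granted level. Assumptions: `[:alnum:]` was meant as the POSIX class `[[:alnum:]]+`, matching is case-insensitive and unanchored (as with `regexec`), and the sample DNs are constructed.

```python
import re

# The ACL from the message, with [:alnum:] written as the POSIX bracket
# expression [[:alnum:]]+ (assumption about what was intended).
ACL = [
    (r"(uid=[[:alnum:]]+),dc=OpenLDAP,dc=Org", [
        (r"$1(\@OPENLDAP\.ORG|\+realm=OPENLDAP\.ORG)", "write"),
        (r"uid=[[:alnum:]]+(\@OPENLDAP\.ORG|\+realm=OPENLDAP\.ORG)", "read"),
    ]),
    ("*", [
        (r"uid=[[:alnum:]]+(\@OPENLDAP\.ORG|\+realm=OPENLDAP\.ORG)", "read"),
    ]),
]


def normalize_authzdn(authz_dn):
    """Apply the s/ \\+ /+/ normalization the message describes."""
    return re.sub(r" \+ ", "+", authz_dn)


def posix_to_python(pattern):
    """Shim: Python's re lacks POSIX classes, so rewrite [:alnum:]."""
    return pattern.replace("[:alnum:]", "A-Za-z0-9")


def acl_level(target_dn, authz_dn):
    """Level granted by the first matching 'access to' clause, or None.

    Like slapd, only the first 'access to' clause whose regex matches the
    entry is consulted; if none of its 'by' clauses match, access is denied.
    """
    authz = normalize_authzdn(authz_dn)
    for to_pat, by_clauses in ACL:
        groups = ()
        if to_pat != "*":
            # unanchored, case-insensitive search, as POSIX regexec behaves
            m = re.search(posix_to_python(to_pat), target_dn, re.IGNORECASE)
            if not m:
                continue
            groups = m.groups()
        for by_pat, level in by_clauses:
            # expand $1..$9 with the groups captured from the entry DN
            expanded = re.sub(r"\$([1-9])",
                              lambda g: groups[int(g.group(1)) - 1], by_pat)
            if re.search(posix_to_python(expanded), authz, re.IGNORECASE):
                return level
        return None
    return None


if __name__ == "__main__":
    # constructed sample pairs modelled on the two authzdn forms in the logs
    print(acl_level("uid=kurt,dc=OpenLDAP,dc=Org", "uid=kurt + realm=OPENLDAP.ORG"))
    print(acl_level("uid=marc,dc=OpenLDAP,dc=Org", "uid=kurt@OPENLDAP.ORG"))
```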