
Cyrus SASL w/GSSAPI

I have 2.0.7 running with Cyrus SASL w/GSSAPI on Solaris 7 and it works great as long as the user kinit's with Kerberos first.  It looks like this:

# ldapmodify -I -f ./modify.ldif
SASL/GSSAPI authentication started
SASL Interaction
Please enter your authorization name: sysgod
SASL username: sysgod
SASL SSF: 56
SASL installing layers
modifying entry "uid=sysgod,ou=People,dc=asu,dc=edu"

But now I don't know what client the users might have - they may not have the nice client that OpenLDAP provides, so we need to also authenticate via simple and hope for the same result... but it seems to ignore the "userPassword: {SASL}username" entry:

# ldapsearch  -W -x -D "uid=sysgod,ou=People,dc=asu,dc=edu" -f ./modify.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials

As I understand it this should look at the userPassword entry for uid=sysgod and authenticate as such.  That user is valid in our KDC, so I'm not sure what's happening here.  My ACLs look like this:

# Access for SASL authenticated users
access to dn="uid=([^,]+),ou=People,dc=asu,dc=edu"
        by dn="uid=$1\@ASU\.EDU" write
        by dn="uid=$1" write
        by * read

# Access for simple authenticated users
access to *
        by self write
        by dn="cn=Manager,dc=asu,dc=edu" write
        by * read

Do I need to have one big butt-ugly access statement to handle both situations?  Or, am I missing something else?
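The two access directives above interact in a way that is easy to miss: slapd consults only the first `access to` directive whose target matches the entry, and within it the first matching `by` clause decides. The following Python model, added here as an illustration and not part of the original post or of OpenLDAP itself, walks through that first-match rule for the directives quoted above. It assumes the `dn=` regexes are anchored (they are written with explicit `^`/`$` here; the post's own lines have no anchors), that the GSSAPI identity binds as `uid=sysgod@ASU.EDU` exactly as the first directive expects, and it ignores the rootdn, which bypasses ACLs entirely. Note that privilege levels are cumulative, so `by * read` already grants the `auth` access a simple bind needs on `userPassword`; an "Invalid credentials" result therefore comes from the password check itself (the `{SASL}` scheme is only honoured when slapd was built with support for it), not from these ACLs.

```python
import re

# slapd privilege levels, lowest to highest; each level implies those below it.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Constructed model of the post's two directives. Each entry is
# (target regex over the entry DN, ordered list of (who, pattern, level)).
# Regexes are anchored here as a stated assumption; "$1" is the target's group.
ACLS = [
    (r"^uid=([^,]+),ou=People,dc=asu,dc=edu$", [
        ("dn", r"^uid=$1@ASU\.EDU$", "write"),   # GSSAPI-authenticated identity
        ("dn", r"^uid=$1$", "write"),            # bare uid=<name>
        ("*", None, "read"),
    ]),
    (r".*", [
        ("self", None, "write"),
        ("dn", r"^cn=Manager,dc=asu,dc=edu$", "write"),
        ("*", None, "read"),
    ]),
]


def evaluate(entry_dn, bind_dn, acls=ACLS):
    """Return (directive index, matching <who>, level) as slapd would decide.

    Models first-match semantics: only the first directive whose target
    matches the entry is consulted; within it the first matching <who> wins;
    if no <who> matches, access is 'none'. bind_dn=None means anonymous.
    """
    for i, (target, bys) in enumerate(acls):
        m = re.match(target, entry_dn, re.IGNORECASE)
        if not m:
            continue
        for who, pattern, level in bys:
            if who == "*":
                return i, who, level
            if who == "self":
                if bind_dn and bind_dn.lower() == entry_dn.lower():
                    return i, who, level
                continue
            if who == "dn":
                pat = pattern
                # Substitute $1, $2, ... with the groups captured from the target.
                for n, grp in enumerate(m.groups(), start=1):
                    pat = pat.replace(f"${n}", re.escape(grp))
                if bind_dn and re.match(pat, bind_dn, re.IGNORECASE):
                    return i, f'dn="{pattern}"', level
        return i, None, "none"
    return None, None, "none"


def allows(granted, needed):
    """True if the granted level implies the needed one (levels are cumulative)."""
    return LEVELS.index(granted) >= LEVELS.index(needed)


if __name__ == "__main__":
    person = "uid=sysgod,ou=People,dc=asu,dc=edu"
    cases = [
        ("GSSAPI bind", person, "uid=sysgod@ASU.EDU"),
        ("simple bind as self", person, person),
        ("anonymous (at bind time)", person, None),
        ("simple bind as self, non-People entry",
         "cn=staff,ou=Groups,dc=asu,dc=edu", "cn=staff,ou=Groups,dc=asu,dc=edu"),
    ]
    for label, entry, binder in cases:
        idx, who, level = evaluate(entry, binder)
        print(f"{label:40s} -> directive {idx}, by {who}: {level}"
              f" (auth ok: {allows(level, 'auth')})")
```

Running it shows the trap: a user who simple-binds as `uid=sysgod,ou=People,...` hits the first directive, matches none of its `dn=` clauses, and falls through to `by * read`; the `by self write` in the second directive is never reached for any `ou=People` entry. Whether that is fixed with one merged directive or by adding a `by self write` line to the first one is a matter of taste; either way the `self` clause has to live in the directive that actually matches the People entries.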