
RE: Cyrus SASL w/GSSAPI

I'm just learning this stuff as well, so please bear with me, but I think you need to have an access control line in there so that authentication can happen against those entries.
Right now you are restricting all access to everyone unless they are authenticated.  But they can't authenticate because anonymous can't read.
Try adding a line like
    by anonymous auth
in your ACLs.

And please let me know if that's right, I'm just learning.
-----Original Message-----
From: Brent Dunlock [mailto:Brent.Dunlock@asu.edu]
Sent: Friday, January 12, 2001 4:20 PM
To: openldap-software@OpenLDAP.org
Subject: Cyrus SASL w/GSSAPI

I have 2.0.7 running with Cyrus SASL w/GSSAPI on Solaris 7 and it works great as long as the user kinits with Kerberos first.  It looks like this:

# ldapmodify -I -f ./modify.ldif
SASL/GSSAPI authentication started
SASL Interaction
Please enter your authorization name: sysgod
SASL username: sysgod
SASL SSF: 56
SASL installing layers
modifying entry "uid=sysgod,ou=People,dc=asu,dc=edu"

But now I don't know what client the users might have - they may not have the nice client that OpenLDAP provides, so we need to also authenticate via simple and hope for the same result... but it seems to ignore the "userPassword: {SASL}username" entry:

# ldapsearch  -W -x -D "uid=sysgod,ou=People,dc=asu,dc=edu" -f ./modify.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials

As I understand it this should look at the userPassword entry for uid=sysgod and authenticate as such.  That user is valid in our KDC, so I'm not sure what's happening here.  My ACLs look like this:

# Access for SASL authenticated users
access to dn="uid=([^,]+),ou=People,dc=asu,dc=edu"
        by dn="uid=$1\@ASU\.EDU" write
        by dn="uid=$1" write
        by * read

# Access for simple authenticated users
access to *
        by self write
        by dn="cn=Manager,dc=asu,dc=edu" write
        by * read

Do I need to have one big butt-ugly access statement to handle both situations?  Or, am I missing something else?
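For reference, here is the slapd.conf form in which the reply's "by anonymous auth" line is normally used. This is an added example, not configuration from either poster: it reuses the dc=asu,dc=edu suffix, the ou=People regex and the cn=Manager DN from the thread, and everything else is standard slapd ACL syntax. One point worth knowing when reading the original ACLs: slapd access levels are cumulative (none < auth < compare < search < read < write), so a "by * read" clause on the whole entry already grants "auth" to anonymous. The "by anonymous auth" line only becomes necessary once userPassword is locked down to "none" for everyone else, which is the usual hardening and what this example does.

```conf
# Added example (not from the original posts): slapd.conf ACLs that keep
# userPassword unreadable while still letting a simple bind check it.
# The suffix, the ou=People regex and cn=Manager come from the thread;
# the attrs=userPassword clause is the addition.

# 1. Password attribute, listed first so it wins over the broader clauses below.
#    "by self write"       - the entry may change its own password.
#    "by anonymous auth"   - an unauthenticated connection may present a
#                            password for comparison during bind, but not read it.
#    "by * none"           - nobody else can read or search the attribute.
access to attrs=userPassword
        by self write
        by dn="cn=Manager,dc=asu,dc=edu" write
        by anonymous auth
        by * none

# 2. Entries under ou=People: the SASL-mapped identities and the plain DN
#    get write; everyone else may read the remaining attributes.
#    Copied from the original post.
access to dn="uid=([^,]+),ou=People,dc=asu,dc=edu"
        by dn="uid=$1\@ASU\.EDU" write
        by dn="uid=$1" write
        by * read

# 3. Catch-all, kept last because slapd stops at the first "access to"
#    clause whose target matches the entry.
access to *
        by self write
        by dn="cn=Manager,dc=asu,dc=edu" write
        by * read
```

Order matters: slapd evaluates "access to" clauses top to bottom and uses the first whose target matches, so the attribute-specific clause has to precede the entry-wide ones or it is never reached. The ACL only decides whether the bind is allowed to consult userPassword; with a "{SASL}" value the password itself is verified by the Cyrus SASL library rather than compared locally, so the SASL side has to be configured as well.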