
RE: Cyrus SASL w/GSSAPI



At 05:05 PM 1/12/01 -0800, Jeff Costlow wrote:
>I'm just learning this stuff as well, so please bear with me, but I think you need to have an access control line in there so that authentication can happen against those entries.
>Right now you are restricting all access to everyone unless they are authenticated.  But they can't authenticate because anonymous can't read.
>Try adding a line like
>    by anonymous auth
>in your ACLs.

He said:
        by * read

* matches anonymous users as well as authenticated users.



> 
>And please let me know if that's right, I'm just learning.  
>-----Original Message----- 
>From: Brent Dunlock [mailto:Brent.Dunlock@asu.edu] 
>Sent: Friday, January 12, 2001 4:20 PM 
>To: openldap-software@OpenLDAP.org 
>Subject: Cyrus SASL w/GSSAPI
>
>I have 2.0.7 running with Cyrus SASL w/GSSAPI on Solaris 7 and it works great as long as the user kinit's with Kerberos first.  It looks like this: 
># ldapmodify -I -f ./modify.ldif  
>SASL/GSSAPI authentication started  
>SASL Interaction  
>Please enter your authorization name: sysgod  
>SASL username: sysgod  
>SASL SSF: 56  
>SASL installing layers  
>modifying entry "uid=sysgod,ou=People,dc=asu,dc=edu" 
>
>But now I don't know what client the users might have - they may not have the nice client that OpenLDAP provides, so we need to also authenticate via simple and hope for the same result... but it seems to ignore the "userPassword: {SASL}username" entry: 
># ldapsearch  -W -x -D "uid=sysgod,ou=People,dc=asu,dc=edu" -f ./modify.ldif  
>Enter LDAP Password:  
>ldap_bind: Invalid credentials 
>
>As I understand it this should look at the userPassword entry for uid=sysgod and authenticate as such.  That user is valid in our KDC, so I'm not sure what's happening here.  My ACLs look like this: 
># Access for SASL authenticated users  
>access to dn="uid=([^,]+),ou=People,dc=asu,dc=edu"  
>        by dn="uid=$1\@ASU\.EDU" write  
>        by dn="uid=$1" write  
>        by * read 
>
># Access for simple authenticated users  
>access to *  
>        by self write  
>        by dn="cn=Manager,dc=asu,dc=edu" write  
>        by * read 
>
>Do I need to have one big butt-ugly access statement to handle both situations?  Or, am I missing something else?
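The reply's point ("* matches anonymous users as well as authenticated users") and the question of whether the two access directives need to be merged both come down to how slapd walks its ACL list. The following is an added example, not code from the thread or from OpenLDAP: a small Python model of the evaluation rules documented in slapd.access(5), run over the two directives exactly as posted. It assumes the rules as stated in its docstring (first matching "access to" wins, first matching "by" within it decides, levels are cumulative so "read" includes "auth"), treats regex patterns as unanchored and case-insensitive the way POSIX regexec does, and deliberately leaves out attribute-level rules, "users", "peername" and the rootdn (which bypasses ACLs entirely). The bind DNs and levels in the test cases are constructed for the example.

```python
"""Simplified model of how slapd evaluates 'access to ... by ...' directives.

Added example (not from the thread). It models the rules in slapd.access(5):
  1. the first "access to <what>" whose target matches the entry is the only
     directive consulted;
  2. inside it, the first "by <who> <level>" whose <who> matches the requester
     decides; if none matches, access is denied;
  3. levels are cumulative: none < auth < compare < search < read < write,
     so "read" already includes the "auth" level a bind needs.
Assumptions: regex patterns are matched unanchored and case-insensitively
(POSIX regexec behaviour; anchor real patterns with ^ and $); attribute-level
rules, "users", "peername" etc. are not modelled; the rootdn, which bypasses
ACLs entirely in slapd, is not special-cased.
"""
import re

LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# The two directives from the original post, verbatim.
POSTED_ACL = r"""
# Access for SASL authenticated users
access to dn="uid=([^,]+),ou=People,dc=asu,dc=edu"
        by dn="uid=$1\@ASU\.EDU" write
        by dn="uid=$1" write
        by * read

# Access for simple authenticated users
access to *
        by self write
        by dn="cn=Manager,dc=asu,dc=edu" write
        by * read
"""


def parse_acl(text):
    """Parse the subset of slapd ACL syntax used above into
    [(target, [(who, level), ...]), ...]; target is '*' or a regex string,
    who is '*', 'self', 'anonymous' or ('dn', pattern)."""
    directives = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'access\s+to\s+(.+)$', line)
        if m:
            what = m.group(1).strip()
            dm = re.match(r'dn="(.*)"$', what)
            directives.append((dm.group(1) if dm else what, []))
            continue
        m = re.match(r'by\s+(.+?)\s+(\w+)$', line)
        if m:
            who_text, level = m.groups()
            dm = re.match(r'dn="(.*)"$', who_text)
            who = ('dn', dm.group(1)) if dm else who_text
            directives[-1][1].append((who, level))
    return directives


def who_matches(who, requester, target_dn, groups):
    """requester is the bind DN, or None for an anonymous session."""
    if who == '*':
        return True                         # everyone, anonymous included
    if who == 'anonymous':
        return requester is None
    if who == 'self':
        return requester is not None and requester.lower() == target_dn.lower()
    _, pattern = who
    if requester is None:
        return False                        # a dn= clause never matches anonymous
    # $1, $2, ... are replaced with the groups captured by the 'access to'
    # regex and inserted literally (slapd does not escape them either).
    for i, g in enumerate(groups, 1):
        pattern = pattern.replace('$%d' % i, g)
    return re.search(pattern, requester, re.IGNORECASE) is not None


def check_access(directives, target_dn, requester, needed):
    """Return (allowed, reason) for a requester needing `needed` access to
    target_dn. Only the first directive whose target matches is consulted."""
    for target, by_clauses in directives:
        groups = ()
        if target != '*':
            m = re.search(target, target_dn, re.IGNORECASE)
            if m is None:
                continue
            groups = m.groups()
        for who, level in by_clauses:
            if who_matches(who, requester, target_dn, groups):
                allowed = LEVELS.index(level) >= LEVELS.index(needed)
                who_txt = who if isinstance(who, str) else 'dn="%s"' % who[1]
                return allowed, "first match: by %s %s" % (who_txt, level)
        return False, "no 'by' clause matched: denied"
    return False, "no 'access to' directive matched: denied"


if __name__ == "__main__":
    acl = parse_acl(POSTED_ACL)
    sysgod = "uid=sysgod,ou=People,dc=asu,dc=edu"
    manager = "cn=Manager,dc=asu,dc=edu"        # constructed; may be the rootdn
    cases = [
        ("anonymous binds as sysgod (needs auth)", sysgod, None, "auth"),
        ("sysgod writes own entry after simple bind", sysgod, sysgod, "write"),
        ("Manager writes sysgod's entry", sysgod, manager, "write"),
        ("Manager writes ou=People itself", "ou=People,dc=asu,dc=edu", manager, "write"),
    ]
    for label, target, who, need in cases:
        ok, why = check_access(acl, target, who, need)
        print("%-44s %s (%s)" % (label, "ALLOW" if ok else "DENY", why))
```

Two things fall out of running it against the posted directives. First, an anonymous bind against uid=sysgod,ou=People,... already reaches "by * read", and read includes auth, so the ACLs are not what is rejecting the simple bind. Second, because the People directive matches first and is the only one consulted for those entries, "by self write" and the cn=Manager clause of the second directive never apply to People entries at all; under this model's unanchored matching sysgod still gets write through "by dn="uid=$1" write", while cn=Manager is denied unless it is the rootdn. That is the practical answer to the "one big access statement" question: clauses meant for the same entries have to live in the same directive.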