Re: ACLs
At 03:53 PM 3/14/01 +0100, Alexander Brinkman wrote:
>Here I go again :)
>
>Everything with SASL and openLDAP is working now, except for the ACLs (I
>think). I understand that there is no direct relationship between SASL users
>(in Kerberos or SASLdb) and LDAP users (uid=xxx,ou=People,dc=domain,dc=org
>for instance).
I think I said there is no direct relationship between a SASL
user and an LDAP entry. There is a relationship between an
SASL user and a distinguished name. While this distinguished
name is generally not associated with an entry, it can
be used for access control purposes.
>But in that case: what's the point of authentication with
>SASL?
SASL provides a framework for secure authentication and
security layers (including integrity and confidentiality
protection).
>It was pointed out to me that it could depend on my ACLs what users would get when
>they're connecting with SASL, but I can't find good references to this.
>
>When I do:
>access to attr=userPassword
> by dn=".+" write
>it works (openldap knows that SASL users are authenticated), but when I do:
>access to attr=userPassword
> by self write
A user authenticated via SASL generally doesn't have an entry
associated with it, so self write makes little sense.
As I'm sure I've noted previously, the authorization DN
associated with a particular can be discovered by looking
at the logs (when appropriate levels are enabled, e.g. ACLs).
>then it doesn't work. Is there a way to get this working?
Check the archives, I'm sure I detailed how to use SASL
based authorization DNs in ACLs.
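An added slapd.conf illustration of the point made in the reply (this is not code from either poster): a SASL bind yields an authorization DN that matches no entry, so "by self" cannot match until that DN is mapped onto the user's real entry. It assumes the suffix from the question (dc=domain,dc=org), the GSSAPI mechanism with a constructed realm DOMAIN.ORG, and the OpenLDAP 2.1+ directive names (authz-regexp, dn.regex, attrs=); OpenLDAP 2.0 spelled these saslRegexp, dn="regex" and attr=.

```conf
# Added example, not from the original thread. Assumes OpenLDAP 2.1+ syntax,
# suffix dc=domain,dc=org and a GSSAPI realm DOMAIN.ORG (constructed values).
#
# A SASL-authenticated session carries an authorization DN of the form
#   uid=<user>,cn=<realm>,cn=<mechanism>,cn=auth
# e.g. uid=alex,cn=DOMAIN.ORG,cn=gssapi,cn=auth
# No entry exists under cn=auth, so "by self" never matches for such a session.

# Enable ACL processing logging (128) to see the authorization DN being
# evaluated against each rule while testing the mapping below.
loglevel 128

# Map the SASL authorization DN onto the user's actual entry. After this,
# the session's identity is uid=<user>,ou=People,dc=domain,dc=org.
authz-regexp
  "^uid=([^,]+),cn=DOMAIN\.ORG,cn=gssapi,cn=auth$"
  "uid=$1,ou=People,dc=domain,dc=org"

# With the mapping in place, "by self write" works and the overly broad
# rule from the question (by dn=".+" write, which grants every authenticated
# identity write access to every userPassword) is no longer needed.
access to attrs=userPassword
  by self write
  by anonymous auth
  by * none

# Alternative without mapping: reference the SASL authorization DNs directly
# in the ACL. This still cannot express "self", but it scopes the grant to
# identities from one realm and mechanism rather than to any bound DN.
# access to attrs=userPassword
#   by dn.regex="^uid=[^,]+,cn=DOMAIN\.ORG,cn=gssapi,cn=auth$" write
#   by anonymous auth
#   by * none
```

The mapped entry must exist for the rewritten DN to be meaningful; if it does not, the bind still succeeds but the session behaves as an unmapped identity and the ACL log line shows the cn=auth form.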
- Follow-Ups:
- RE: ACLs
- From: a.brinkman@avades.nl (Alexander Brinkman)
- References:
- ACLs
- From: a.brinkman@avades.nl (Alexander Brinkman)