
Re: ACLs
At 03:53 PM 3/14/01 +0100, Alexander Brinkman wrote:
>Here I go again :)
>
>Everything with SASL and openLDAP is working now, except for the ACLs (I
>think). I understand that there is no direct relationship between SASL users
>(in Kerberos or SASLdb) and LDAP users (uid=xxx,ou=People,dc=domain,dc=org
>for instance).

I think I said there is no direct relationship between a SASL
user and an LDAP entry.  There is a relationship between an
SASL user and a distinguished name.  While this distinguished
name is generally not associated with an entry, it can
be used for access control purposes.

>But in that case: what's the point of authentication with
>SASL?

SASL provides a framework for secure authentication and
security layers (including integrity and confidentiality
protection).

>It was pointed out to me that it could depend on my ACLs what users would get when
>they're connecting with SASL, but I can't find good references to this.
>
>When I do:
>access to attr=userPassword
>        by dn=".+" write
>it works (openldap knows that SASL users are authenticated), but when I do:
>access to attr=userPassword
>        by self write

A user authenticated via SASL generally doesn't have an entry
associated with it, so self write makes little sense.

As I'm sure I've noted previously, the authorization DN
associated with a particular can be discovered by looking
at the logs (when appropriate levels are enabled, e.g. ACLs).

>then it doesn't work. Is there a way to get this working?

Check the archives, I'm sure I detailed how to use SASL
based authorization DNs in ACLs.
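The two approaches discussed in this thread, as an added slapd.conf illustration that is not part of the original exchange and not the archive post the reply refers to. It assumes OpenLDAP 2.2+ directive spellings (`attrs=`, `dn.regex`, `authz-regexp`); the realm, mechanism, user and suffix are constructed placeholders.

```conf
# Added example, not from the thread. OpenLDAP 2.2+ slapd.conf syntax;
# realm (EXAMPLE.ORG), mechanism (gssapi), user (alex) and suffix are placeholders.

# 1. What slapd sees after a SASL bind: an authorization DN of the form
#       uid=<sasl user>,cn=<realm>,cn=<mechanism>,cn=auth
#    e.g. uid=alex,cn=EXAMPLE.ORG,cn=gssapi,cn=auth
#    No entry with that DN exists, so "by self" can never match it.

# 2. Option A: grant on the SASL authorization DN itself (no entry needed).
#    Any successfully SASL-authenticated user may write userPassword;
#    the realm component is optional because some mechanisms omit it.
access to attrs=userPassword
        by dn.regex="^uid=[^,]+,(cn=[^,]+,)?cn=[^,]+,cn=auth$" write
        by anonymous auth
        by * none

# 3. Option B: make "by self" meaningful by mapping the SASL authorization DN
#    onto the user's real entry, so the bound DN equals the entry DN.
#    (Global section, before any database; 2.0/2.1 spelled this
#    saslRegexp / sasl-regexp.) $1 is the uid captured from the SASL DN.
authz-regexp
        "^uid=([^,]+),(cn=[^,]+,)?cn=[^,]+,cn=auth$"
        "ldap:///ou=People,dc=domain,dc=org??one?(uid=$1)"

# With the mapping in place alex binds as uid=alex,ou=People,dc=domain,dc=org
# and the rule from the original question now does what was intended:
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
```

Use either option A or option B for a given attribute, not both: slapd applies the first `access to` clause that matches the target. Enabling ACL logging (`loglevel acl`, or 128) shows which DN each SASL bind is evaluated as.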