RE: SASL Authentication, DNs and supported SASLMechanisms
Hi,
Just added your rule to slapd.conf:
access to dn=""
by * read
but then slapd won't start:
... missing "=" in (or value after) "dn" in to clause
?
Stéphane
-----Original Message-----
From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
Sent: Friday, 31. August 2001 03:19
To: Nels Lindquist
Cc: openldap-software@OpenLDAP.org
Subject: Re: SASL Authentication, DNs and supported SASLMechanisms
At 04:39 PM 2001-08-30, Nels Lindquist wrote:
>o When authenticating using SASL, it seems that you're always given an authorization DN of the form "uid=username + realm=REALM",
Yes.
>which is all well and good for searching/viewing entries visible to all authenticated users, but right now a SASL authorized user will never see an entry which the ACL system calls "self."
Correct.
>Is there any way to associate an entry of the above form with a DN of the SASL authorized "uid=username + realm = REALM" form?
regex's...
access to dn="(uid=.*),dc=example,dc=com"
by dn="uid=$1 + realm=REALM" write
>o Once ACLs are actually applied to the server, then SASL aware applications no longer work without specifying an authentication method on the command line (ie, if I use -Y [SASL mech] then it still works).
Add an ACL allowing the root DSE to be read...
access to dn=""
by * read
>It appears that applications such as ldapsearch are attempting to query the server to see which mechanisms are supported, but the query is denied. (Output from slapd -d 386):
>
>----
>daemon: conn=1 fd=10 connection from IP=206.75.202.1:3754 (IP=0.0.0.0:34049) accepted.
>ldap_read: want=1, got=1
> 0000: 30 0
>ldap_read: want=1, got=1
> 0000: 3e >
>ldap_read: want=62, got=62
> 0000: 02 01 01 63 39 04 00 0a 01 00 0a 01 00 02 01 00 ...c9...........
> 0010: 02 01 00 01 01 00 87 0b 6f 62 6a 65 63 74 63 6c ........objectcl
> 0020: 61 73 73 30 19 04 17 73 75 70 70 6f 72 74 65 64 ass0...supported
> 0030: 53 41 53 4c 4d 65 63 68 61 6e 69 73 6d 73 SASLMechanisms
>ldap_read: want=1 error=Resource temporarily unavailable
>conn=1 op=0 SRCH base="" scope=0 filter="(objectClass=*)"
>=> access_allowed: read access to "" "entry" requested
>=> acl_get: [1] check attr entry
>=> acl_get: [2] check attr entry
><= acl_get: [2] acl attr: entry
>=> acl_mask: access to entry "", attr "entry" requested
>=> acl_mask: to all values by "", (=n)
><= check a_dn_pat: self
><= check a_dn_pat: anonymous
><= acl_mask: [2] applying auth (=x) (stop)
><= acl_mask: [2] mask: auth (=x)
>=> access_allowed: read access denied by auth (=x)
>acl: access to entry not allowed
>ber_flush: 14 bytes to sd 10
> 0000: 30 0c 02 01 01 65 07 0a 01 00 04 00 04 00 0....e........
>ldap_write: want=14, written=14
> 0000: 30 0c 02 01 01 65 07 0a 01 00 04 00 04 00 0....e........
>conn=1 op=0 RESULT tag=101 err=0 text=
>ldap_read: want=1, got=0
>
>conn=-1 fd=10 closed
>----
>My ACLs look like this:
>
>access to attr=userPassword
> by self write
> by anonymous auth
> by dn="cn=Manager,dc=maei,dc=ca" write
> by dn="cn=Manager,o=Morningstar Air Express Inc.,c=CA" write
> by * none
>
>access to *
> by self write
> by anonymous auth
> by dn="cn=Manager,dc=maei,dc=ca" write
> by dn="cn=Manager,o=Morningstar Air Express Inc.,c=CA" write
> by * read
>
>I tried adding an ACL of the form "access to supported SASLMechanisms by anonymous read", but it didn't help.
>
>Any ideas?
>----
>Nels Lindquist <*>
>Information Systems Manager
>Morningstar Air Express Inc.
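As an added example that is not part of this thread: a small Python model of the slapd.conf ACL evaluation Kurt's answer relies on (the first "access to" clause whose target matches the entry is selected, then the first matching "by" clause decides and evaluation stops, as the "(stop)" in Nels' debug log shows), run against Nels' catch-all rule and against the same rule with the root DSE and SASL-regex rules placed in front of it. The suffix dc=example,dc=com, the realm REALM and the user name nels are constructed values, and the by dn= comparison is literal rather than slapd's own matching.

```python
import re

# slapd's access levels, weakest to strongest; a grant implies every lower level.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def by_matches(who, bind_dn, target_dn, match):
    """Does one 'by' clause apply to this bind DN? '*', 'anonymous', 'users',
    'self' and literal 'dn=' are modelled; $1..$9 in a dn= clause are expanded
    from the 'access to' regex, as Kurt's "uid=$1 + realm=REALM" does."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    if who == "self":  # anonymous ("" bind DN) is never self, even for the root DSE
        return bind_dn != "" and bind_dn == target_dn
    if who.startswith("dn="):
        wanted = re.sub(r"\$(\d)", lambda m: match.group(int(m.group(1))), who[3:])
        return bind_dn == wanted  # compared literally here (a simplification)
    raise ValueError(f"unsupported by-clause: {who}")

def access_allowed(acls, bind_dn, target_dn, level):
    """First 'access to' whose regex matches the entry DN is selected; inside it
    the first matching 'by' clause decides and evaluation stops. No selected
    clause, or no matching 'by' clause, means no access at all."""
    for target_re, by_clauses in acls:
        match = re.fullmatch(target_re, target_dn)
        if match is None:
            continue
        for who, granted in by_clauses:
            if by_matches(who, bind_dn, target_dn, match):
                return LEVELS.index(granted) >= LEVELS.index(level)
        return False
    return False

# Nels' catch-all rule as posted (the attr=userPassword rule is omitted because
# this model evaluates entry-level access only). '.*' stands for 'access to *'.
NELS_ACLS = [(".*", [("self", "write"), ("anonymous", "auth"),
                     ("dn=cn=Manager,dc=maei,dc=ca", "write"), ("*", "read")])]

# Kurt's two suggestions placed ahead of the catch-all (constructed values). The
# capture group is arranged so that $1 is the bare user name, and 'by * read' is
# appended so other users keep the read access the catch-all gave them.
FIXED_ACLS = [
    ("", [("*", "read")]),                      # root DSE: supportedSASLMechanisms
    (r"uid=(.*),dc=example,dc=com",
     [("dn=uid=$1 + realm=REALM", "write"), ("*", "read")]),
] + NELS_ACLS
```

access_allowed(NELS_ACLS, "", "", "read") reproduces the denial in the log (anonymous only reaches "auth"), while the same call against FIXED_ACLS succeeds and the SASL identity "uid=nels + realm=REALM" gains write access to its own entry through the $1 mapping.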