[Date Prev][Date Next] [Chronological] [Thread] [Top]

Another ACL question ...

To: openldap-software@OpenLDAP.org
Subject: Another ACL question ...
From: Anthony Brock <abrock@georgefox.edu>
Date: Wed, 06 Feb 2002 08:21:36 -0800
In-reply-to: <fc.f2163a07f2163a07073a16f23b9aca00.1032452@mail.georgefox .edu>

After experimenting with the ACLs a little more, I have another question. Previously, we had entries such as:

access to attrs=userPassword by self read by group/groupofuniquenames/uniquemember="cn=Admins,dc=georgefox,dc=edu" write by * auth

Now, we need to change these to enable the SASL identity be used. From the mailing list archives, I have composed:

access to dn="^([^,])+,dc=georgefox,dc=edu" attrs=userPassword by dn="$1" read by group/groupofuniquenames/uniquemember="cn=Admins,dc=georgefox,dc=edu" write by * auth

Currently, we store the DN of ldap entries in the "uniquemember" attribute. Do I need to change this? How can I adjust the previous ACLs to map the SASL DN (which in my case does not contain a ???realm??? ) to the DN stored in the LDAP directory? Once there, how do I pull that person from the "uniquemember" attribute?

Again, thank you for the great help so far!

Tony

At 06:08 PM 02/05/2002 -0800, you wrote:

If I am using SASL with Kerberos, and I need to map the SASL identity
(Kerberos identity in this case) to a specific attribute in the object,
how
can I directly reference the supplied SASL identity inside a filter or
regexp? I am thinking it must be something like:

access to dn="(.*,)?dc=georgefox,dc=edu"
         by filter="(&(uid=$ID)(idnum=$1))" write
         by * read

assuming that $ID would be replaced with the supplied identity. Thanks in
advance!

Tony

******************************************************************************
* Anthony Brock
abrock@georgefox.edu *
* Director of Network Services                         George Fox
University *
******************************************************************************


******************************************************************************
* Anthony Brock                                         abrock@georgefox.edu *
* Director of Network Services                         George Fox University *
******************************************************************************

Prev by Date: Bug in nss_ldap group handling
Next by Date: Re: pam_ldap exop/ldappasswd and salted hashes fail
Index(es):
- Chronological
- Thread