
Another ACL question ...



After experimenting with the ACLs a little more, I have another question. Previously, we had entries such as:

access to attrs=userPassword
by self read
by group/groupofuniquenames/uniquemember="cn=Admins,dc=georgefox,dc=edu" write
by * auth


Now, we need to change these to enable the SASL identity to be used. From the mailing list archives, I have composed:

access to dn="^([^,])+,dc=georgefox,dc=edu" attrs=userPassword
by dn="$1" read
by group/groupofuniquenames/uniquemember="cn=Admins,dc=georgefox,dc=edu" write
by * auth


Currently, we store the DN of LDAP entries in the "uniquemember" attribute. Do I need to change this? How can I adjust the previous ACLs to map the SASL DN (which in my case does not contain a "realm") to the DN stored in the LDAP directory? Once there, how do I pull that person from the "uniquemember" attribute?

Again, thank you for the great help so far!

Tony

At 06:08 PM 02/05/2002 -0800, you wrote:
If I am using SASL with Kerberos, and I need to map the SASL identity
(Kerberos identity in this case) to a specific attribute in the object,
how can I directly reference the supplied SASL identity inside a filter or
regexp? I am thinking it must be something like:

access to dn="(.*,)?dc=georgefox,dc=edu"
         by filter="(&(uid=$ID)(idnum=$1))" write
         by * read

assuming that $ID would be replaced with the supplied identity. Thanks in
advance!

Tony

******************************************************************************
* Anthony Brock                                        abrock@georgefox.edu *
* Director of Network Services                    George Fox University      *
******************************************************************************
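The mapping the question asks about is normally done once, in the server configuration, rather than inside each ACL: the SASL authentication DN is rewritten to the real directory entry, after which the original "by self" and "by group/..." clauses work unchanged and "uniquemember" needs no change. The fragment below is an added illustration, not from the original post; it assumes the sasl-regexp directive of OpenLDAP 2.1, a GSSAPI identity of the form uid=<user>,cn=GSSAPI,cn=auth (no realm component, as the poster describes), and that each user's entry under dc=georgefox,dc=edu has a uid matching the Kerberos principal name.

```conf
# slapd.conf (added example; directive names assumed from OpenLDAP 2.1).
# Map the SASL identity "uid=tony,cn=GSSAPI,cn=auth" to the directory entry
# whose uid is "tony". The LDAP URL must match exactly one entry; if it
# matches zero or several, the mapping fails and the bind keeps the
# unmapped cn=auth DN, so ACLs written for real entries will not apply.
sasl-regexp
    uid=([^,]+),cn=GSSAPI,cn=auth
    ldap:///dc=georgefox,dc=edu??sub?(uid=$1)

# With the identity rewritten, the earlier ACL form is sufficient:
# "self" now resolves to the mapped entry, and group membership is
# checked against the mapped DN stored in uniquemember.
access to attrs=userPassword
    by self read
    by group/groupOfUniqueNames/uniqueMember="cn=Admins,dc=georgefox,dc=edu" write
    by * auth
```

Check the result with "ldapwhoami -Y GSSAPI", which reports the DN the server actually bound as; if it still shows a cn=auth DN, the regexp or search URL did not match.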
