Re: SASL / DIGEST-MD5
Hi Quanah,
On Fri 14/03/2003 at 15:22, Quanah Gibson-Mount wrote:
> Francois,
>
> When you first bind to the ldap server, it has no idea who <you> are. So
> what happens is that you are at first seen as an "anonymous" user in the
> initial stages of the authentication process. Since you are not giving
> search access to the objectclass it needs to figure out who you are, it is
> ending.
>
You are right, it's an ACL problem, because if I have an "access to * by *
read" it works :)
Thank you very much, but with your ACLs I still can't authenticate.
> Also, your ACL's are likely incorrect in their arrangement. If you want
> cn=root,dc=enatel,dc=local to have write access to your entire tree, they
> should look like:
>
> access to dn.base=""
>     by * read
>
I don't really understand this ACL.
You grant read access on the empty entry?
Is this used to list the DNs of the directory?
> access to *
>     by dn.base="cn=root,dc=enatel,dc=local" write
>     by * break
>
Are you sure about the line "by * break"?
I believe that break should be used in addition to an access granted.
Maybe you meant "by * read break"?
> access to dn=".*,ou=people,dc=enatel,dc=local"
>     by self write
>     by dn.base="cn=root,dc=enatel,dc=local" write
>     by * none
>
I have to add "by anonymous search" in the third ACL to get it working.
And after that I can comment out the first ACL without effect.
Francois
>
> --
> Quanah Gibson-Mount
> Senior Systems Administrator
> ITSS/TSS/Computing Systems
> Stanford University
> GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
>
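The ACL behaviour discussed in this message, as an added example that is not part of the original thread and is not slapd code: a simplified Python model of first-match ACL evaluation with `stop` (the default) and `break` controls, run over the three quoted ACLs. The user DN, the helper names and the position of "by anonymous search" (before "by * none") are assumptions; attribute-level rules and the `continue` control are not modelled.

```python
import re

ROOT = "cn=root,dc=enatel,dc=local"
USER = "uid=francois,ou=people,dc=enatel,dc=local"  # constructed sample entry

# Each directive: (what-style, what-value, [(who, level or None, control)])
ACLS = [
    ("base", "", [("*", "read", "stop")]),
    ("*", None, [(ROOT, "write", "stop"), ("*", None, "break")]),
    ("regex", r".*,ou=people,dc=enatel,dc=local",
     [("self", "write", "stop"), (ROOT, "write", "stop"), ("*", "none", "stop")]),
]
# Francois' change: "by anonymous search" added to the third ACL.
FIXED = ACLS[:2] + [(ACLS[2][0], ACLS[2][1],
                     ACLS[2][2][:2] + [("anonymous", "search", "stop")] + ACLS[2][2][2:])]

def what_matches(style, value, target):
    if style == "*":
        return True
    if style == "base":
        return target.lower() == value.lower()
    return re.search(value, target, re.I) is not None  # regex style

def who_matches(who, requester, target):
    if who == "*":
        return True
    if who == "anonymous":
        return requester == ""            # an empty DN is the anonymous identity
    if who == "self":
        return requester != "" and requester.lower() == target.lower()
    return requester.lower() == who.lower()  # dn.base="..."

def granted(acls, requester, target):
    """Return the access level the requester ends up with on target."""
    level = "none"
    for style, value, bys in acls:
        if not what_matches(style, value, target):
            continue
        for who, lvl, control in bys:
            if who_matches(who, requester, target):
                if lvl is not None:       # "by * break" leaves the level unchanged
                    level = lvl
                if control == "stop":
                    return level
                break                     # "break": try the next access directive
        else:
            return "none"                 # implicit "by * none" ends every directive
    return "none"                         # implicit final "access to * by * none"
```

In this model an anonymous requester falls through "by * break" into the third ACL and gets `none` there until the anonymous clause is present, and dropping the first ACL changes nothing for entries under ou=people because `dn.base=""` only matches the empty DN.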