
RE: SASL / DIGEST-MD5



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Quanah Gibson-Mount

> > I have to add "by anonymous search" in the third ACL to get it working
> > And after that I can comment the first ACL without effect
>
> Yup.  If you want, and can figure out exactly what information it is
> wanting to look at, you can restrict this even more.  For us, any incoming
> connection needs access to the krb5PrincipalName attribute (since we are
> doing GSSAPI authentication for our applications), so I have the line:
>
> access to attr=krb5PrincipalName,member
>         by * search

As advance notice - the requirement for "Search" access in evaluating SASL
authentication was unintended. In 2.1.16 only "Auth" access will be needed
for SASL support.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support