[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Problem with ACL 'domain='
>>>>> "Turbo" == Turbo Fredriksson <turbo@bayour.com> writes:
Turbo> I'm setting up a 2.1.21 server at home, so I can test the
Turbo> new server types...
Is there any document or HOWTO somewhere that describes the DIFFERENCES
between 2.0 and 2.1 (especially on ACL's)?
It seems like I got MORE problems than this...
To be able to use 'sasl-regexp', I need anonymous read to the krb5PrincipalName,
but I can't seem to get that working...
----- s n i p -----
sasl-regexp uid=(.*),cn=(.*),cn=gssapi,cn=auth
"ldap://localhost/o=Turbo Fredriksson??sub?krb5PrincipalName=$1@BAYOUR.COM"
[...]
# We need to do SASL auth, so the Root DSE must be readable to anyone
access to dn="" attr=supportedSASLMechanisms,objectClass,entry
by domain=.*\.bayour\.com read
by domain=localhost read
#
access to attr=uid,cn,accountStatus,uidNumber,gidNumber,gecos,homeDirectory,loginShell,krb5PrincipalName,entry
by domain=.*\.bayour\.com read
by domain=localhost read
by aci write
----- s n i p -----
As I'm used to from 2.0 this would work. But not in 2.1. No
anonymous read to krb5PrincipalName. If I use the following
ACL, it works if I do a SASL bind (but not anonymous):
----- s n i p -----
access to dn="" attr=supportedSASLMechanisms,objectClass,uid,cn,accountStatus,uidNumber,gidNumber,gecos,homeDirectory,loginShell,krb5PrincipalName,entry
by domain=.*\.bayour\.com read
by domain=localhost read
by aci write
----- s n i p -----
This is what I get with this ACL entry:
----- s n i p -----
[tuzjfi.tty2]$ ldapsearch -x -LLL -h localhost -b 'o=turbo fredriksson' krb5PrincipalName=turbo@BAYOUR.COM krb5PrincipalName
[tuzjfi.tty2]$ ldapsearch -LLL -h localhost -b 'o=turbo fredriksson' krb5PrincipalName=turbo@BAYOUR.COM krb5PrincipalName
SASL/GSSAPI authentication started
SASL username: turbo@BAYOUR.COM
SASL SSF: 56
SASL installing layers
dn: cn=Turbo Fredriksson,ou=People,o=Turbo Fredriksson
krb5PrincipalName: turbo@BAYOUR.COM
----- s n i p -----
I've tried to read the 2.1 Admin manual, especially the section
on 'Using SASL', but it seems to only talk about the sasl-regexp
config option, not ACL's.
--
AK-47 fissionable PLO Peking Iran Clinton congress kibo domestic
disruption nitrate NSA jihad president Panama arrangements
[See http://www.aclu.org/echelonwatch/index.html for more about this]