Re: Problem with ACL 'domain='



[I'm just posting this for the archives, sorry for the overhead]

Quoting Turbo Fredriksson <turbo@bayour.com>:

> I'm setting up a 2.1.21 server at home, so I can test
> the new server types...
> 
> The idea is/was to use ACI's in the database, so I don't
> have to maintain a complicated ACL. The ACL I'm trying to
> use is:
> ----- s n i p -----
> # We need to do SASL auth, so the Root DSE must be readable to anyone
> access to dn="" attr=supportedSASLMechanisms,objectClass,entry
>         by domain=.*\.bayour\.com read
>         by domain=localhost read
> ----- s n i p -----

To make this work in a 2.1 server, the config option 'reverse-lookup on'
needs to be used. This is in the manual for slapd.conf, but I'm one of
those that don't read manuals :).

Oh, and slapd must be configured at compile time with '--enable-rlookups'
(which I did, I thought it would be turned on automatically, which it didn't).

> Starting slapd as 'slapd -h ldap://127.0.0.1:389/' (or ldap://0.0.0.0:389/),
> the supportedSASLMechanisms is shown, but NOT if I'm leaving the '-h'
> option out... Why?

This must have been a fluke. It didn't work the day after, and it
took me a couple of days to find the manual :).
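
An added example, not part of the original post: a small shell check that flags a slapd.conf using `by domain=` clauses without a `reverse-lookup on` directive, which is the mismatch described above. The names `check_domain_acl` and `sample_conf` are hypothetical, taking the last `reverse-lookup` line in the file as the effective one is an assumption of this script, and it cannot tell whether slapd was built with `--enable-rlookups`.

```shell
#!/bin/sh
# Added example (not from the original post). check_domain_acl and
# sample_conf are hypothetical helper names.

# The ACL quoted in the post, with no reverse-lookup directive before it.
sample_conf() {
    cat <<'EOF'
# We need to do SASL auth, so the Root DSE must be readable to anyone
access to dn="" attr=supportedSASLMechanisms,objectClass,entry
        by domain=.*\.bayour\.com read
        by domain=localhost read
EOF
}

# Usage: check_domain_acl [slapd.conf]   (reads stdin when no file is given)
# Returns 0 when the file is consistent, 1 when "by domain=" clauses are
# present but no "reverse-lookup on" directive is in effect.
check_domain_acl() {
    awk '
        /^[ \t]*#/ { next }                              # skip comment lines
        $1 == "reverse-lookup" { rl = ($2 == "on") }     # assumption: last one wins
        (" " $0) ~ /[ \t]by[ \t]+domain(\.[a-z]+)?=/ {   # by domain[.style]= clause
            n++
            printf "line %d: %s\n", NR, $0
        }
        END {
            if (n && !rl) {
                print "domain= clauses need \"reverse-lookup on\""
                exit 1
            }
        }
    ' "${1:--}"
}

# Demo on the sample above: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    sample_conf | check_domain_acl
fi
```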