Re: ENC: RES: sasl proxy authorization and regexp
> Hello!
>
> I am using the 2.2.5 version. The log is below.
>
> I modified my user Joao to the following:
>
> dn: uid=joao,cn=Alunos,cn=CampusII,dc=ucb,dc=br
> changetype: modify
> replace: saslAuthzTo
> saslAuthzTo: dn.regex:uid=.*,cn=Alunos,ou=CampusI,dc=ucb,dc=br
>
> I am trying to execute the command:
>
> ldapadd -f ./ucb3.ldif -U joao@ares.cesmic.ucb.br -X
> "dn:uid=fgoulart,cn=Alunos,ou=CampusI,dc=ucb,dc=br" -Y DIGEST-MD5
>
> And the error is:
>
> SASL/DIGEST-MD5 authentication started
> Please enter your password:
> ldap_sasl_interactive_bind_s: Insufficient access (50)
> additional info: SASL(-14): authorization failure: not
> authorized
>
> I have the ACL "access to * by
> dn.base="uid=fgoulart,cn=Alunos,ou=CampusI,dc=ucb,dc=br" write" in my
> slapd.conf.
This seems to be a poor ACL, because anonymous can't bind.
You should use
access to attrs=userPassword
    by * auth
(you may add write permission to someone, if needed,
e.g. by self or so) and then
access to *
    by dn.exact="uid=fgoulart,cn=Alunos,ou=CampusI,dc=ucb,dc=br" write
Try this and let me know. A detailed log of the server,
especially of the saslauthz phase, would help as well.
But I don't think you'll get there without anonymous
auth permission.
p.
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
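Editor's note: the slapd.conf excerpt below is an added example, not configuration posted by either participant. It puts the two ACLs from the reply into one ordered fragment and adds the two pieces a proxy-authorization setup usually also needs: the authz policy that enables saslAuthzTo at all, and a SASL identity mapping so the DIGEST-MD5 authentication identity resolves to the entry that carries saslAuthzTo. The DNs and the realm are taken from the thread; the suffix, the mapping regexp and the extra "by" clauses are assumptions about the tree layout. The LDIF in the trailing comment anchors the saslAuthzTo regex, which the original value did not.

```conf
# slapd.conf excerpt (added example; not from the original thread).
# Assumes OpenLDAP 2.2.x serving suffix dc=ucb,dc=br.

# 1. Enable the "to" form of proxy authorization. Without this, saslAuthzTo
#    values are ignored and every -X request fails with "not authorized",
#    whatever the ACLs say. (2.2 spells it sasl-authz-policy; 2.3 and later
#    use authz-policy.)
sasl-authz-policy to

# 2. Map the SASL authentication identity onto a real entry. With
#    "-U joao@ares.cesmic.ucb.br -Y DIGEST-MD5" slapd derives the authcDN
#    uid=joao,cn=ares.cesmic.ucb.br,cn=digest-md5,cn=auth; the saslAuthzTo
#    rule lives on uid=joao,cn=Alunos,cn=CampusII,dc=ucb,dc=br and is only
#    consulted if the authcDN is rewritten to that entry. The search below
#    is an assumption about how uid values are laid out in the tree.
sasl-regexp
    uid=([^,]*),cn=ares.cesmic.ucb.br,cn=digest-md5,cn=auth
    ldap:///dc=ucb,dc=br??sub?(uid=$1)

# 3. ACLs. slapd uses the first "access to" clause whose <what> matches,
#    so the password rule must come before the catch-all. "by * auth"
#    lets anonymous use userPassword to bind without being able to read it.
access to attrs=userPassword
    by self write
    by * auth

# 4. Everything else. The authorization target gets write; other bound
#    users get read; anonymous falls through to the implicit deny.
access to *
    by dn.exact="uid=fgoulart,cn=Alunos,ou=CampusI,dc=ucb,dc=br" write
    by users read

# 5. The saslAuthzTo value itself is an entry attribute, set via LDIF, e.g.:
#
#    dn: uid=joao,cn=Alunos,cn=CampusII,dc=ucb,dc=br
#    changetype: modify
#    replace: saslAuthzTo
#    saslAuthzTo: dn.regex:^uid=[^,]+,cn=Alunos,ou=CampusI,dc=ucb,dc=br$
#
#    Anchoring with ^ and $ and using [^,]+ instead of .* restricts the
#    rule to direct children of cn=Alunos,ou=CampusI; the unanchored .*
#    from the thread would also match DNs with extra components spliced
#    in between uid= and cn=Alunos.
```

After reloading, "slapd -d 256" (or a loglevel that includes ACL tracing) shows whether the authcDN was rewritten and which ACL clause denied the request, which is the saslauthz detail the reply asks for.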