[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Does "Users" in acl only goes for simple binds and not with sasl/gssapi?
At 10:56 PM 6/30/2005, jay alvarez wrote:
>And as you've said...
>
>> As far as your question regarding "users",
>> slapd-access(5)
>> says:
>> The keyword users means access is granted to
>> authenticated clients.
>
>so, when I'm using sasl/gssapi for authentication, it
>goes without saying that I'm already authenticated,
>right?
No. In fact, the client never even got far enough
to attempt a SASL/GSSAPI authentication exchange.
It failed trying to anonymously discover the SASL
mechanisms the server supports.
> What's with that "no more <who> clauses"??
It means that no <who> clause in your access statement
matched the subject, anonymous. That is, users !=
anonymous. Hence, the no access was allowed.
You have two choices, either don't use LDAP's SASL
mechanism discovery mechanism, e.g., use ldapsearch(1)'s
-Y to select what mechanism to use, or allow anonymous
enough access to accomplish mechanism discovery, e.g.,
read access to (all or select portions of) the root DSE.
Kurt