Re: ACL Headaches
* Bennett, Silas (GE Infrastructure) <Silas.Bennett@ge.com> [050921 22:26]:
> rootdn "cn=ldapadmin,dc=qm"
> rootpw {KERBEROS} ldapadmin@QM
You don't have to set up a rootpw statement with SASL. Providing a
rootdn statement is sufficient. With SASL, authentication is handled by
the SASL layer. The {KERBEROS} password scheme is obsolete.
>
> SASL is set up to use GSSAPI correctly, since the following password also works:
>
> rootpw {SASL} ldapadmin
That itself is not a hint that SASL is working. It seems you are
mixing two things up: LDAPv3 provides authentication via SASL, that
is, authentication can be handled by a lot of means. The LDAP server
sees only the result of the authentication (strong bind). Then there
is a way to provide compatibility with simple binds: the LDAP server
pipes the given password to an external program and asks whether the
password and the user identity in the userPassword attribute match.
For strong binds to work, you must provide a "sasl-regexp" statement in
your slapd.conf file. That provides a rule to match your SASL DNs to
LDAP DNs. Because you are using GSSAPI, it would be something like
sasl-regexp uid=(.*),cn=<REALM>,cn=gssapi,cn=auth uid=$1,<dn_of_usertree>
You can check with the "ldapwhoami" command whether the SASL matching works
as expected.
For your ACLs you should then use the DNs of your user entries in the
LDAP tree.
--
Max-Born-Institut (MBI)/Max-Born-Straße 2A/12489 Berlin/Karsten Gorling
Telefon: ++49 30 6392 1341 / Telefax: ++49 30 6392 1309
E-Mail: kgorling@physik.tu-berlin.de or gorling@mbi-berlin.de
Instantmessenger: Jabber: grafzahl@jabber.fsinf.de or ICQ: 95492828
PGP-Fingerprint: 4BEF 23EA 02AE BACA 9918 31FF 285B 0426 0E1A B2FC
----------------- > encrypted E-Mail preferred <------------------------
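To make the sasl-regexp mapping and its effect on ACLs concrete, here is an added illustration that is not part of the original message or of OpenLDAP itself. It models, in Python, what slapd does with a sasl-regexp rule (spelled authz-regexp in later OpenLDAP releases): the SASL authorization DN that GSSAPI produces is matched against the pattern, back-references ($1) are substituted into the template, and the resulting LDAP DN is what ACLs see. The realm QM and the user tree ou=people,dc=qm are assumptions chosen to fit the thread; the slapd.conf fragment, the sample identities and the ACL evaluation are constructed for the example, and Python's re module stands in for slapd's regex engine.

```python
import re

# Assumed slapd.conf fragment (constructed for this illustration; not from the
# original message). No rootpw: SASL/GSSAPI authenticates, the regexp maps.
SLAPD_CONF_FRAGMENT = """
rootdn "cn=ldapadmin,dc=qm"
sasl-regexp
    uid=(.*),cn=QM,cn=gssapi,cn=auth
    uid=$1,ou=people,dc=qm
access to attrs=userPassword
    by self write
    by anonymous auth
access to *
    by dn="cn=ldapadmin,dc=qm" write
    by self write
    by users read
"""


def parse_sasl_regexp(conf: str):
    """Collect (pattern, template) pairs from sasl-regexp directives.

    slapd allows a directive's arguments to continue on indented lines,
    so continuation lines are joined before splitting.
    """
    joined = re.sub(r"\n[ \t]+", " ", conf)
    rules = []
    for line in joined.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "sasl-regexp":
            rules.append((parts[1], parts[2]))
    return rules


def map_sasl_dn(sasl_dn: str, rules):
    """Apply the first matching rule (as slapd does); None if no rule matches.

    DNs are case-insensitive, so the match ignores case. slapd writes
    back-references as $1..$9; Python's re.expand wants \\1..\\9.
    """
    for pattern, template in rules:
        m = re.fullmatch(pattern, sasl_dn, re.IGNORECASE)
        if m:
            return m.expand(re.sub(r"\$(\d)", r"\\\1", template))
    return None


def whoami(sasl_dn: str, rules):
    """What 'ldapwhoami -Y GSSAPI' would report: the mapped DN, or the raw
    SASL DN when no rule matched (the sign that the mapping is wrong)."""
    mapped = map_sasl_dn(sasl_dn, rules)
    return mapped if mapped is not None else sasl_dn


def access_to_entry(bind_dn, target_dn):
    """Toy evaluation of the 'access to *' clause in the fragment above
    (a model for this example, not slapd's ACL engine)."""
    if bind_dn is None:
        return "none"                       # anonymous: no matching 'by' clause
    if bind_dn.lower() == "cn=ldapadmin,dc=qm":
        return "write"                      # by dn="cn=ldapadmin,dc=qm" write
    if bind_dn.lower() == target_dn.lower():
        return "write"                      # by self write
    return "read"                           # by users read


RULES = parse_sasl_regexp(SLAPD_CONF_FRAGMENT)

if __name__ == "__main__":
    # Constructed sample identities: one in the configured realm, one not.
    for sasl_dn in ("uid=alice,cn=QM,cn=gssapi,cn=auth",
                    "uid=bob,cn=OTHER,cn=gssapi,cn=auth"):
        effective = whoami(sasl_dn, RULES)
        own_entry = "uid=%s,ou=people,dc=qm" % sasl_dn.split(",")[0][4:]
        print("%-40s -> %s (access to own entry: %s)"
              % (sasl_dn, effective, access_to_entry(effective, own_entry)))
```

The second identity shows why the reply insists on checking with ldapwhoami before writing ACLs: an unmapped GSSAPI identity is still an authenticated user, so it gets whatever "by users" grants, but it is not "self" for its own entry and no "by dn=" clause naming user entries will ever match it.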
- References:
- ACL Headaches
- From: "Bennett, Silas (GE Infrastructure)" <Silas.Bennett@ge.com>