
RE: ACL Headaches



Thank you Karsten & Dieter for your comments.

-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Karsten
Gorling
Sent: Wednesday, September 21, 2005 4:16 PM
To: openldap-software@OpenLDAP.org
Subject: Re: ACL Headaches


>* Bennett, Silas (GE Infrastructure) <Silas.Bennett@ge.com> [050921 22:26]:
>> 	rootdn "cn=ldapadmin,dc=qm"
>> 	rootpw {KERBEROS} ldapadmin@QM
>
>You don't have to set up a rootpw statement with SASL. Providing a
>rootdn statement is sufficient. With SASL, authentication is handled by
>the SASL layer. The {KERBEROS} password scheme is obsolete.
>

Good to know. I was getting most of my info from Google, and apparently some of it was obsolete.

>> 
>> SASL is set up to use GSSAPI correctly, since the following password also works:
>> 
>> 	rootpw {SASL} ldapadmin
>
>That itself is not a hint that SASL is working. It seems you are
>mixing two things up: LDAPv3 provides authentication via SASL, that
>is, authentication can be handled by a lot of means. The LDAP server
>sees only the result of the authentication (strong bind). Then there
>is a way to provide compatibility with simple binds: the LDAP server
>pipes the given password to an external program and asks whether the
>password and the user identity in the userPassword attribute match.
>
>For strong binds to work, you must provide a "sasl-regexp" statement in
>your slapd.conf file. That provides a rule to match your SASL DNs to
>LDAP DNs. Because you are using GSSAPI, it would be something like
>
>sasl-regexp uid=(.*),cn=<REALM>,cn=gssapi,cn=auth uid=$1,<dn_of_usertree>
>

Great, Thank you!

>You can check with the "ldapwhoami" command whether the SASL matching works
>as expected.
>

After `kinit silasb`, `ldapwhoami` now reports

dn:uid=silasb,ou=people,dc=qm

This is the correct user dn.

>For your ACLs you should then use the DNs of your user entries in the
>LDAP tree.
>

Every ACL listing now has
	by dn="uid=silasb,ou=people,dc=qm" write
	by dn="uid=silasb,cn=QM,cn=gssapi,cn=auth" write

but I still get

ldap_add: Insufficient access (50)
	additional info: no write access to parent



>-- 
>Max-Born-Institut (MBI)/Max-Born-Straße 2A/12489 Berlin/Karsten Gorling
>Telefon: ++49 30 6392 1341 / Telefax: ++49 30 6392 1309 
>E-Mail: kgorling@physik.tu-berlin.de or gorling@mbi-berlin.de
>Instantmessenger: Jabber: grafzahl@jabber.fsinf.de or ICQ: 95492828
>PGP-Fingerprint:  4BEF 23EA 02AE BACA 9918  31FF 285B 0426 0E1A B2FC
>----------------- > encrypted E-Mail preferred <------------------------
>
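An added illustration, not part of this thread and not the poster's slapd.conf: a small Python model of the two steps the thread discusses, the sasl-regexp mapping from the GSSAPI authorization DN to the LDAP DN, and the slapd ACL check that an ldap_add performs on the parent entry. The ACL clauses, realm (QM) and user tree (ou=people,dc=qm) are constructed from the values quoted above; the evaluator is a deliberate simplification of slapd (first matching "access to" clause wins, first matching "by" clause decides, a clause with no attrs= is taken to cover the entry and children pseudo-attributes too). It shows why "by dn=... write" on every clause can still yield "no write access to parent": the add needs write access to the children pseudo-attribute of the parent entry, so a clause whose target only selects uid=... entries never applies to ou=people,dc=qm.

```python
import re
import shlex

# Constructed directive, mirroring the form suggested in the thread.
SASL_REGEXP = "sasl-regexp uid=(.*),cn=QM,cn=gssapi,cn=auth uid=$1,ou=people,dc=qm"

LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def map_sasl_dn(directive, sasl_dn):
    """Apply one sasl-regexp directive. Returns the LDAP DN, or the SASL DN
    unchanged when the pattern does not match (an unmapped identity will not
    match any 'by dn=...' clause that names an entry in the user tree)."""
    _, pattern, template = directive.split()
    m = re.fullmatch(pattern, sasl_dn, re.IGNORECASE)
    if not m:
        return sasl_dn
    # slapd writes back-references as $1; Python's re.expand wants \1.
    return m.expand(re.sub(r"\$(\d+)", r"\\\1", template))


def parse_clause(line):
    """Parse 'access to <target> [attrs=...] by <who> <level> ...' into
    (target_dict, [(who, level), ...]). Supports dn.base, dn.subtree,
    dn.regex and attrs selectors only (a simplified model, not slapd)."""
    toks = shlex.split(line)
    assert toks[:2] == ["access", "to"], "expected an 'access to' clause"
    target, bys, i = {}, [], 2
    while i < len(toks) and toks[i] != "by":
        key, val = toks[i].split("=", 1)
        target[key] = val
        i += 1
    while i < len(toks):
        assert toks[i] == "by"
        bys.append((toks[i + 1], toks[i + 2]))
        i += 3
    return target, bys


def target_matches(target, entry_dn, attr):
    """Does this clause's <what> select attribute `attr` of `entry_dn`?"""
    dn = entry_dn.lower()
    for key, val in target.items():
        if key == "dn.base" and dn != val.lower():
            return False
        if key == "dn.subtree" and not (dn == val.lower() or dn.endswith("," + val.lower())):
            return False
        if key == "dn.regex" and not re.search(val, entry_dn, re.IGNORECASE):
            return False
        if key == "attrs" and attr not in val.split(","):
            return False
    return True  # no attrs= selector: model treats it as covering entry/children too


def access_level(acl, bind_dn, entry_dn, attr):
    """First clause whose target matches decides; within it the first
    matching 'by' wins; no matching 'by' means 'none' (implicit by * none)."""
    for target, bys in acl:
        if not target_matches(target, entry_dn, attr):
            continue
        for who, level in bys:
            if who == "*" or (who.startswith("dn=") and who[3:].lower() == bind_dn.lower()):
                return level
        return "none"
    return "none"


def can_add(acl, bind_dn, new_dn):
    """An add requires write access to the parent's children pseudo-attribute."""
    parent = new_dn.split(",", 1)[1]
    return LEVELS.index(access_level(acl, bind_dn, parent, "children")) >= LEVELS.index("write")


def diagnose(acl_lines, sasl_dn, new_dn):
    """Map the SASL identity, then decide whether the add would be allowed."""
    acl = [parse_clause(line) for line in acl_lines]
    bind_dn = map_sasl_dn(SASL_REGEXP, sasl_dn)
    if can_add(acl, bind_dn, new_dn):
        return "ok"
    return "ldap_add: Insufficient access (50): no write access to parent"


# Constructed ACLs. The "broken" one grants write on every user entry but its
# target never selects the parent ou itself; the "fixed" one adds a clause for
# the parent's children pseudo-attribute in front of it.
BROKEN_ACL = [
    'access to dn.regex="^uid=[^,]+,ou=people,dc=qm$" '
    'by dn="uid=silasb,ou=people,dc=qm" write by * read',
]
FIXED_ACL = [
    'access to dn.base="ou=people,dc=qm" attrs=children '
    'by dn="uid=silasb,ou=people,dc=qm" write by * none',
] + BROKEN_ACL

if __name__ == "__main__":
    who = "uid=silasb,cn=QM,cn=gssapi,cn=auth"   # what GSSAPI hands slapd
    print(map_sasl_dn(SASL_REGEXP, who))
    print(diagnose(BROKEN_ACL, who, "uid=newuser,ou=people,dc=qm"))
    print(diagnose(FIXED_ACL, who, "uid=newuser,ou=people,dc=qm"))
```

Running it prints the mapped DN uid=silasb,ou=people,dc=qm, then the insufficient-access result for the broken ACL and "ok" for the fixed one. The same model also shows the other failure mode from the thread: without a matching sasl-regexp the bind identity stays uid=silasb,cn=QM,cn=gssapi,cn=auth, so a "by dn=" clause naming the ou=people entry never matches, however generous its access level.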