[Date Prev][Date Next] [Chronological] [Thread] [Top]

Bug in slapd's acl's with SASL (ITS#2067)

To: openldap-its@OpenLDAP.org
Subject: Bug in slapd's acl's with SASL (ITS#2067)
From: quanah@stanford.edu
Date: Wed, 4 Sep 2002 21:20:33 GMT

Full_Name: Quanah Gibson-Mount
Version: 2.1.4
OS: Solaris 8
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (171.64.13.58)


Hello,

Currently if we define our ACL's as such:

# ACL include file for slapd
#
# this is specific to ldap4.stanford.edu for testing

access to *
        by dn="cn=manager,dc=stanford,dc=edu" write
        by group="cn=Supervisor,cn=Applications,dc=stanford,dc=edu" write
        by group="cn=ldapAdmin,cn=Applications,dc=stanford,dc=edu" read
        by dn="cn=replicator,cn=Applications,dc=stanford,dc=edu" read
        by * read


Where membership is defined in the groups using SASL with GSSAPI and regexp's,
everything works fine.

However, as soon as we remove 'by * read', we can no longer bind into our groups
for access.

Prev by Date: Re: slapd returns different attribute name than asked for (ITS#2064)
Next by Date: ACL order changes * by * read access (ITS#2068)
Index(es):
- Chronological
- Thread