Re: SASL docs?

["Kurt D. Zeilenga" <Kurt@OpenLDAP.org>]

At 01:06 PM 9/14/00 +0200, Hugo.van.der.Kooij@caiw.nl wrote:
>dn: cn=Hugo van der Kooij,ou=hugo,dc=vanderkooij,dc=org
>objectclass: top
>objectclass: person
>objectclass: inetOrgPerson
>objectclass: organizationalPerson
>uid: hvdkooij
>cn: Hugo van der Kooij
>sn: van der Kooij
>userpassword: {SASL}

userpassword: {SASL}kvdkooij

Then it will ask Cyrus SASL to validate the asserted password
for this user.

>> Note the above ACL is kind of useless.  Here is a more useful
>> (untested) example:
>> 
>>         access to dn="^uid=([^,]+),dc=example,dc=com"
>>                 by dn="uid=$1 \+ realm=EXAMPLE\.COM" write
>>                 by dn="uid=[^,]+.*" read
>
>Hmmm. What benefit would [^,]+ bring over [^,] in this case? + in this
>case means one or more where the [^,] forbids the presence of a , in the
>part before the domain.

I likely meant: "by dn="uid=[^,]+" read"  (grant read to other
DNs of the uid=user + realm=REALM form).

>And should I use uid in some other fashion then I describe above? (I justs
>added the uid: line without testing.)

Note that the ACL I provides assumes you are using SASL bind.
If you want to use simple bind with SASL verification, you likely
need additional by clauses to the above ACL as clients authorized
using simple bind have the bind dn as their authorization dn.

Here is an overly simplistic example

access to dn="^uid=([^,]+),dc=example,dc=com"
  by self write
  by dn="uid=$1 \+ realm=EXAMPLE\.COM" write'
  by users read
  by anonymous auth