ACL's for SASL compat.

[Marc Heckmann <heckmann@hbesoftware.com>]

Hi,

	I have managed to get SASL authentication working with 2.0.4 + the patch that was posted on this list. Everything is working well and I can do SASL
authentication with my rootdn (uid=rootuser + real=foo) I can also do it with LDAP users of the type "userPassword: {SASL}testuser", i can also simple do authentication using the same
"userPassword" attribute. However when trying to modify some of the testuser's attributes using SASL binding and the ACL below, I get the following error:


[root@schoenberg openldap]# /usr/local/bin/ldapmodify  -Y DIGEST-MD5 -D "uid=testuser + realm=foo"  -W -f /tmp/modify.ldif -U testuser 
Enter LDAP Password: 
SASL/DIGEST-MD5 authentication started
SASL username: testuser
SASL realm: schoenberg
SASL SSF: 112
SASL installing layers
modifying entry "uid=testuser,portalId=ABC,ou=People,o=MyOrg"
ldap_modify: Insufficient access

ldif_record() = 50


here is the ACL that I'm trying to use with SASL binding:

access to dn="uid=([^,]+),portalId=ABC,ou=People,o=MyOrg"
  by self write
  by dn="uid=$1 \+ realm=foo" write
  by anonymous auth
  by * read

the follwing is the ACL that I use for simple binding. The ldapmopdify command works using simple binding with the same ldif file:

access to *
        by self write
        by anonymous auth
        by dn="uid=rootuser + realm=foo" write
        by * read


here is the ldif entry that I am trying to execute: 

dn: uid=testuser,portalId=ABC,ou=People,o=MyOrg
changetype: modify
replace: telephonenumber
telephonenumber: 123-4567

	Any suggestions? Thanks in advance.

	Cheers,

PS: thank you for SASL in LDAP 2.0, it rocks.

-- 
	Marc Heckmann  -  Network Operations  
        HBE Software/Opendesk.Com
        heckmann@hbesoftware.com www.hbesoftware.com
        heckmann@opendesk.com www.opendesk.com
        Tel. (514) 876-7881 ext. 219
        Fax. (514) 876-9223