I have 2.0.7 running with Cyrus SASL w/GSSAPI on Solaris 7 and it works great as long as the user kinit's with Kerberos first. It looks like this:
# ldapmodify -I -f ./modify.ldif
SASL/GSSAPI authentication started
SASL Interaction
Please enter your authorization name: sysgod
SASL username: sysgod
SASL SSF: 56
SASL installing layers
modifying entry "uid=sysgod,ou=People,dc=asu,dc=edu"
But now I don't know what client the users might have - they may not have the nice client that OpenLDAP provides, so we need to also authenticate via simple and hope for the same result... but it seems to ignore the "userPassword: {SASL}username" entry:
# ldapsearch -W -x -D "uid=sysgod,ou=People,dc=asu,dc=edu" -f ./modify.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials
As I understand it this should look at the userPassword entry for uid=sysgod and authenticate as such. That user is valid in our KDC, so I'm not sure what's happening here. My ACLs look like this:
# Access for SASL authenticated users
access to dn="uid=([^,]+),ou=People,dc=asu,dc=edu"
        by dn="uid=$1\@ASU\.EDU" write
        by dn="uid=$1" write
        by * read
# Access for simple authenticated users
access to *
        by self write
        by dn="cn=Manager,dc=asu,dc=edu" write
        by * read
Do I need to have one big butt-ugly access statement to handle both situations? Or, am I missing something else?
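To see how the two ACL blocks above interact for a SASL-mapped identity (uid=sysgod@ASU.EDU) versus a simple-bound one (uid=sysgod,ou=People,dc=asu,dc=edu), here is a small evaluator added as an illustration. It is not code from the post or from OpenLDAP; it is a deliberately simplified model that assumes unanchored regex matching of the DN patterns, literal $1 substitution from the target regex into the "by" clauses, and slapd's rule that the first "access to" directive matching the entry is the only one consulted (a later "by self write" never rescues an entry already claimed by an earlier directive). The DNs and the ACLS_SASL_ONLY variant are constructed for the demonstration.

```python
import re

# The two directives from the post, as (target_regex, [(who, pattern, level), ...]).
# "by dn=..." patterns keep $1 so it can be expanded from the target match.
ACLS = [
    ("uid=([^,]+),ou=People,dc=asu,dc=edu", [
        ("dn", r"uid=$1@ASU\.EDU", "write"),   # SASL-authenticated identity
        ("dn", r"uid=$1", "write"),            # simple-bound identity (unanchored)
        ("*", None, "read"),
    ]),
    (".*", [
        ("self", None, "write"),
        ("dn", r"cn=Manager,dc=asu,dc=edu", "write"),
        ("*", None, "read"),
    ]),
]

# Constructed variant: the first directive only knows the SASL form of the DN.
ACLS_SASL_ONLY = [
    ("uid=([^,]+),ou=People,dc=asu,dc=edu", [
        ("dn", r"uid=$1@ASU\.EDU", "write"),
        ("*", None, "read"),
    ]),
    ACLS[1],
]


def expand(pattern, target_match):
    """Replace $1..$9 in a by-clause pattern with the groups captured by the
    target regex (assumption: literal substitution, as in this simple model)."""
    return re.sub(r"\$(\d)", lambda m: target_match.group(int(m.group(1))), pattern)


def access_level(target_dn, bound_dn, acls=ACLS):
    """Return the access level the bound DN (None = anonymous) gets on target_dn.

    Model of slapd evaluation: the first directive whose target regex matches
    is selected; within it, the first matching 'by' clause decides. If the
    directive matches the entry but no 'by' clause matches, access is 'none'.
    """
    for target_re, by_clauses in acls:
        m = re.search(target_re, target_dn)
        if not m:
            continue
        for who, pattern, level in by_clauses:
            if who == "*":
                return level
            if who == "self" and bound_dn is not None and bound_dn == target_dn:
                return level
            if who == "dn" and bound_dn is not None and re.search(expand(pattern, m), bound_dn):
                return level
        return "none"
    return "none"


if __name__ == "__main__":
    entry = "uid=sysgod,ou=People,dc=asu,dc=edu"
    cases = [
        ("SASL bind (mapped DN)", "uid=sysgod@ASU.EDU"),
        ("simple bind (own DN)", entry),
        ("simple bind (other user)", "uid=bob,ou=People,dc=asu,dc=edu"),
        ("anonymous", None),
    ]
    for label, who in cases:
        print(f"{label:28s} -> {access_level(entry, who)} "
              f"(SASL-only ACL: {access_level(entry, who, ACLS_SASL_ONLY)})")
```

The last column is the point of the exercise: with the first directive covering only the uid=$1@ASU.EDU form, a user who binds simply with their own DN gets "read" on their own entry, because the "by self write" clause lives in a directive that is never reached for entries under ou=People. One directive per entry set, listing every identity form that should be allowed, is the shape that handles both bind methods.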