
RE: ACLs



Thanks everyone, I have it working now...

Perhaps there are more people struggling with this, so here are some
pointers on how I have it working:

My ACLs are now: (they are not perfect, but it works :))

access to dn="^uid=([^,]+),ou=People,dc=sprinter,dc=org"
        attrs=userPassword
        by dn="uid=$1" write
        by dn="cn=Manager,dc=sprinter,dc=org" write
        by self write
        by anonymous auth
        by * none

access to attr=userPassword
        by self write
        by dn="cn=Manager,dc=sprinter,dc=org" write
        by anonymous auth
        by * none

access to *
        by self write
        by dn="cn=Manager,dc=sprinter,dc=org" write
        by * read

Besides that I have the following options in slapd.conf:
sasl-host eon.za.net
sasl-realm "SPRINTER.ORG"
sasl-secprops none

I have setup Kerberos with a realm named SPRINTER.ORG.

When I start kinit I authenticate with a user named eon.
After this ldapsearch -Y gssapi will contact the OpenLDAP server which
assigns uid=eon to my authenticated user. According to the ACLs in
slapd.conf that user will get write access to his simple bind password
(userPassword). The reason that there is another ACL for the userPassword
attribute is that groups can also have passwords, and you don't want to have
default read access on those... :)

I probably have some errors in this story above, so if anyone finds them,
please correct :) However, it is working for me right now...

Grtz,
	Eon.
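To see how slapd walks the three directives above (first matching "access to" wins, then the first matching "by" wins, and a directive with no matching "by" denies), here is an added, simplified evaluator of those ACLs. It is example code, not from the post or from OpenLDAP; it assumes, as the post says, that the GSSAPI identity is mapped to the bare DN "uid=eon", and it compares DNs as plain strings where slapd would normalise them first. The group entry "cn=staff,ou=Groups,..." is constructed.

```python
import re

# Constructed model of the three "access to" directives from the post.
# Each entry: (dn regex or None, attribute set or None, ordered "by" clauses).
MANAGER = "cn=Manager,dc=sprinter,dc=org"
ACLS = [
    # access to dn="^uid=([^,]+),ou=People,dc=sprinter,dc=org" attrs=userPassword
    (r"^uid=([^,]+),ou=People,dc=sprinter,dc=org", {"userPassword"},
     [("dn", "uid=$1", "write"), ("dn", MANAGER, "write"), ("self", None, "write"),
      ("anonymous", None, "auth"), ("*", None, "none")]),
    # access to attr=userPassword
    (None, {"userPassword"},
     [("self", None, "write"), ("dn", MANAGER, "write"),
      ("anonymous", None, "auth"), ("*", None, "none")]),
    # access to *
    (None, None,
     [("self", None, "write"), ("dn", MANAGER, "write"), ("*", None, "read")]),
]

def access(who, entry_dn, attr):
    """Access level `who` (bound DN, "" for anonymous) gets to `attr` of `entry_dn`.

    Assumption from the post: the GSSAPI user binds as the bare DN "uid=eon",
    which is what `by dn="uid=$1"` is compared against. Exact string compare only.
    """
    for dn_regex, attrs, by_clauses in ACLS:
        m = re.match(dn_regex, entry_dn) if dn_regex else None
        if dn_regex and not m:
            continue            # directive does not cover this entry
        if attrs is not None and attr not in attrs:
            continue            # directive does not cover this attribute
        for kind, value, level in by_clauses:
            if kind == "*":
                return level
            if kind == "anonymous" and who == "":
                return level
            if kind == "self" and who == entry_dn:
                return level
            if kind == "dn":
                # $1 expands to the capture group of the directive's dn regex
                target = value.replace("$1", m.group(1)) if m else value
                if who == target:
                    return level
        return "none"           # implicit trailing "by * none"
    return "none"               # no directive matched the request at all

if __name__ == "__main__":
    eon = "uid=eon,ou=People,dc=sprinter,dc=org"
    grp = "cn=staff,ou=Groups,dc=sprinter,dc=org"  # constructed group entry
    print(access("uid=eon", eon, "userPassword"))   # write: via uid=$1
    print(access("", grp, "userPassword"))           # auth: anonymous may bind
    print(access("uid=eon", grp, "userPassword"))    # none: group passwords hidden
    print(access("uid=eon", eon, "mail"))            # read: falls to "access to *"
```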