Re: Another ACL question ...

[Anthony Brock <abrock@georgefox.edu>]

By the absolute silence in response to any of these queries, I gather that 
in the integration of Kerberos and LDAP there is no way to:

1) directly reference the SASL user id in ACLs, and that it is not planned 
for implementation.
2) automate the association of "uid=abrock" and "DN: uid=abrock,dc=...." 
(allowing use of the "self" attribute in ACLs).

Assuming these as fact, I currently have only one other question. When 
using Kerberos our test LDAP server returns an authzdn of:

do_sasl_bind: dn () mech GSSAPI
SASL Authorize [conn=0]: "tempid" as "u:tempid"
slap_sasl_bind: username="u:tempid" realm="" ssf=56
<== slap_sasl_bind: authzdn: "uid=tempid"
send_ldap_sasl: err=0 len=-1

How do you configure LDAP to return the REALM as well as the uid, instead 
of just realm=""?

Thanks for any ideas/clarification. So far, the product seems to have come 
a LONG way in the past 2 years! Well done!

Tony

At 08:21 AM 02/06/2002 -0800, you wrote:
> After experimenting with the ACLs a little more, I have another question.
> Previously, we had entries such as:
>
> access to attrs=userPassword
>          by self read
>          by
> group/groupofuniquenames/uniquemember="cn=Admins,dc=georgefox,dc=edu" write
>          by * auth
>
> Now, we need to change these to enable the SASL identity be used. From the
> mailing list archives, I have composed:
>
> access to dn="^([^,])+,dc=georgefox,dc=edu" attrs=userPassword
>          by dn="$1" read
>          by
> group/groupofuniquenames/uniquemember="cn=Admins,dc=georgefox,dc=edu" write
>          by * auth
>
> Currently, we store the DN of ldap entries in the "uniquemember"
> attribute.
> Do I need to change this? How can I adjust the previous ACLs to map the
> SASL DN (which in my case does not contain a ???realm??? ) to the DN
> stored
> in the LDAP directory? Once there, how do I pull that person from the
> "uniquemember" attribute?
>
> Again, thank you for the great help so far!
>
> Tony
>
> At 06:08 PM 02/05/2002 -0800, you wrote:
> >>If I am using SASL with Kerberos, and I need to map the SASL identity
> >>(Kerberos identity in this case) to a specific attribute in the object,
> >>how
> >>can I directly reference the supplied SASL identity inside a filter or
> >>regexp? I am thinking it must be something like:
> >>
> >>access to dn="(.*,)?dc=georgefox,dc=edu"
> >>          by filter="(&(uid=$ID)(idnum=$1))" write
> >>          by * read
> >>
> >>assuming that $ID would be replaced with the supplied identity. Thanks in
> >>advance!
> >>
> >>Tony
> >>
> >>************************************************************************ 
> ******
> >>* Anthony Brock
> >>abrock@georgefox.edu *
> >>* Director of Network Services                         George Fox
> >>University *
> >>************************************************************************ 
> ******
>
> ******************************************************************************
> * Anthony Brock
> abrock@georgefox.edu *
> * Director of Network Services                         George Fox
> University *
> ******************************************************************************

******************************************************************************
* Anthony Brock                                         abrock@georgefox.edu *
* Director of Network Services                         George Fox University *
******************************************************************************