
SASL auth w/userPassword req's anon "search" ACL



Hello,

I was not able to find this documented anywhere, but it appears that SASL
authentication mechanisms which use the userPassword (e.g., DIGEST-MD5)
require that the "anonymous" role be granted "search" access to the user
entry -- "auth" is not sufficient.  If the access is only "auth", SASL
returns the message "user not found: no secret in database." If I raise the
access to "=sx", then the SASL lookup (and provided the correct credentials,
the authentication) will succeed. Incidentally, I have an ACL rule on
'userPassword' granting anonymous only "auth" access -- this does not
disrupt the process.

Is this the correct (though undocumented) behavior?  Or should the
authentication with SASL in fact work with only "auth" access to the record?
Either way, this issue is a candidate for the admin guide.

I am running OpenLDAP 2.1.8 on RedHat Linux 7.3, kernel 2.4.18, and
Cyrus-SASL 2.1.6.

Thanks,

David Pisoni
Sr. Software Engineer,
LRN, The Legal Knowledge Company
dpisoni@lrn.com
310-209-5364
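The two ACL configurations the post contrasts, written out as an added slapd.conf example (not taken from the original message or from the OpenLDAP project; the suffix dc=example,dc=com and the rule ordering are assumptions). Variant A is the "auth only" setup that, per the post, makes DIGEST-MD5 fail with "user not found: no secret in database"; variant B is the "=sx" grant on the user entry that the poster found sufficient, while the userPassword attribute itself keeps the narrower "auth" grant:

```conf
# Added example for OpenLDAP 2.1 slapd.conf (assumed suffix dc=example,dc=com).
# Rules are evaluated in order; the first "access to" clause whose target
# matches decides, and within it the first "by" clause that matches the
# requester wins.  rootdn is never subject to these rules.

#############################################
# Variant A: anonymous has "auth" only.
# Simple binds work.  Per the post, the SASL DIGEST-MD5 secret lookup
# cannot locate the entry and reports "no secret in database".
#############################################
access to attrs=userPassword
        by anonymous auth            # "auth" == "=x": bind only, no search/read
        by self write
        by * none

access to dn.subtree="ou=people,dc=example,dc=com"
        by anonymous auth            # anonymous can bind, but not search the entry
        by users read
        by * none

#############################################
# Variant B: the arrangement the post reports as working.
# userPassword keeps "auth" (unchanged); the user entry itself now grants
# anonymous exactly search + authenticate ("=sx"), no read.
#############################################
access to attrs=userPassword
        by anonymous auth            # still auth only on the password attribute
        by self write
        by * none

access to dn.subtree="ou=people,dc=example,dc=com"
        by anonymous =sx             # search + auth, so the SASL lookup can find the entry
        by users read
        by * none
```

The "=sx" grant is deliberately exact: it lets an anonymous client locate the entry (search) and bind against it (auth) without handing out read access to the entry's other attributes, which is the narrowest widening that matches what the post observed. After reloading slapd, a quick check is a SASL bind with `ldapwhoami -Y DIGEST-MD5 -U <uid>` against each variant; variant A should reproduce the "no secret in database" message and variant B should return the mapped identity.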