
Re: Does "Users" in acl only go for simple binds and not with sasl/gssapi?



--- "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> wrote:
> At 10:56 PM 6/30/2005, jay alvarez wrote:
> >And as you've said...
> >
> >> As far as your question regarding "users", slapd-access(5)
> >> says:
> >>    The keyword users means access is granted to
> >>    authenticated clients.
> >
> >so, when I'm using sasl/gssapi for authentication, it
> >goes without saying that I'm already authenticated,
> >right?
> 
> No.  In fact, the client never even got far enough
> to attempt a SASL/GSSAPI authentication exchange.
> It failed trying to anonymously discover the SASL
> mechanisms the server supports.
> 
> > What's with that "no more <who> clauses"??
> 
> It means that no <who> clause in your access statement
> matched the subject, anonymous.  That is, users !=
> anonymous.  Hence, no access was allowed.
> 
> You have two choices: either don't use LDAP's SASL
> mechanism discovery mechanism, e.g., use ldapsearch(1)'s
> -Y to select what mechanism to use, or allow anonymous
> enough access to accomplish mechanism discovery, e.g.,
> read access to (all or select portions of) the root
> DSE.
Ok, that explains it all. I guess that's why most of
the access list examples available on the web start
with an access rule for dn="". Anyway, I tried them
both and they both worked. I even investigated
debug.log and found some interesting differences in
those three situations.

Thanks Kurt! You're the best!!
> 
> Kurt
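As an added illustration that is not part of this thread, the following slapd.conf fragment shows the shape of the two access configurations Kurt describes side by side: the one that fails for an unauthenticated mechanism-discovery read of the root DSE, and the one that grants anonymous just enough access to that entry. The directory suffix, host name and the exact attribute list are assumptions for the example; `dn.base=""`, `attrs=`, the first-match ordering of `access to` rules and `ldapsearch -Y` are documented slapd-access(5) and ldapsearch(1) behaviour.

```conf
# Added example, not from the thread. Assumed suffix: dc=example,dc=com

# --- Failing configuration ---
# Only authenticated clients may read anything, the root DSE included.
# Without -Y, ldapsearch first reads supportedSASLMechanisms from the
# root DSE as anonymous; "users" does not match anonymous, so slapd logs
# "no more <who> clauses" and no GSSAPI exchange is ever attempted.
access to *
    by users read

# --- Corrected configuration ---
# Rules are tried in order and the first "access to" that matches the
# entry wins, so the root DSE rule must come before the catch-all.
# Option 1 (server side): let anyone read the root DSE attributes a
# client needs for mechanism discovery. dn.base="" is the root DSE.
access to dn.base="" attrs=supportedSASLMechanisms,supportedLDAPVersion,namingContexts
    by * read

# Everything else still requires a bind (simple or SASL) to succeed.
access to *
    by users read

# Option 2 (client side, no ACL change): name the mechanism explicitly
# so the client never has to read the root DSE anonymously. Host and
# base DN below are placeholders.
#   ldapsearch -Y GSSAPI -H ldap://ldap.example.com -b dc=example,dc=com
```

With option 1 in place, `ldapsearch -x -H ldap://ldap.example.com -s base -b "" supportedSASLMechanisms` should return the mechanism list anonymously while a search under the suffix still requires authentication; the debug log for the anonymous read then shows the `dn.base=""` rule matching instead of falling through to "no more <who> clauses".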