RE: objectIdentifierMatch (ITS#2095)
--On Friday, September 20, 2002 6:56 PM -0700 Howard Chu <email@example.com>
> There is no remaining bug in ITS#2067. Your ACL has denied access to the
> rootDSE, including the supportedSASLMechanisms attribute, so the client is
> unable to query for available SASL mechanisms; that's all.
Okay, that should now be fixed. The ACL now looks like:

    access to dn=""
        by * read
    access to *
        by dn="cn=replicator,cn=applications,dc=stanford,dc=edu" write
        by group="cn=supervisor,cn=applications,dc=stanford,dc=edu" read
        by group="cn=ldapadmin,cn=applications,dc=stanford,dc=edu" read
        by anonymous auth
So now it can get to the supported SASL mechanisms. I am a member of both
ldapadmin and supervisor. Still, with this setup, I cannot bind as either
of them. The only way I can get this to work is to add

    by users read

to the "access to *" bit, which gives anyone with Kerberos 5 (slightly
better than before) the ability to read data from our directory servers,
which, quite simply, we cannot allow due to federal privacy concerns.
Senior Systems Administrator
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
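To make the first-match semantics behind the two ACL variants in the thread concrete, here is a small Python model of slapd-style ACL evaluation. It is an added example, not code from the thread or from OpenLDAP, and the group memberships plus the uid=quanah and uid=stranger identities are constructed sample data. It shows that under the posted ACL an authenticated identity outside the two groups gets no access to entries (anonymous gets "auth" only), and that appending "by users read" grants read to every authenticated identity.

```python
# Minimal model of slapd "access to <what> by <who> <level>" evaluation (an added
# example, not OpenLDAP code). Directives are tried top-down; the first whose
# <what> matches the entry decides, and inside it the first matching "by" wins.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]
# Constructed sample group memberships (slapd reads these from the directory).
GROUPS = {
    "cn=supervisor,cn=applications,dc=stanford,dc=edu": {"uid=quanah,dc=stanford,dc=edu"},
    "cn=ldapadmin,cn=applications,dc=stanford,dc=edu": {"uid=quanah,dc=stanford,dc=edu"},
}
def _arg(clause):
    """Value after the 'dn=' / 'group=' keyword, with surrounding quotes removed."""
    return clause.split("=", 1)[1].strip('"')

def who_matches(who, bind_dn):
    """Does a <who> clause match the requester? bind_dn None means anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who.startswith("dn="):
        return bind_dn == _arg(who)
    if who.startswith("group="):
        return bind_dn in GROUPS.get(_arg(who), set())
    return False

def what_matches(what, target_dn):
    """<what> is either '*' or an exact dn= (the only two forms in the thread)."""
    return what == "*" or (what.startswith("dn=") and target_dn == _arg(what))

def evaluate(acl, bind_dn, target_dn):
    """Access level the requester gets on target_dn under acl (first match wins)."""
    for what, by_clauses in acl:
        if what_matches(what, target_dn):
            for who, level in by_clauses:
                if who_matches(who, bind_dn):
                    return level
            return "none"  # matching 'access to' but no matching 'by': denied
    return "none"
def allows(level, needed):
    """Levels are ordered: 'auth' permits binding but not reading entries."""
    return LEVELS.index(level) >= LEVELS.index(needed)

# The ACL posted in the thread, as (what, [(who, level), ...]) pairs.
ACL = [('dn=""', [("*", "read")]),
       ("*", [('dn="cn=replicator,cn=applications,dc=stanford,dc=edu"', "write"),
              ('group="cn=supervisor,cn=applications,dc=stanford,dc=edu"', "read"),
              ('group="cn=ldapadmin,cn=applications,dc=stanford,dc=edu"', "read"),
              ("anonymous", "auth")])]
# The variant the thread calls the only working one: 'by users read' appended
# to 'access to *', so every authenticated identity can read every entry.
ACL_USERS_READ = [(w, b + [("users", "read")]) if w == "*" else (w, b) for w, b in ACL]
```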