[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: objectIdentifierMatch (ITS#2095)

--On Friday, September 20, 2002 6:56 PM -0700 Howard Chu <hyc@symas.com> wrote:

There is no remaining bug in ITS#2067. Your ACL has denied access to the
rootDSE, including the supportedSASLMechanisms attribute, so the client is
unable to query for available SASL mechanisms, that's all.


Okay, that should now be fixed.  The ACL now looks like:

access to dn=""
	by * read

access to *
	by dn="cn=replicator,cn=applications,dc=stanford,dc=edu" write
	by group="cn=supervisor,cn=applications,dc=stanford,dc=edu" read
	by group="cn=ldapadmin,cn=applications,dc=stanford,dc=edu" read
	by anonymous auth

So now, it can get to the supported SASL mechanisms. I am a member of both ldapadmin, and supervisor. Still, with this setup, I cannot bind as either of them. The only way I can get this to work is to add
by users read
to the access to * bit
Which gives anyone with Kerberos 5 (slightly better than before), the ability to read data from our directory servers, which quite simply, we cannot allow due to federal privacy concerns.

Any suggestions?


Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html