[Date Prev][Date Next] [Chronological] [Thread] [Top]

Problems with ACLs..

I've got an ACL like this:

# Sasl stuff
sasl-realm NET.IC.AC.UK

# Access control
defaultaccess read

access to dn="^uid=([^,]+),ou=People,ou=Directory,dc=net,dc=ic,dc=ac,dc=uk"
  by self write
  by dn="uid=$1 \+ realm=NET\.IC\.AC\.UK" write
  by * auth

This ACL doesn't seem to work. Without the ACL, everything works as
expected, including SASL (both GSSAPI and CRAM-MD5). I get:

ldapsearch -b 'dc=net,dc=ic,dc=ac,dc=uk' 'objectclass=*' -x -D
'uid=pjm3,ou=People,ou=Directory,dc=net,dc=ic,dc=ac,dc=uk' -W
<supply password>

# net,dc=ic,dc=ac,dc=uk
dn: dc=net,dc=ic,dc=ac,dc=uk
objectClass: top
objectClass: domain
dc: net

# Directory,dc=net,dc=ic,dc=ac,dc=uk
dn: ou=Directory,dc=net,dc=ic,dc=ac,dc=uk
objectClass: top
objectClass: organizationalUnit
ou: Directory

# People,Directory,dc=net,dc=ic,dc=ac,dc=uk
dn: ou=People,ou=Directory,dc=net,dc=ic,dc=ac,dc=uk
objectClass: top
objectClass: organizationalUnit
ou: People


With the ACL, basic authentication works - *BUT*, I don't get the objects
above me in the hierarchy, I just get:

dn: uid=pjm3,ou=People,ou=Directory,dc=net,dc=ic,dc=ac,dc=uk
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
uid: pjm3
cn: pjm3
uidNumber: 26406
gidNumber: 6572
homeDirectory: /tmp
loginShell: /bin/sh
gecos: Mayers, Mr Philip
description: Mayers, Mr Philip
userPassword:: <blah>

With SASL and the ACL (GSSAPI or CRAM-MD5, both of which work fine without
the ACL), I get no output, and "ldap_sasl_interactive_bind_s: DSA is
unavailable". If I supply a "-Y mech" argument, I simply get no results, but
no errors either. (I know why this last step happens. The ACL seems to be
matching the RootDSE, and the client can't read the supportedSASLMechanisms

Am I doing something stupid with the ACLs?

This is OpenLDAP 2.0.3, on stock RedHat 6.2, with SASL 1.5.21.


| Phil Mayers, Network Support     |
| Centre for Computing Services    |
| Imperial College                 |