
Re: ACL's for SASL compat.

At 12:37 PM 10/4/00 -0400, Marc Heckmann wrote:
>On Wed, Oct 04, 2000 at 08:55:22AM -0700, Kurt D. Zeilenga wrote:
>> >> >        Any suggestions? Thanks in advance.
>> >> 
>> >> 
>> >> Trim the extra white space from the DN regex...  i.e.:
>> >> 
>> >>         by dn="uid=$1\+realm=foo" write
>> >
>> >Tried it and it does not work, same error (insufficient access)....
>> >Any other ideas or debugging switches? Is there another way to get the
>> >same effect using sasl binding?
>> That is for SASL binding.
>yes I used SASL binding, sorry if I was not clear, it does not work. I meant are there any
>alternate ways to specify the ACL that would have the same effect. It does work with simple

The authorization DN produced by the SASL code depends upon
configuration, mechanisms used, etc. Look at your logs
(with TRACE enabled) and you'll see messages reporting the
authorization DN:
  <== slap_sasl_bind: authzdn: "uid=kurt@OPENLDAP.ORG"
  <== slap_sasl_bind: authzdn: "uid=kurt + realm=OPENLDAP.ORG"

Then write regexes to match the normalized (s/ \+ /+/) DN.
  access to dn="(uid=[[:alnum:]]+),dc=OpenLDAP,dc=Org"
    by dn="$1(\@OPENLDAP\.ORG|\+realm=OPENLDAP\.ORG)" write
    by dn="uid=[[:alnum:]]+(\@OPENLDAP\.ORG|\+realm=OPENLDAP\.ORG)" read
  access to *
    by dn="uid=[[:alnum:]]+(\@OPENLDAP\.ORG|\+realm=OPENLDAP\.ORG)" read

(the above may contain typos or other minor errors as I only
ran this through my built-in, buggy regex parser).
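The following is an added example, not part of the thread or of OpenLDAP itself: a small Python model of how the ACL above is evaluated against the authorization DNs that appear in the TRACE log. It pulls the `authzdn` strings out of constructed log lines in the format quoted above, applies the s/ \+ /+/ normalization, substitutes the `$1` capture from the `access to dn` regex into the `by dn` regex, and reports the access level that results. Assumptions made here: the regexes are anchored with `^` and `$`, the captured `$1` text is substituted as literal (escaped) text, and the POSIX `[[:alnum:]]` class is translated to `[A-Za-z0-9]` because Python's `re` module does not support it.

```python
import re

# Constructed sample TRACE output, in the format quoted in the message above.
SAMPLE_LOG = '''
<== slap_sasl_bind: authzdn: "uid=kurt@OPENLDAP.ORG"
<== slap_sasl_bind: authzdn: "uid=kurt + realm=OPENLDAP.ORG"
'''

AUTHZDN_RE = re.compile(r'slap_sasl_bind: authzdn: "([^"]*)"')


def extract_authzdns(log_text):
    """Pull every authorization DN reported by slap_sasl_bind out of TRACE output."""
    return [m.group(1) for m in AUTHZDN_RE.finditer(log_text)]


def normalize_dn(dn):
    # The s/ \+ /+/ normalization: drop blanks around the '+' multi-valued RDN separator.
    return re.sub(r'\s*\+\s*', '+', dn)


def posix_to_py(pattern):
    """Translate the POSIX [[:alnum:]] class used in slapd.conf into Python re syntax."""
    return pattern.replace('[:alnum:]', 'A-Za-z0-9')


# ACL modelled on the one in the message. The ^ and $ anchors are an assumption
# added here. Structure: (target DN regex, [(by-dn regex, access level), ...]).
ACL = [
    (r'^(uid=[[:alnum:]]+),dc=OpenLDAP,dc=Org$', [
        (r'^$1(\@OPENLDAP\.ORG|\+realm=OPENLDAP\.ORG)$', 'write'),
        (r'^uid=[[:alnum:]]+(\@OPENLDAP\.ORG|\+realm=OPENLDAP\.ORG)$', 'read'),
    ]),
    (r'.*', [
        (r'^uid=[[:alnum:]]+(\@OPENLDAP\.ORG|\+realm=OPENLDAP\.ORG)$', 'read'),
    ]),
]


def expand_captures(by_regex, match):
    """Replace $1, $2, ... in a by-dn regex with the groups captured from the target
    regex. The captured text is escaped here so that it is matched literally."""
    for i, grp in enumerate(match.groups(), start=1):
        by_regex = by_regex.replace('$%d' % i, re.escape(grp))
    return by_regex


def evaluate(acl, target_dn, authz_dn):
    """Return the access level the ACL grants authz_dn on target_dn.

    Order of evaluation modelled here: the first 'access to' directive whose
    target matches the entry is used; within it the first matching 'by' clause
    wins, and 'none' applies when no 'by' clause matches.
    """
    norm = normalize_dn(authz_dn)
    for target_re, by_clauses in acl:
        m = re.search(posix_to_py(target_re), target_dn)
        if m is None:
            continue
        for by_re, level in by_clauses:
            if re.search(posix_to_py(expand_captures(by_re, m)), norm):
                return level
        return 'none'
    return 'none'


if __name__ == '__main__':
    entry = 'uid=kurt,dc=OpenLDAP,dc=Org'
    for authz in extract_authzdns(SAMPLE_LOG):
        print('%-35s -> normalized %-30s -> %s on %s'
              % (authz, normalize_dn(authz), evaluate(ACL, entry, authz), entry))
```

Running the script shows both forms of the authorization DN from the log (the `@realm` form and the `+realm=` form) being granted write on the user's own entry once the blanks around `+` are removed; feeding the un-normalized `uid=kurt + realm=...` string straight to the regex would not match, which is the "insufficient access" symptom described in the thread.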