
Re: ACL's for SASL compat.
At 04:35 PM 10/6/00 -0400, Marc Heckmann wrote:
>I get a "Can't contact ldap server" error

That's a bug which I'm working on fixing... disable layers
to workaround (e.g.: -O maxbufsize=0).

>here is the trace:
>
>Oct  6 16:31:49 schoenberg slapd[9297]: do_bind 
>Oct  6 16:31:49 schoenberg slapd[9297]: do_sasl_bind: dn () mech DIGEST-MD5 
>Oct  6 16:31:50 schoenberg slapd[9297]: SASL Authorize [conn=1]: "testuser" as "u:testuser" 
>Oct  6 16:31:50 schoenberg slapd[9297]: slap_sasl_bind: username="u:testuser" realm="schoenberg" ssf=128 
>Oct  6 16:31:50 schoenberg slapd[9297]: <== slap_sasl_bind: authzdn: "uid=testuser + realm=schoenberg" 

Your authzdn (subject DN) is "uid=testuser + realm=schoenberg",
so your ACLs should be designed to match the normalized subject DN
of "uid=testuser+realm=schoenberg" (note that the + is a regex special
character), for example:

        access to * by dn="uid=.+\+realm=schoenberg" read

        Kurt
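The point Kurt makes about `+` being a regex metacharacter is easy to get wrong in an ACL, so here is an added illustration (not code from the post or from OpenLDAP) that applies the ACL pattern from the reply, and a naive unescaped one, to the normalized authzdn from the trace. The `normalize_dn` helper is a deliberately minimal stand-in for slapd's DN normalizer (it only removes the whitespace around `+`), and the use of an anchored full match is an assumption of this demo; the escaping point holds either way.

```python
import re

# Constructed from the trace quoted in the post: the authzdn as slapd logged it,
# before normalization (note the spaces around the '+').
LOGGED_AUTHZDN = "uid=testuser + realm=schoenberg"


def normalize_dn(dn: str) -> str:
    """Toy normalization: collapse whitespace around the '+' that joins the
    values of a multi-valued RDN, giving the form the post says ACLs must be
    written against. Hypothetical helper; slapd's normalizer does far more
    (escaping, case folding, attribute type handling)."""
    return re.sub(r"\s*\+\s*", "+", dn.strip())


def acl_dn_matches(pattern: str, normalized_dn: str) -> bool:
    """Evaluate a 'by dn=<regex>' pattern against a normalized subject DN.
    Assumption for this demo: the pattern is anchored at both ends."""
    return re.fullmatch(pattern, normalized_dn) is not None


# A pattern written as if '+' were an ordinary character. As a regex, 'r+'
# means "one or more r", so the literal '+' in the DN is never matched.
NAIVE_PATTERN = "uid=testuser+realm=schoenberg"

# The pattern from the post: '\+' matches the literal '+' in the RDN.
ESCAPED_PATTERN = r"uid=.+\+realm=schoenberg"

# Exact-match alternative for a single user: re.escape() inserts the '\+'.
LITERAL_PATTERN = re.escape("uid=testuser+realm=schoenberg")


def evaluate(logged_dn: str) -> dict:
    """Return which of the three patterns match the normalized DN, plus
    whether the naive pattern would also match an unrelated, constructed DN
    (it grants access to 'uid=testuserrrealm=schoenberg' instead)."""
    dn = normalize_dn(logged_dn)
    return {
        "normalized": dn,
        "naive": acl_dn_matches(NAIVE_PATTERN, dn),
        "escaped": acl_dn_matches(ESCAPED_PATTERN, dn),
        "literal": acl_dn_matches(LITERAL_PATTERN, dn),
        "naive_matches_other_dn": acl_dn_matches(
            NAIVE_PATTERN, "uid=testuserrrealm=schoenberg"  # constructed DN
        ),
    }


if __name__ == "__main__":
    for key, value in evaluate(LOGGED_AUTHZDN).items():
        print(f"{key}: {value}")
```

Running it shows the naive pattern silently failing for the intended DN while matching a DN that was never meant to get access, which is why an ACL regex should escape `+` (or use `re.escape`-style quoting of the whole DN when only one subject is intended).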