[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACLs

Your working ACL unfortunately lets anyone change anyone else's password. It's
seems to me that SASL was implemented earlier than perhaps it's usefulness
because it's a de facto standard. There supposedly is a saslRegExp directive
one puts in slapd.conf that remaps the SASL identities to actual user dn's. It
isn't in 2.0.7, but it may be in the devel version. It's mentioned in the

Alexander Brinkman wrote:

> Here I go again :)
> Everything with SASL and openLDAP is working now, except for the ACLs (I
> think). I understand that there is no direct relationship between SASL users
> (in Kerberos or SASLdb) and LDAP users (uid=xxx,ou=People,dc=domain,dc=org
> for instance). But in that case: whats the point of authentication with
> I was pointed out that it could depend on my ACLs what users would get when
> they're connecting with SASL, but I can't find good references to this.
> When I do:
> access to attr=userPassword
>         by dn=".+" write
> it works (openldap knows that SASL users are authenticated), but when I do:
> access to attr=userPassword
>         by self write
> then it doesn't work. Is there a way to get this working?
> Tia,
>         Alexander.
> --
> AVADES INTERNET BV  http://www.avades.nl
> Alexander Brinkman  a.brinkman@avades.nl