[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SASL Authentication, DNs and supported SASLMechanisms



At 04:39 PM 2001-08-30, Nels Lindquist wrote:
>o When authenticating using SASL, it seems that you're always given an authorization DN of the form "uid=username + realm=REALM",

Yes.

>which is all well and good for searching/viewing entries visible to all 
>authenticated users, but right now a SASL authorized user will never see an entry which the ACL system 
>calls "self."

Correct. 

>Is there any way to associate an entry of the above form with a DN of the SASL authorized 
>"uid=username + realm = REALM" form?

regex's...
        access to dn="(uid=.*),dc=example,dc=com"
                by dn="uid=$1 + realm=REALM" write

>o Once ACLs are actually applied to the server, then SASL aware applications no longer work without 
>specifying an authentication method on the command line (ie, if I use -Y [SASL mech] then it still 
>works).

Add an ACLs allowing the root dse to be read...
        access to dn=""
                by * read


>It appears that applications such as ldapsearch are attempting to query the server to see which 
>mechanisms are supported, but the query is denied.  (Output from slapd -d 386):
>
>----
>daemon: conn=1 fd=10 connection from IP=206.75.202.1:3754 (IP=0.0.0.0:34049) accepted.
>ldap_read: want=1, got=1
>  0000:  30                                                 0                 
>ldap_read: want=1, got=1
>  0000:  3e                                                 >                 
>ldap_read: want=62, got=62
>  0000:  02 01 01 63 39 04 00 0a  01 00 0a 01 00 02 01 00   ...c9...........  
>  0010:  02 01 00 01 01 00 87 0b  6f 62 6a 65 63 74 63 6c   ........objectcl  
>  0020:  61 73 73 30 19 04 17 73  75 70 70 6f 72 74 65 64   ass0...supported  
>  0030:  53 41 53 4c 4d 65 63 68  61 6e 69 73 6d 73         SASLMechanisms    
>ldap_read: want=1 error=Resource temporarily unavailable
>conn=1 op=0 SRCH base="" scope=0 filter="(objectClass=*)"
>=> access_allowed: read access to "" "entry" requested
>=> acl_get: [1] check attr entry
>=> acl_get: [2] check attr entry
><= acl_get: [2] acl  attr: entry
>=> acl_mask: access to entry "", attr "entry" requested
>=> acl_mask: to all values by "", (=n) 
><= check a_dn_pat: self
><= check a_dn_pat: anonymous
><= acl_mask: [2] applying auth (=x) (stop)
><= acl_mask: [2] mask: auth (=x)
>=> access_allowed: read access denied by auth (=x)
>acl: access to entry not allowed
>ber_flush: 14 bytes to sd 10
>  0000:  30 0c 02 01 01 65 07 0a  01 00 04 00 04 00         0....e........    
>ldap_write: want=14, written=14
>  0000:  30 0c 02 01 01 65 07 0a  01 00 04 00 04 00         0....e........    
>conn=1 op=0 RESULT tag=101 err=0 text=
>ldap_read: want=1, got=0
>
>conn=-1 fd=10 closed
>----
>My ACLs look like this:
>
>access to attr=userPassword
>        by self write
>        by anonymous auth
>        by dn="cn=Manager,dc=maei,dc=ca" write
>        by dn="cn=Manager,o=Morningstar Air Express Inc.,c=CA" write
>        by * none
>
>access to *
>        by self write
>        by anonymous auth
>        by dn="cn=Manager,dc=maei,dc=ca" write
>        by dn="cn=Manager,o=Morningstar Air Express Inc.,c=CA" write
>        by * read
>
>I tried adding an ACL of the form "access to supported SASLMechanisms by anonymous read", but it didn't 
>help.
>
>Any ideas?
>----
>Nels Lindquist <*>
>Information Systems Manager
>Morningstar Air Express Inc.