
Re: SASL Authentication, DNs and supported SASLMechanisms
On 30 Aug 2001 at 18:18, Kurt D. Zeilenga wrote:

> >Is there any way to associate an entry of the above form with a DN of
> >the SASL authorized "uid=username + realm = REALM" form? 
> 
> regex's...
>         access to dn="(uid=.*),dc=example,dc=com"
>                 by dn="uid=$1 + realm=REALM" write

Just for clarification--the inference here is that for the ACL system to associate a SASL authenticated 
user with a particular entry, the DN must have at least the UID in common with the SASL authname so that 
a regex ACL can be created.  Currently my user DNs are of the form cn=[full name],ou=People,o=[Company 
name],c=CA.  There *is* a uid field in each entry, but the uids aren't currently part of the DN.  It 
looks like I'm going to have to change all my user DNs so that they incorporate the uid.  Is this 
assumption correct?
 
> >o Once ACLs are actually applied to the server, then SASL aware
> >applications no longer work without specifying an authentication
> >method on the command line (ie, if I use -Y [SASL mech] then it still
> >works). 
> 
> Add an ACLs allowing the root dse to be read...
>         access to dn=""
>                 by * read

I experienced the same difficulty with this as Stéphane did.  Attempting to start slapd with the above 
ACL results in the following error:

> /usr/local/etc/openldap/slapd.conf: line 50: missing "=" in (or value
> after) "dn" in to clause 
----
Nels Lindquist <*>
Information Systems Manager
Morningstar Air Express Inc.