[Date Prev][Date Next] [Chronological] [Thread] [Top]


> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Quanah

> > I have to add "by anonymous search" in the third ACL to get
> it working
> > And after that I can comment the first ACL without effect
> Yup.  If you want, and can figure out exactly what it
> information it is
> wanting to look at, you can restrict this even more.  For us,
> any incoming
> connection needs access to the krb5PrincipalName attribute
> (since we are
> doing GSSAPI authentication for our applications), so I have the line:
> access to attr=krb5PrincipalName,member
>         by * search

As advance notice - the requirement for "Search" access in evaluating SASL
authentication was unintended. In 2.1.16 only "Auth" access will be needed
for SASL support.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support