Re: Problem with ACL 'domain='



>>>>> "Turbo" == Turbo Fredriksson <turbo@bayour.com> writes:

    Turbo> I'm setting up a 2.1.21 server at home, so I can test the
    Turbo> new server types...

Is there any document or HOWTO somewhere that describes the DIFFERENCES
between 2.0 and 2.1 (especially on ACLs)?

It seems like I got MORE problems than this...


To be able to use 'sasl-regexp', I need anonymous read to the krb5PrincipalName,
but I can't seem to get that working...
----- s n i p -----
sasl-regexp             uid=(.*),cn=(.*),cn=gssapi,cn=auth
                        "ldap://localhost/o=Turbo Fredriksson??sub?krb5PrincipalName=$1@BAYOUR.COM"
[...]
# We need to do SASL auth, so the Root DSE must be readable to anyone
access to dn="" attr=supportedSASLMechanisms,objectClass,entry
        by domain=.*\.bayour\.com read
        by domain=localhost read
#
access to attr=uid,cn,accountStatus,uidNumber,gidNumber,gecos,homeDirectory,loginShell,krb5PrincipalName,entry
        by domain=.*\.bayour\.com read
        by domain=localhost read
        by aci write
----- s n i p -----

As I'm used to from 2.0 this would work. But not in 2.1. No
anonymous read to krb5PrincipalName. If I use the following
ACL, it works if I do a SASL bind (but not anonymous):
----- s n i p -----
access to dn="" attr=supportedSASLMechanisms,objectClass,uid,cn,accountStatus,uidNumber,gidNumber,gecos,homeDirectory,loginShell,krb5PrincipalName,entry
        by domain=.*\.bayour\.com read
        by domain=localhost read
        by aci write
----- s n i p -----

This is what I get with this ACL entry:
----- s n i p -----
[tuzjfi.tty2]$ ldapsearch -x -LLL -h localhost -b 'o=turbo fredriksson' krb5PrincipalName=turbo@BAYOUR.COM krb5PrincipalName
[tuzjfi.tty2]$ ldapsearch -LLL -h localhost -b 'o=turbo fredriksson' krb5PrincipalName=turbo@BAYOUR.COM krb5PrincipalName
SASL/GSSAPI authentication started
SASL username: turbo@BAYOUR.COM
SASL SSF: 56
SASL installing layers
dn: cn=Turbo Fredriksson,ou=People,o=Turbo Fredriksson
krb5PrincipalName: turbo@BAYOUR.COM
----- s n i p -----


I've tried to read the 2.1 Admin manual, especially the section
on 'Using SASL', but it seems to only talk about the sasl-regexp
config option, not ACLs.
-- 
AK-47 fissionable PLO Peking Iran Clinton congress kibo domestic
disruption nitrate NSA jihad president Panama arrangements
[See http://www.aclu.org/echelonwatch/index.html for more about this]
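As an added illustration (not part of the post above and not OpenLDAP's own code), the following Python script walks through what the sasl-regexp line quoted in the post does: the authentication DN produced by the SASL bind is matched against the regexp, the captured group is substituted into the LDAP URL, and the URL is split into the base, scope, attributes and filter of the internal search. The last helper lists which attribute types that search has to be able to read, which is the ACL question the post raises (krb5PrincipalName plus the 'entry' pseudo-attribute). Assumptions: the authentication DN form uid=<authcid>,cn=<realm>,cn=gssapi,cn=auth is constructed from the post's regexp, the match is anchored to the whole DN, and the filter-escaping of the substituted value is this example's own hardening, not a statement about what slapd 2.1 does.

```python
import re
from typing import Dict, List, Optional, Set
from urllib.parse import unquote

# Taken verbatim from the slapd.conf fragment in the post:
#   sasl-regexp <match-regexp> <replacement-LDAP-URL>
SASL_REGEXP_MATCH = r"uid=(.*),cn=(.*),cn=gssapi,cn=auth"
SASL_REGEXP_REPLACE = (
    "ldap://localhost/o=Turbo Fredriksson??sub?krb5PrincipalName=$1@BAYOUR.COM"
)

# Constructed sample (assumption): the authentication DN slapd forms for a
# GSSAPI bind as turbo@BAYOUR.COM, i.e. uid=<authcid>,cn=<realm>,cn=<mech>,cn=auth.
SAMPLE_AUTHC_DN = "uid=turbo,cn=BAYOUR.COM,cn=gssapi,cn=auth"


def escape_filter_value(value: str) -> str:
    """Escape a value for safe use inside an LDAP search filter (RFC 4515 style).

    This is the example's own defensive step: a captured group that contained
    '*' or parentheses would otherwise change the meaning of the filter.
    """
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def apply_sasl_regexp(
    authc_dn: str,
    match: str = SASL_REGEXP_MATCH,
    replace: str = SASL_REGEXP_REPLACE,
) -> Optional[str]:
    """Return the LDAP URL after $N substitution, or None if the DN does not match.

    The match is anchored to the whole DN (assumption for this example).
    """
    m = re.fullmatch(match, authc_dn)
    if m is None:
        return None

    def substitute(ref: "re.Match[str]") -> str:
        # $1, $2, ... refer to the capture groups of the match regexp.
        return escape_filter_value(m.group(int(ref.group(1))))

    return re.sub(r"\$(\d+)", substitute, replace)


def parse_ldap_url(url: str) -> Dict[str, object]:
    """Split ldap://host/dn?attrs?scope?filter?exts (RFC 2255 layout) into parts."""
    m = re.fullmatch(r"ldap://([^/]*)/(.*)", url)
    if m is None:
        raise ValueError("not an ldap:// URL: " + url)
    host, rest = m.group(1), m.group(2)
    parts: List[str] = rest.split("?")
    parts += [""] * (5 - len(parts))  # missing trailing components are empty
    dn, attrs, scope, filt, exts = parts[:5]
    return {
        "host": host,
        "base": unquote(dn),
        "attrs": [a for a in attrs.split(",") if a],
        "scope": scope or "base",  # RFC 2255 default scope is 'base'
        "filter": unquote(filt),
        "extensions": exts,
    }


def filter_attribute_types(filt: str) -> Set[str]:
    """Attribute types named in a filter; these must be readable by the searcher."""
    return set(re.findall(r"([A-Za-z][A-Za-z0-9.;-]*)[~<>]?=", filt))


def attributes_needed_by_search(url: str) -> Set[str]:
    """Attribute types the internal sasl-regexp search reads, plus 'entry'.

    Whatever identity slapd performs that search as must be granted read on
    these by the ACLs; the post shows what happens when it is not.
    """
    parsed = parse_ldap_url(url)
    needed = filter_attribute_types(str(parsed["filter"]))
    needed.update(parsed["attrs"])  # type: ignore[arg-type]
    needed.add("entry")
    return needed


if __name__ == "__main__":
    url = apply_sasl_regexp(SAMPLE_AUTHC_DN)
    print("mapped URL:", url)
    print("search:", parse_ldap_url(url))
    print("ACL must allow read on:", sorted(attributes_needed_by_search(url)))
```

Running it prints the URL slapd would build for the sample bind (localhost, base o=Turbo Fredriksson, subtree scope, filter krb5PrincipalName=turbo@BAYOUR.COM) and the attribute set {entry, krb5PrincipalName} that the searching identity needs read access to; a DN from another mechanism (cn=digest-md5) falls through the regexp and maps to nothing.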