Re: RootDN Login
Quoting Russell Seymour <russell.seymour@turtlesystems.co.uk>:
> Good Morning list,
>
> I have successfully built an OpenLDAP Directory with Kerberos and SASL support
> and I can access the directory with a user in the Kerberos database, e.g:
>
> ldaptest@REALM
>
> However what I cannot do is access the directory with the RootDN that I have
> specified in the 'slapd.conf' file. I get back the following error message:
Don't use the 'rootdn' directive. Use proper ACLs instead.
In a 2.0 server, it would look like:
by dn="uid=ldaptest.+\+realm=REALM" write
and in a 2.1 server you need to first construct the 'sasl-regexp' and then
another ACL. This is what I do in my 2.1.22 server:
sasl-regexp uid=(.*),cn=(.*),cn=gssapi,cn=auth
ldap:///c=SE??sub?(krb5PrincipalName=$1@REALM)
[...]
by dn="cn=turbo fredriksson,ou=people,o=fredriksson,c=se" write
The last line comes from running 'ldapwhoami':
[tuzjfi.tty2]$ ldapwhoami -h localhost
SASL/GSSAPI authentication started
SASL username: turbo@BAYOUR.COM
SASL SSF: 56
SASL installing layers
dn:cn=turbo fredriksson,ou=people,o=fredriksson,c=se
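An added example, not part of this message, showing how the 'sasl-regexp' and the 'access' rules fit together in a 2.1-style slapd.conf; REALM, the c=SE base, the ou/o values and the 'cn=admin user' entry are placeholders, not values from the thread:

```conf
# slapd.conf fragment (added example; REALM, c=SE and the ou/o values are placeholders)

# Map the SASL/GSSAPI authorization identity that slapd builds,
# "uid=<principal>,cn=<realm>,cn=gssapi,cn=auth", to the entry under c=SE
# whose krb5PrincipalName equals "<principal>@REALM". $1 is the first
# capture group (the principal); continuation lines start with whitespace.
sasl-regexp
    uid=(.*),cn=(.*),cn=gssapi,cn=auth
    ldap:///c=SE??sub?(krb5PrincipalName=$1@REALM)

# ACLs are evaluated in order and the first matching 'access to' wins,
# so put the narrow rule for credentials before the catch-all.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# The DN reported by 'ldapwhoami' for the Kerberos admin gets write access;
# no rootdn is needed. Authenticated users read, anonymous binds get nothing.
access to *
    by dn="cn=admin user,ou=people,o=example,c=se" write
    by users read
    by * none
```

Run 'ldapwhoami' after a GSSAPI bind to confirm the mapped DN before pasting it into the 'by dn=' clause; a typo there silently falls through to the 'by users read' line.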
- References:
- RootDN Login
- From: Russell Seymour <russell.seymour@turtlesystems.co.uk>