[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ENC: RES: sasl proxy authorization and regexp

> Hello!
> I am using the 2.2.5 version. The log is bellow.
> I modified my user Joao to the following:
> dn: uid=joao,cn=Alunos,cn=CampusII,dc=ucb,dc=br
> changetype: modify
> replace: saslAuthzTo
> saslAuthzTo: dn.regex:uid=.*,cn=Alunos,ou=CampusI,dc=ucb,dc=br
> I am trying to execute the command:
> ldapadd -f ./ucb3.ldif -U joao@ares.cesmic.ucb.br -X
> "dn:uid=fgoulart,cn=Alunos,ou=CampusI,dc=ucb,dc=br" -Y DIGEST-MD5
> And the error is:
> SASL/DIGEST-MD5 authentication started
> Please enter your password:
> ldap_sasl_interactive_bind_s: Insufficient access (50)
>         additional info: SASL(-14): authorization failure: not
> authorized
> I have the ACL "access to * by
> dn.base="uid=fgoulart,cn=Alunos,ou=CampusI,dc=ucb,dc=br" write" in my
> slapd.conf.

This seems to be a poor ACL, because anonymous can't bind.
You should use

access to attrs=userPassword
  by * auth

(you may add write permission to someone, if needed,
e.g. by self or so) and then

access to *
  by dn.exact="uid=fgoulart,cn=Alunos,ou=CampusI,dc=ucb,dc=br" write

Try this and let me know.  A detailed log of the server,
especially of the saslauthz phase, would help as well.
But I don't think you'll get there, without anonymous
auth permission.


Pierangelo Masarati