
Does "Users" in ACL only go for simple binds and not with SASL/GSSAPI?



Good day,
I'm just trying to give everyone simple read access to
"ou=staff,dc=preginet", and yet slapd keeps complaining
that this is a bad DN.

Here are the access lists I have tested:

access to dn.children="ou=staff,dc=preginet"
         by * read

or

access to dn.subtree="ou=staff,dc=preginet"
         by * read

or


access to dn.base="ou=staff,dc=preginet"
         by * read

and every other directive format. The only thing that
works for me is the default (access to * by *).

I'm running LDAP clients through SASL/GSSAPI binds.
Everything works with an "* by *" ACL but not when I'm
trying to use other ACL directives.

If I were to have this:

access to * by users read

or

access to * by dn.regex="uid=.*,ou=staff,dc=preginet"
read

I get this:

ldap_sasl_interactive_bind_s: No such object (32)

Do authenticated users apply only to simple binds and
not to SASL/GSSAPI binds?
What's causing that bad DN error above?


    I hate asking how-to questions, but I've been reading
a lot of stuff regarding access lists, some of which
is outdated, others discuss changes from version
to version of OpenLDAP, and yet nothing seems to help.

I've been going back and forth through slapd.access(5),
the faq-o-matic, some docs, some user questions,
some common errors and still, still nothing seems to
help. Please help me out on this one because, when
"when all else fails" fails, I don't know where else
to go :(.

Thank you very much for your kindness.
I have attached here my very basic slapd.conf, hope it
helps.


Sincerely
Jayson


#<<<  GLOBAL  CONFIGURATION DIRECTIVES  >>>
#___________________________________________________________________


sasl-host   gaheris.camlann.pregi.net
sasl-realm CAMLANN.PREGI.NET
sasl-regexp
	uid=(.*),cn=camlann.pregi.net,cn=gssapi,cn=auth
	uid=$1,ou=staff,dc=preginet

#<<<  Begin Access Control  >>>
access to * by dn="uid=matato,ou=staff,dc=preginet" read
include		/usr/local/openldap/etc/openldap/schema/core.schema
include		/usr/local/openldap/etc/openldap/schema/cosine.schema
include		/usr/local/openldap/etc/openldap/schema/inetorgperson.schema
include		/usr/local/openldap/etc/openldap/schema/nis.schema
include		/usr/local/openldap/etc/openldap/schema/openldap.schema
include		/usr/local/openldap/etc/openldap/schema/misc.schema
#include 	/usr/local/openldap/etc/openldap/slapd.access

pidfile		/usr/local/openldap/var/run/slapd.pid
argsfile	/usr/local/openldap/var/run/slapd.args
defaultsearchbase "dc=preginet"
gentlehup on
loglevel -1
idletimeout 120
srvtab /etc/krb5.keytab
#___________________________________________________________________

#<<<  GENERAL BACKEND  DIRECTIVES  >>>
#___________________________________________________________________
backend		bdb
#___________________________________________________________________

database	bdb
suffix		"dc=preginet"
rootdn		"uid=matato,ou=staff,dc=preginet"
rootpw		ldapboy
directory	/usr/local/openldap/var/openldap-data
index	objectClass	eq
index	default pres,eq
index 	cn,sn,mail pres,eq,approx,sub
lastmod	on
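The two things the post touches on, the dn.<scope> selectors in slapd.access(5) and the sasl-regexp mapping of a GSSAPI identity onto a directory DN, can be modelled in a few lines. The following is an added illustration, not code from the original post or from OpenLDAP itself. It re-implements the matching rules as a toy evaluator: DNs are split on commas without escape handling, the sasl-regexp pattern is treated as a full-string match, and access levels must be given explicitly; those are simplifications of what slapd does. The DNs and the regexp rule are the ones shown in the posted slapd.conf, and the hypothetical helper names (dn_in_scope, map_sasl_identity, effective_bind_dn, evaluate_acl) are mine.

```python
import re
from typing import Optional

# --- Constructed sample data, taken from the DNs shown in the posted config ---
SASL_REGEXP_RULES = [
    # (search pattern, replacement) exactly as written under "sasl-regexp"
    (r"uid=(.*),cn=camlann.pregi.net,cn=gssapi,cn=auth",
     "uid=$1,ou=staff,dc=preginet"),
]

# Each ACL is ((scope, pattern), [(who, level), ...]); scope "*" is "access to *".
ACL_CHILDREN = [(("children", "ou=staff,dc=preginet"), [("*", "read")])]
ACL_USERS = [(("*", ""), [("users", "read")])]
ACL_REGEX = [(("*", ""), [("dn.regex=uid=.*,ou=staff,dc=preginet", "read")])]

# The identity a GSSAPI bind arrives with before any sasl-regexp is applied.
RAW_GSSAPI_AUTHZID = "uid=matato,cn=camlann.pregi.net,cn=gssapi,cn=auth"


def normalize_dn(dn: str) -> list:
    """Split a DN into lower-cased, trimmed RDNs (no escape handling)."""
    dn = dn.strip()
    return [rdn.strip().lower() for rdn in dn.split(",")] if dn else []


def dn_in_scope(scope: str, pattern: str, target: str) -> bool:
    """Emulate the dn.base / dn.one / dn.subtree / dn.children selectors."""
    p, t = normalize_dn(pattern), normalize_dn(target)
    if len(t) < len(p) or t[len(t) - len(p):] != p:
        return False            # target is not at or beneath the pattern DN
    depth = len(t) - len(p)     # 0 = the pattern entry itself
    return {
        "base": depth == 0,
        "one": depth == 1,
        "subtree": True,
        "children": depth >= 1,
    }[scope]


def map_sasl_identity(authzid: str, rules) -> Optional[str]:
    """Apply sasl-regexp rules in order; first match wins, else None."""
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, authzid, flags=re.IGNORECASE)
        if m:
            # slapd writes back-references as $1; Python's expand() wants \1
            return m.expand(re.sub(r"\$(\d+)", r"\\\1", replacement))
    return None


def effective_bind_dn(authzid: str, rules) -> str:
    """Without a matching rule the cn=auth form is what the ACLs see."""
    return map_sasl_identity(authzid, rules) or authzid


def evaluate_acl(acls, target_dn: str, bind_dn: Optional[str]) -> str:
    """First 'access to' whose target matches is selected; inside it the
    first matching 'by' clause decides. Nothing matching means 'none'."""
    for (scope, pattern), by_clauses in acls:
        if scope != "*" and not dn_in_scope(scope, pattern, target_dn):
            continue
        for who, level in by_clauses:
            if who == "*":
                return level
            if who == "users" and bind_dn:
                return level
            if who == "anonymous" and not bind_dn:
                return level
            if who.startswith("dn=") and bind_dn and \
                    normalize_dn(who[3:]) == normalize_dn(bind_dn):
                return level
            if who.startswith("dn.regex=") and bind_dn and \
                    re.fullmatch(who[len("dn.regex="):], bind_dn, re.IGNORECASE):
                return level
        return "none"
    return "none"


if __name__ == "__main__":
    mapped = effective_bind_dn(RAW_GSSAPI_AUTHZID, SASL_REGEXP_RULES)
    print("bind DN after sasl-regexp:", mapped)
    print("dn.children, entry under ou=staff:",
          evaluate_acl(ACL_CHILDREN, "uid=matato,ou=staff,dc=preginet", None))
    print("dn.children, the suffix itself:",
          evaluate_acl(ACL_CHILDREN, "dc=preginet", None))
    print("dn.regex with unmapped identity:",
          evaluate_acl(ACL_REGEX, "dc=preginet", RAW_GSSAPI_AUTHZID))
    print("dn.regex with mapped identity:",
          evaluate_acl(ACL_REGEX, "dc=preginet", mapped))
```

Two things the model makes visible: dn.children covers entries beneath "ou=staff,dc=preginet" but not that entry nor the "dc=preginet" suffix, so a search rooted there gets no access under that directive alone; and a by dn.regex="uid=.*,ou=staff,dc=preginet" clause only matches once the sasl-regexp has rewritten the cn=gssapi,cn=auth identity into the ou=staff form, which is why the mapping rule and the ACL have to agree on the DN shape.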