
Re: Does "Users" in acl only goes for simple binds and not with sasl/gssapi?



At 10:56 PM 6/30/2005, jay alvarez wrote:
>And as you've said...
>
>> As far as your question regarding "users",
>> slapd-access(5)
>> says:
>>    The keyword users means access is granted to
>>    authenticated clients.
>
>so, when I'm using sasl/gssapi for authentication, it
>goes without saying that I'm already authenticated,
>right?

No.  In fact, the client never even got far enough
to attempt a SASL/GSSAPI authentication exchange.
It failed trying to anonymously discover the SASL
mechanisms the server supports.

> What's with that "no more <who> clauses"??

It means that no <who> clause in your access statement
matched the subject, anonymous.  That is, users !=
anonymous.  Hence, no access was allowed.

You have two choices, either don't use LDAP's SASL
mechanism discovery mechanism, e.g., use ldapsearch(1)'s
-Y to select what mechanism to use, or allow anonymous
enough access to accomplish mechanism discovery, e.g.,
read access to (all or select portions of) the root DSE.

Kurt
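The two choices above, written out as slapd.conf fragments. This is an added illustration, not configuration from the original thread or from the OpenLDAP project; the suffix `dc=example,dc=com`, the host name and the attribute list are constructed for the example.

```conf
# --- The failing shape: nothing grants anonymous anything ---
# "users" matches only authenticated clients.  The client that is about
# to bind with SASL/GSSAPI is still anonymous when it reads the root DSE
# to discover supportedSASLMechanisms, so this ACL hides the root DSE
# from it and the bind never starts ("no more <who> clauses" in the log).
access to *
        by users read

# --- Fix A: let anyone read the root DSE (dn.base="" is the root DSE) ---
# Mechanism discovery needs only the root DSE, so expose just that entry
# and keep the directory data itself restricted to authenticated clients.
# Reading the root DSE reveals supported mechanisms, controls and naming
# contexts; if that is more than you want to disclose anonymously, limit
# the grant with attrs=supportedSASLMechanisms,entry instead of the whole
# entry (assumption: that narrower form is what you want).
access to dn.base=""
        by * read

access to dn.subtree="dc=example,dc=com"
        by users read
        by * none

# --- Fix B (client side, no server change): skip discovery entirely ---
# Naming the mechanism with -Y means ldapsearch never performs the
# anonymous root-DSE read, so the ACL above is never consulted for it:
#
#   ldapsearch -Y GSSAPI -H ldap://ldap.example.com -b "dc=example,dc=com" "(uid=jay)"
#
# --- Check: does anonymous discovery work after Fix A? ---
# An anonymous base search of the root DSE should now return the
# mechanism list rather than an empty result:
#
#   ldapsearch -x -H ldap://ldap.example.com -s base -b "" supportedSASLMechanisms
```

Fix A is the usual choice because every SASL-capable client (not just ldapsearch) performs the same anonymous discovery step before binding; Fix B only helps the one client you can instruct to name its mechanism. Remember that slapd evaluates `access` directives in order and stops at the first `to` clause that matches the entry, so the root-DSE rule must appear before any broader `access to *` rule.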