Re: Does "Users" in acl only goes for simple binds and not with sasl/gssapi?
- To: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- Subject: Re: Does "Users" in acl only goes for simple binds and not with sasl/gssapi?
- From: jay alvarez <firstname.lastname@example.org>
- Date: Fri, 1 Jul 2005 01:34:59 -0700 (PDT)
- Cc: openldap-software@OpenLDAP.org
- In-reply-to: <email@example.com>
--- "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> wrote:
> At 10:56 PM 6/30/2005, jay alvarez wrote:
> >And as you've said...
> >> As far as your question regarding "users",
> >> slapd-access(5)
> >> says:
> >> The keyword users means access is granted to
> >> authenticated clients.
> >so, when I'm using sasl/gssapi for authentication,
> >goes without saying that I'm already authenticated,
> No. In fact, the client never even got far enough
> to attempt a SASL/GSSAPI authentication exchange.
> It failed trying to anonymously discover the SASL
> mechanisms the server supports.
> > What's with that "no more <who> clauses"??
> It means that no <who> clause in your access
> matched the subject, anonymous. That is, users !=
> anonymous. Hence, no access was allowed.
> You have two choices, either don't use LDAP's SASL
> mechanism discovery mechanism, e.g., use
> -Y to select what mechanism to use, or allow
> enough access to accomplish mechanism discovery,
> read access to (all or select portions of) the root
Ok, that explains it all. I guess that's why most of
the access list examples available on the web start
with an access rule for dn="". Anyway, I tried them
both and they both worked. I even investigated
debug.log and found some interesting differences in
those three situations.
Thanks Kurt! You're the best!!
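Added example, not part of the original message and not OpenLDAP code: a simplified Python model of slapd's first-match ACL evaluation, showing why an anonymous read of the root DSE (DN "") gets no access under a users-only rule and succeeds once a dn.base="" rule precedes it. The two ACL texts are constructed, and only `*`, `dn.base=`, `anonymous` and `users` are modelled.

```python
# Simplified model of slapd's first-match ACL evaluation (added example, not slapd code).
# Modelled subset: <what> = * | dn.base="<dn>";  <who> = * | anonymous | users.
import shlex

LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def parse_acl(text):
    """Parse 'access to <what> by <who> <level> [by ...]' lines into rules."""
    rules = []
    for line in text.strip().splitlines():
        tok = shlex.split(line)          # dn.base="" is tokenized as 'dn.base='
        by = tok[3:]
        if tok[:2] != ["access", "to"] or not by or len(by) % 3:
            raise ValueError("unsupported directive: " + line)
        clauses = []
        for i in range(0, len(by), 3):
            if by[i] != "by" or by[i + 2] not in LEVELS:
                raise ValueError("bad <who> clause in: " + line)
            clauses.append((by[i + 1], by[i + 2]))
        rules.append((tok[2], clauses))
    return rules

def what_matches(what, dn):
    if what == "*":
        return True
    if what.startswith("dn.base="):
        return what[len("dn.base="):].lower() == dn.lower()
    raise ValueError("unsupported <what>: " + what)

def who_matches(who, bound_dn):
    # bound_dn is None for an anonymous session, a DN string once authenticated.
    return (who == "*" or (who == "anonymous" and bound_dn is None)
            or (who == "users" and bound_dn is not None))

def access(rules, dn, bound_dn):
    """Return the access level granted on entry `dn` to the session `bound_dn`."""
    if not rules:
        return "read"                    # no access directives at all: default is read
    for what, clauses in rules:
        if what_matches(what, dn):       # first matching <what> decides
            for who, level in clauses:
                if who_matches(who, bound_dn):
                    return level         # first matching <who> decides
            return "none"                # "no more <who> clauses": implicit by * none
    return "none"                        # no directive matched: implicit deny

def can_discover_mechs(rules):
    """Anonymous read of the root DSE, as a client does when no -Y is given."""
    return LEVELS.index(access(rules, "", None)) >= LEVELS.index("read")

# Constructed ACLs: the users-only policy and the same policy with a root DSE rule first.
USERS_ONLY = 'access to * by users read'
WITH_ROOT_DSE = 'access to dn.base="" by * read\naccess to * by users read'
```

With `-Y` the client skips the anonymous root DSE read, so the users-only policy is only consulted after the bind, when the `users` clause matches.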