[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL Headaches



* Bennett, Silas (GE Infrastructure) <Silas.Bennett@ge.com> [050921 22:26]:
> 	rootdn "cn=ldapadmin,dc=qm"
> 	rootpw {KERBEROS} ldapadmin@QM

You don't have tp setup a rootpw Statement with SASL. Providing a
rootdn-Statement is sufficient. With SASL Authentification is handled by
the sasl-Layer. The {KERBEROS}-PasswordSchema is obsolete.

> 
> SASL is set up to use GSSAPI correctly, since the following password also works:
> 
> 	rootpw {SASL} ldapadmin

That itself is not a hint, that SASL is working. It seems, you are
mixing to things up: LDAPv3 provides an authentification via SASL, that
is Authentification can be handled by a lot of means. The LDAP-Server
sees only the result of the authentification (strong bind). Then there 
is a way to provide a compatibility with simple binds: the LDAP-Server
pipes the given password to an external programm, and requests, if the
password and the useridenty in the userPassword-Attribute matches. 

For strong binds to work, you must provide a "sasl-regexp" statement in
your slapd.conf file. That provides a rule to match your SASL-DN's to
LDAP-DN's. Because you are using GSSAPI, it would be something like

sasl-regexp uid=(.*),cn=<REALM>,cn=gssapi,cn=auth uid=$1,<dn_of_usertree>

You can check with the "ldapwhoami"-Command, if the SASL-Matching works
as expected.

For your ACLs you should than use the dns of your user-entrys in the
LDAP-Tree.

-- 
Max-Born-Institut (MBI)/Max-Born-StraÃe 2A/12489 Berlin/Karsten Gorling
Telefon: ++49 30 6392 1341 / Telefax: ++49 30 6392 1309 
E-Mail: kgorling@physik.tu-berlin.de or gorling@mbi-berlin.de
Instantmessenger: Jabber: grafzahl@jabber.fsinf.de or ICQ: 95492828
PGP-Fingerprint:  4BEF 23EA 02AE BACA 9918  31FF 285B 0426 0E1A B2FC
----------------- > encrypted E-Mail preferred <------------------------