[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: ACL Headaches

Thank you Karsten & Dieter for your comments.

-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Karsten
Sent: Wednesday, September 21, 2005 4:16 PM
To: openldap-software@OpenLDAP.org
Subject: Re: ACL Headaches

>* Bennett, Silas (GE Infrastructure) <Silas.Bennett@ge.com> [050921 22:26]:
>> 	rootdn "cn=ldapadmin,dc=qm"
>> 	rootpw {KERBEROS} ldapadmin@QM
>You don't have tp setup a rootpw Statement with SASL. Providing a
>rootdn-Statement is sufficient. With SASL Authentification is handled by
>the sasl-Layer. The {KERBEROS}-PasswordSchema is obsolete.

Good to know. I was getting most of my info from Google, and apparently some of it was obsolete.

>> SASL is set up to use GSSAPI correctly, since the following password also works:
>> 	rootpw {SASL} ldapadmin
>That itself is not a hint, that SASL is working. It seems, you are
>mixing to things up: LDAPv3 provides an authentification via SASL, that
>is Authentification can be handled by a lot of means. The LDAP-Server
>sees only the result of the authentification (strong bind). Then there 
>is a way to provide a compatibility with simple binds: the LDAP-Server
>pipes the given password to an external programm, and requests, if the
>password and the useridenty in the userPassword-Attribute matches. 
>For strong binds to work, you must provide a "sasl-regexp" statement in
>your slapd.conf file. That provides a rule to match your SASL-DN's to
>LDAP-DN's. Because you are using GSSAPI, it would be something like
>sasl-regexp uid=(.*),cn=<REALM>,cn=gssapi,cn=auth uid=$1,<dn_of_usertree>

Great, Thank you!

>You can check with the "ldapwhoami"-Command, if the SASL-Matching works
>as expected.

after `kinit silasb` `ldapwhoami` now reports 


This is the correct user dn.

>For your ACLs you should than use the dns of your user-entrys in the

Every ACL listing now has
	by dn="uid=silasb,ou=people,dc=qm" write
	by dn="uid=silasb,cn=QM,cn=gssapi,cn=auth" write

but I still get

ldap_add: Insufficient access (50)
	additional info: no write access to parent

>Max-Born-Institut (MBI)/Max-Born-StraÃe 2A/12489 Berlin/Karsten Gorling
>Telefon: ++49 30 6392 1341 / Telefax: ++49 30 6392 1309 
>E-Mail: kgorling@physik.tu-berlin.de or gorling@mbi-berlin.de
>Instantmessenger: Jabber: grafzahl@jabber.fsinf.de or ICQ: 95492828
>PGP-Fingerprint:  4BEF 23EA 02AE BACA 9918  31FF 285B 0426 0E1A B2FC
>----------------- > encrypted E-Mail preferred <------------------------