Re: Access auth granularity?

[Dora Paula <deepee@gmx.net>]

On 09.05.2016 13:31, Hallvard Breien Furuseth wrote:
> On 09. mai 2016 09:00, Dora Paula wrote:
> > Dear List,
> >
> > I've two subtrees that contain user-accounts:
> > ou=usersA,dc=example,dc=com and ou=usersB,dc=example,dc=com.
> >
> > Goal: Users below ou=userA,... should only be allowed to bind using
> > sasl_bind, but not with simple_bind. Whereas users below ou=usersB,...
> > should
> > be allowed to bind using both (or any kind of bind).
>
> Simple Bind uses anonymous auth (=x) access to userPassword.
> Does your SASL setup use userPassword?  If not, or if userPassword
> for SASL look like {foo}something but other passwords do not,
> use can use something like
>
> olcAccess: to attrs=userPassword dn.children="ou=usersB,..."
>    by anonymous =x
>    by self =w
> # just reject passwords outside usersB.  If you need something else,
> # may add val.regex=^[{]SASL[}] or whatever, see man slapd.access(5)
> olcAccess: to attrs=userPassword by * none

Hallvard,

unfortunately, I think I had been glad already too early:

I use locally (in slapd) stored passwords (using the userPassword 
attribute, mainly to be able to ldapmodify them, and of course plain 
text to allow DIGEST-MD5 to work).

If I understand the admin guide correct, adding {SASL} always activates 
passthru authentication (e.g. saslauthd). If not, could you please go 
into more detail regarding your idea? Is it possible to 
pass-thru-back-to-slapd?

Thanks again.