On Saturday 08 September 2007 20:18:01 Turbo Fredriksson wrote:
Quoting Pierangelo Masarati <ando@sys-net.it>:
that slapo-ppolicy(5) enforces a single value for the password attribute, even though such a constraint is not present in the specification of userPassword.
That was not the issue, the issue was that I was authenticated with my SASL (Krb5 key) _even though I did not have {SASL} in userPassword_.
No, you were *authorized* by your sasl-regexp. You were *authenticated* by your Kerberos server.
With GSSAPI, the LDAP server doesn't do authentication.
As such, the LDAP server wasn't even consulted about whether it knows anything about your account, only that it should map your SASL identity to a DN (that need not exist in the directory).
Regards, Buchan
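
The split described in the reply above, as an added example that is not part of the original thread and is not OpenLDAP code: a simplified Python model of a GSSAPI bind in which Kerberos authenticates and a sasl-regexp style rule only rewrites the SASL identity into a DN. The rule, realm, directory contents and function names are constructed assumptions.

```python
import re

# Constructed sample directory: the only DN that actually has an entry.
DIRECTORY = {"uid=alice,ou=people,dc=example,dc=com"}

# Hypothetical rule in the style of slapd's sasl-regexp: a match pattern
# and a replacement, with $1 standing for the first capture group.
RULE = (r"uid=([^,]+),cn=example\.com,cn=gssapi,cn=auth",
        "uid=$1,ou=people,dc=example,dc=com")


def map_sasl_identity(authc_dn, rule=RULE):
    """Rewrite a SASL authentication DN into a directory DN.

    This is a pure string rewrite: no entry is looked up and
    userPassword is never read.
    """
    pattern, replacement = rule
    m = re.fullmatch(pattern, authc_dn, re.IGNORECASE)
    if m is None:
        return authc_dn  # no rule matched: identity stays under cn=auth
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)


def bind_gssapi(kerberos_ok, principal, realm="example.com"):
    """Model of a GSSAPI bind: Kerberos authenticates, the rule maps."""
    if not kerberos_ok:
        return None  # authentication failed before any mapping happens
    authc_dn = f"uid={principal},cn={realm},cn=gssapi,cn=auth"
    return map_sasl_identity(authc_dn)


def audit(authz_dn):
    """Defender's check: classify a bound identity against the directory."""
    dn = authz_dn.lower()
    if dn.endswith(",cn=auth"):
        return "unmapped"
    return "entry-exists" if dn in DIRECTORY else "no-entry"


if __name__ == "__main__":
    for user in ("alice", "carol"):  # carol has a ticket but no entry
        dn = bind_gssapi(True, user)
        print(user, "->", dn, "|", audit(dn))
```

Access control written against the mapped DN therefore applies even when audit() reports "no-entry", which is why reviewing the mapping rules and ACLs together matters.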