--On Tuesday, September 30, 2014 2:30 PM -0400 Steven Presser steve@pressers.name wrote:
No; that bind DN is used only in simple authentication. I am maintaining them as separate accounts, for the time being. One of my ACLs is:
access to *
    by dn.exact="cn=repl,dc=pressers,dc=name" read
    by dn.exact="uid=ldap/mordor.pressers.name, cn=pressers.name,cn=gssapi,cn=auth" read
    by * break
Which I think ought to cover the permissions required pretty well. As you can see, they have identical permissions.
Also, I just noticed an error introduced by copy-paste in my last email. In both configs there is a floating "i" on the searchbase line. That "i" belongs at the end of "GSSAP" on the saslmech line.
Ok, well, without having your full configs available (minus passwords), one can only make guesses. ;)
I would start with binding as that ID using ldapwhoami, then move on to ldapsearch, etc, and verify all of that works as expected.
--Quanah
--
Quanah Gibson-Mount
Server Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration