On 09.05.2016 13:31, Hallvard Breien Furuseth wrote:
> On 09. mai 2016 09:00, Dora Paula wrote:
>> Dear List,
>> I've two subtrees that contain user-accounts: ou=usersA,dc=example,dc=com and ou=usersB,dc=example,dc=com.
>> Goal: Users below ou=userA,... should only be allowed to bind using sasl_bind, but not with simple_bind. Whereas users below ou=usersB,... should be allowed to bind using both (or any kind of bind).
>
> Simple Bind uses anonymous auth (=x) access to userPassword. Does your SASL setup use userPassword? If not, or if userPassword for SASL look like {foo}something but other passwords do not, you can use something like
>
> olcAccess: to attrs=userPassword dn.children="ou=usersB,..."
>   by anonymous =x
>   by self =w
> # just reject passwords outside usersB. If you need something else,
> # may add val.regex=^[{]SASL[}] or whatever, see man slapd.access(5)
> olcAccess: to attrs=userPassword
>   by * none
Hallvard,
unfortunately, I think I had been glad too early:
I use locally (in slapd) stored passwords (using the userPassword attribute, mainly to be able to ldapmodify them, and of course plain text to allow DIGEST-MD5 to work).
If I understand the admin guide correctly, adding {SASL} always activates passthru authentication (e.g. saslauthd). If not, could you please go into more detail regarding your idea? Is it possible to pass-thru-back-to-slapd?
Thanks again.
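For readers following the thread, here is Hallvard's ACL sketch written out as a complete cn=config modification. This is an added example, not config posted by either participant; it assumes the data backend is olcDatabase={1}mdb and uses the two subtree DNs from the question. It only separates the two kinds of bind under the condition Hallvard states first: a simple bind is an anonymous client asking for auth (=x) access to userPassword, so withholding that access outside ou=usersB is what blocks simple binds there. A SASL mechanism that also fetches userPassword from slapd is evaluated against the same rules during the bind, which is exactly the situation Dora describes.

```ldif
# Added example (not from the thread). Assumed: data backend is
# olcDatabase={1}mdb,cn=config; subtrees ou=usersA and ou=usersB under
# dc=example,dc=com as in the original question.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Only entries below ou=usersB grant anonymous =x on userPassword,
# which is what a simple bind needs; the entry may change its own password.
olcAccess: {0}to attrs=userPassword dn.children="ou=usersB,dc=example,dc=com"
  by anonymous =x
  by self =w
  by * none
# Every other userPassword (ou=usersA included) is withheld from
# anonymous, so a simple bind against those entries fails.
olcAccess: {1}to attrs=userPassword
  by self =w
  by * none
# Ordinary access for the rest of the tree; adjust to local policy.
olcAccess: {2}to *
  by self write
  by users read
  by anonymous auth
```

Hallvard's second hint, for deployments where the SASL credentials carry a recognisable scheme prefix, is a value-level rule such as `to attrs=userPassword val.regex="^[{]SASL[}]" by anonymous =x by self =w by * none`, placed before rule {1} and renumbered accordingly (see slapd.access(5)). It does not help when, as in this thread, the SASL password is stored in clear text with no distinguishing prefix.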