On 15/04/10 15:33 +0200, Giovanni Malfarà wrote:
In slapd (slapd -d -1) debug messages I get:
SASL [conn=7] Debug: DIGEST-MD5 server step 2
slap_sasl_getdn: u:id converted to
uid=test@xxxxxxxxxxxx,cn=DIGEST-MD5,cn=auth
dnNormalize: <uid=test@xxxxxxxxxxxx,cn=DIGEST-MD5,cn=auth>
<<< dnNormalize: <uid=test@xxxxxxxxxxxx,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name
uid=test@xxxxxxxxxxxx,cn=digest-md5,cn=auth to a DN
slap_authz_regexp: converting SASL name
uid=test@xxxxxxxxxxxx,cn=digest-md5,cn=auth
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL [conn=7] Failure: no secret in database
I have a similar configuration to yours except that I use the authz-regexp
and authz-policy statements instead of what you have. I'm using version
2.4.15:
authz-regexp
    "uid=([^,]+),cn=([^,]+),cn=auth"
    ldap:///ou=people,dc=example,dc=net??one?(&(btcAltUid=$1)(!(btcAccountStatus=suspended)))
authz-policy to
(btcAltUID and btcAccountStatus are non-standard attributes)
This looks alarming:
access to * attrs=userPassword by self write by * write
I have (slightly modified):
access to
    attrs=userPassword,shadowLastChange,sambaPwdLastSet,sambaLMPassword,sambaNTPassword,krb5KeyVersionNumber,krb5Key
    by anonymous auth
    by self write
    by * none
--
Dan White
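
Added example, not part of the original message and not OpenLDAP code: a small Python model of how the authz-regexp rule quoted above turns a normalized SASL name into a one-level search, and why the result is "<nothing>" unless exactly one entry matches. The directory entries, the example.net realm and all function names are constructed for illustration; Python's re module stands in for slapd's regex matching.

```python
import re

# authz-regexp rule from the message above: (match pattern, replacement URL).
RULE = (r"uid=([^,]+),cn=([^,]+),cn=auth",
        "ldap:///ou=people,dc=example,dc=net??one?"
        "(&(btcAltUid=$1)(!(btcAccountStatus=suspended)))")
# Constructed sample entries; attribute names lowercased (LDAP names are case-insensitive).
DIRECTORY = {
    "cn=alice,ou=people,dc=example,dc=net": {"btcaltuid": ["alice@example.net"], "btcaccountstatus": ["active"]},
    "cn=bob,ou=people,dc=example,dc=net": {"btcaltuid": ["bob@example.net"], "btcaccountstatus": ["suspended"]},
}

def expand(sasl_dn):
    """Apply RULE to a normalized SASL name; return (base, scope, filter) or None."""
    m = re.search(RULE[0], sasl_dn, re.IGNORECASE)
    if not m:
        return None
    url = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), RULE[1])
    base, _attrs, scope, filt = url[len("ldap:///"):].split("?", 3)
    return base, scope, filt

def top_level(s):
    """Split '(a)(b(c))' into its top-level parenthesised parts."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        depth += (ch == "(") - (ch == ")")
        if depth == 0 and ch == ")":
            parts.append(s[start:i + 1])
            start = i + 1
    return parts

def matches(filt, entry):
    """Evaluate (&..), (!..), (attr=value); assumes case-insensitive value match."""
    body = filt[1:-1]
    if body[0] == "&":
        return all(matches(f, entry) for f in top_level(body[1:]))
    if body[0] == "!":
        return not matches(body[1:], entry)
    attr, _, value = body.partition("=")
    return value.lower() in (v.lower() for v in entry.get(attr.lower(), []))

def sasl_to_dn(sasl_dn):
    """Return the single mapped DN, or None (logged as 'Converted SASL name to <nothing>')."""
    search = expand(sasl_dn)
    if search is None:
        return None
    base, _scope, filt = search  # scope is 'one' in RULE: direct children of base only
    hits = [dn for dn, e in DIRECTORY.items()
            if dn.split(",", 1)[1] == base and matches(filt, e)]
    return hits[0] if len(hits) == 1 else None
```

Note that $1 captures everything up to the first comma, so with a uid of the form user@realm the attribute named in the filter has to hold the full user@realm string for the mapping to succeed.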