David Wright wrote on Wed, Apr 10, 2002 at 01:41:39AM -0700:
> 
> >>Finally, Birger, what's "really creative" about
> >>
> >> by self write
> >> by anonymous auth
> >> by * none
> >>
> >>?
> >
> >So how do we get these toys together if one 
> >
> > 1. is going to protect user information based on "by self write" - you
> >    first have to see what "self" is! - and
> >
> > 2. has, to facilitate 1., authenticate someone based on user information
> >
> >which will always result in a request loop?
> 
> Umm, I don't know whether what you said went completely over my head or 
> whether what I said went completely over your head.
> 
> The ACLs that I wrote are literal (the characters s-e-l-f appear in 
> slapd.conf) and work as advertised. When you bind to LDAP, you specify 
> your dn and userPassword. That tells ldap who "self" is, and if the 
> userPassword matches, it believes you. No "request loop" occurs. End of 
> story.

I know the "self" in LDAP, I said I do it myself same way.  What I spoke
of is the scenario where LDAP authenticates binds with SASL, so "self"
has still to be determined by the LDAP server within this process.  It
requests SASL to validate "self" (i.e. the "dn" that represents it) which
will ask the LDAP which will ask SASL which will ask LDAP which will...

You see?  Iff you want to protect authenticated binds to our LDAP with
an authentication mechanism facility like SASL and SASL has to get user
information out of LDAP to do its task, you have a problem.


Regards,

Birger
