At 10:56 PM 6/30/2005, jay alvarez wrote:
>And as you've said...
>
>> As far as your question regarding "users",
>> slapd-access(5)
>> says:
>> The keyword users means access is granted to
>> authenticated clients.
>
>so, when I'm using sasl/gssapi for authentication, it
>goes without saying that I'm already authenticated,
>right?

No. In fact, the client never even got far enough to attempt a
SASL/GSSAPI authentication exchange. It failed trying to anonymously
discover the SASL mechanisms the server supports.

> What's with that "no more <who> clauses"??

It means that no <who> clause in your access statement matched the
subject, anonymous. That is, users != anonymous. Hence, no access
was allowed.

You have two choices: either don't use LDAP's SASL mechanism discovery
mechanism, e.g., use ldapsearch(1)'s -Y to select what mechanism to use,
or allow anonymous enough access to accomplish mechanism discovery,
e.g., read access to (all or select portions of) the root DSE.

Kurt
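As an added illustration of the second option Kurt describes (this fragment is not part of the thread and not OpenLDAP project code), here is a slapd.conf access section showing the ordering that produces "no more <who> clauses" for an anonymous root DSE read, followed by the rule that fixes it. The entry names and the surrounding directives are assumptions; only the access keywords come from slapd.access(5).

```conf
# Added example, not from the mailing-list thread.
#
# slapd evaluates "access to" clauses in order: the first one whose <what>
# matches the target entry is selected, then its "by" clauses are tried in
# order and the first matching <who> decides the result. If no <who>
# matches, access is denied and slapd logs "no more <who> clauses".

# --- Failing configuration ----------------------------------------------
# ldapsearch first reads supportedSASLMechanisms from the root DSE as an
# anonymous client. Here the only matching clause is "access to *", and
# "users" does not match anonymous, so the read is refused before the
# GSSAPI exchange ever starts.
#
# access to *
#         by users read
#         by * none

# --- Fixed configuration ------------------------------------------------
# 1. Anyone may read the root DSE (dn.base="" is the empty DN), which is
#    all that SASL mechanism discovery needs. To expose less, restrict
#    the clause further with attrs=, e.g.
#    attrs=supportedSASLMechanisms,supportedLDAPVersion,namingContexts
access to dn.base=""
        by * read

# 2. Everything else still requires an authenticated identity. This
#    clause must come AFTER the root-DSE rule; if it came first it would
#    match every entry and the root-DSE rule would never be reached.
access to *
        by users read
        by * none
```

If the directory is managed through cn=config rather than slapd.conf, the same two rules go into olcAccess values with the {0}/{1} ordering prefixes, in the same order. The first option, skipping discovery entirely, is simply `ldapsearch -Y GSSAPI ...`, which still needs no anonymous access to the root DSE.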
