--- "Kurt D. Zeilenga" <[EMAIL PROTECTED]> wrote:

> At 10:56 PM 6/30/2005, jay alvarez wrote:
> >And as you've said...
> >
> >> As far as your question regarding "users",
> >> slapd-access(5) says:
> >> The keyword users means access is granted to
> >> authenticated clients.
> >
> >so, when I'm using sasl/gssapi for authentication, it
> >goes without saying that I'm already authenticated,
> >right?
>
> No. In fact, the client never even got far enough
> to attempt a SASL/GSSAPI authentication exchange.
> It failed trying to anonymously discover the SASL
> mechanisms the server supports.
>
> > What's with that "no more <who> clauses"??
>
> It means that no <who> clause in your access statement
> matched the subject, anonymous. That is, users !=
> anonymous. Hence, no access was allowed.
>
> You have two choices, either don't use LDAP's SASL
> mechanism discovery mechanism, e.g., use ldapsearch(1)'s
> -Y to select what mechanism to use, or allow anonymous
> enough access to accomplish mechanism discovery, e.g.,
> read access to (all or select portions of) the root
> DSE.

Ok, that explains it all. I guess that's why most of the access list examples available on the web start with an access rule for dn="". Anyway, I tried them both and they both worked. I even investigated debug.log and found some interesting differences in those three situations.

Thanks Kurt! You're the best!!

> Kurt
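Added example, not part of the original thread and not OpenLDAP code: a simplified Python model of how slapd walks `access to` directives, showing why an anonymous read of the root DSE ends in "no more <who> clauses" under a users-only rule and succeeds once a rule for the empty DN comes first. The two ACL strings, the function names and the DNs used with them are constructed for illustration; the poster's real configuration is not shown in the thread.

```python
# Simplified model of slapd access evaluation; an illustration, not OpenLDAP code.
# Handles only <what> of * or dn.base="...", and <who> of *, anonymous, users.
import re

LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Constructed ACLs (assumptions): one lists only "users", one opens the root DSE first.
USERS_ONLY = 'access to * by users read'
WITH_ROOT_DSE = 'access to dn.base="" by * read\naccess to * by users read'

def parse_acl(text):
    """Parse 'access to <what> by <who> <level> ...' directives, in order."""
    rules = []
    for directive in re.split(r"(?m)^(?=access\s+to\s)", text):
        tokens = directive.split()
        if len(tokens) < 3:
            continue
        bys = [(tokens[i + 1], tokens[i + 2])
               for i in range(3, len(tokens) - 2) if tokens[i] == "by"]
        rules.append((tokens[2], bys))
    return rules

def what_matches(what, dn):
    if what == "*":
        return True
    m = re.fullmatch(r'dn\.base="(.*)"', what)
    return bool(m) and m.group(1).lower() == dn.lower()

def who_matches(who, bind_dn):
    # An empty bind DN is the anonymous subject; "users" means authenticated only.
    return {"*": True, "anonymous": bind_dn == "", "users": bind_dn != ""}.get(who, False)

def check(rules, bind_dn, target_dn, wanted):
    """Return (granted, reason) for bind_dn requesting `wanted` on target_dn."""
    for what, bys in rules:
        if not what_matches(what, target_dn):
            continue                      # only the first matching <what> is used
        for who, level in bys:
            if who_matches(who, bind_dn):  # first matching <who> decides
                ok = LEVELS.index(level) >= LEVELS.index(wanted)
                return ok, f"by {who} {level}"
        return False, "no more <who> clauses"     # implicit "by * none"
    return False, "no matching access directive"  # implicit "access to * by * none"

def discovery(acl_text):
    """Anonymous read of the root DSE (DN ""), as done for SASL mechanism discovery."""
    return check(parse_acl(acl_text), "", "", "read")
```

With the root DSE rule in place, anonymous clients still get nothing from the rest of the tree, because the second directive continues to list only `users`.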
