>> Finally, Birger, what's "really creative" about
>>
>>     by self write
>>     by anonymous auth
>>     by * none
>>
>> ?
>
> So how do we get these toys together if one
>
> 1. is going to protect user information based on "by self write" - you
>    first have to see what "self" is! - and
>
> 2. has, to facilitate 1., authenticate someone based on user information
>
> which will always result in a request loop?
Umm, I don't know whether what you said went completely over my head or whether what I said went completely over your head. The ACLs that I wrote are literal (the characters s-e-l-f appear in slapd.conf) and work as advertised. When you bind to LDAP, you specify your dn and userPassword. That tells ldap who "self" is, and if the userPassword matches, it believes you. No "request loop" occurs. End of story. Of course, in this non-SASL scenario, you lose flexibility in the ways you can authenticate yourself to the LDAP server. But someone using this scenario has already bought the philosophy that the LDAP server will be the password store, so he hasn't lost anything. (Anyone wanting an even more serious security backend could use Kerberos without SASL, too.) Once you accept LDAP as a backend, you can use a security layer (e.g. SASL or PAM) to allow other applications to authenticate off it.
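To make the reply's point concrete, here is an added toy model (written for this page, not OpenLDAP code and not from either poster) of how slapd evaluates the quoted ACL: the bind starts out anonymous, "by anonymous auth" grants just enough access to compare the supplied password against userPassword without reading it, and once the compare succeeds the bound dn is what "self" refers to. The entries and passwords are constructed, and the first-matching-clause evaluation is a simplification of slapd's real access control.

```python
import hmac

# Access levels in slapd's order; a granted level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The ACL from the thread, applied to userPassword. First matching "by" wins.
ACL = [("self", "write"), ("anonymous", "auth"), ("*", "none")]

# Constructed in-memory stand-in for the directory (not a real DIT).
DIRECTORY = {
    "uid=alice,dc=example,dc=com": {"userPassword": "alice-secret"},
    "uid=bob,dc=example,dc=com": {"userPassword": "bob-secret"},
}

def who_matches(clause, requester_dn, target_dn):
    """Anonymous is the empty dn; 'self' means the bound dn is the target dn."""
    if clause == "*":
        return True
    if clause == "anonymous":
        return requester_dn == ""
    if clause == "self":
        return requester_dn != "" and requester_dn == target_dn
    return False

def granted_level(requester_dn, target_dn):
    for who, level in ACL:
        if who_matches(who, requester_dn, target_dn):
            return level
    return "none"

def has_access(requester_dn, target_dn, needed):
    return LEVELS.index(granted_level(requester_dn, target_dn)) >= LEVELS.index(needed)

def simple_bind(dn, password):
    """Returns the bound dn, or "" if the connection stays anonymous.
    The requester is still anonymous here, so only 'auth' is checked: the
    server compares the password itself and never hands it out, hence no loop."""
    entry = DIRECTORY.get(dn)
    if entry is None or not has_access("", dn, "auth"):
        return ""
    ok = hmac.compare_digest(entry["userPassword"].encode(), password.encode())
    return dn if ok else ""

def can_modify_password(bound_dn, target_dn):
    """After binding, 'self' resolves to bound_dn; everyone else falls to 'by * none'."""
    return has_access(bound_dn, target_dn, "write")
```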