[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#3396) slapd crash during SASL Canonicalize

Its not crashing anymore but it doesn't seem to be properly converting
the principal either:

Nov 16 13:41:34 husky slapd[5285]: conn=4 op=3 BIND
authcid="digant@CEDAR.UTA.EDU"
Nov 16 13:41:34 husky slapd[5285]: conn=4 op=3 BIND
dn="uid=digant,cn=cedar.uta.edu,cn=gssapi,cn=auth" mech=GSSAPI ssf=56


On Tue, 2004-11-16 at 12:04, ando@sys-net.it wrote:
> >> sasl-secprops none
> >> sasl-realm "CEDAR.UTA.EDU"
> >> sasl-host husky.cedar.uta.edu
> >> sasl-regexp uid=service/nss/(.*),cn=CEDAR.UTA.EDU,cn=gssapi,cn=auth
> >> ldaps:///cn=$1,cn=nss,cn=services,dc=uta,dc=edu
> >> sasl-regexp uid=service/(.*),cn=CEDAR.UTA.EDU,cn=gssapi,cn=auth
> >> ldaps:///cn=$1,cn=services,dc=uta,dc=edu
> >> sasl-regexp uid=(.*),cn=CEDAR.UTA.EDU,cn=gssapi,cn=auth
> >> ldaps:///uid=$1,cn=accounts,dc=uta,dc=edu
> >
> > I think I've found the problem, which could be related to a bug in authz
> > mapping in slapd.  I'll fix it in a moment in HEAD; but it can be easily
> > worked around by changing your sasl-regexp directives.  Please try the
> > following and report the result:
> >
> > sasl-regexp "^uid=service/nss/(.*),cn=CEDAR\.UTA\.EDU,cn=gssapi,cn=auth$"
> >         "dn:cn=$1,cn=nss,cn=services,dc=uta,dc=edu"
> > sasl-regexp "^uid=service/(.*),cn=CEDAR\.UTA\.EDU,cn=gssapi,cn=auth$"
> >         "dn:cn=$1,cn=services,dc=uta,dc=edu"
> > sasl-regexp "^uid=(.*),cn=CEDAR\.UTA\.EDU,cn=gssapi,cn=auth$"
> >         "dn:uid=$1,cn=accounts,dc=uta,dc=edu"
> 
> Or, if for any reason you want the internal search to occur, use a
> complete filter definition in the URIs, i.e. something like
> 
> sasl-regexp "^uid=service/nss/(.*),cn=CEDAR\.UTA\.EDU,cn=gssapi,cn=auth$"
>         "ldap:///cn=$1,cn=nss,cn=services,dc=uta,dc=edu??base?(objectClass=*)"
> sasl-regexp "^uid=service/(.*),cn=CEDAR\.UTA\.EDU,cn=gssapi,cn=auth$"
>         "ldap:///cn=$1,cn=services,dc=uta,dc=edu??base?(objectClass=*)"
> sasl-regexp "^uid=(.*),cn=CEDAR\.UTA\.EDU,cn=gssapi,cn=auth$"
>         "ldap:///uid=$1,cn=accounts,dc=uta,dc=edu??base?(objectClass=*)"
> 
> p.