Re: ACL's for SASL compat.
ok,
I have a trace of what happens below; it seems that the authorization
DN is only "testuser" and not "uid=testuser+realm=schoenberg", so if I put
in:
access to dn="(uid=[a-zA-Z1-9]+),portalId=ADBE,ou=People,o=RedGorilla"
by dn="testuser" write
by dn="uid=[a-zA-Z1-9]+\+realm=SCHOENBERG" read
it works....
so the problem must be with the way I call ldapmodify:
/usr/local/bin/ldapmodify -Y DIGEST-MD5 -D "uid=testuser +
realm=schoenberg" -vvv -U testuser -W -f /tmp/modify.ldif
I have tried to use the -I option to specify an authorization id but it
just fails to authenticate me in that case.
Trace at bottom.
"Kurt D. Zeilenga" wrote:
> >
> >yes I used SASL binding, sorry if I was not clear, it does not work. I meant are there any
> >alternate ways to specify the ACL that would have the same effect. It does work with simple
> >binding.
>
> The authorization DN produced by the SASL code depends upon
> configuration, mechanisms used, etc.. Look at your logs
> (with TRACE enabled) and you'll see messages reporting the
> authorization DN:
> <== slap_sasl_bind: authzdn: "uid=kurt@OPENLDAP.ORG"
> or
> <== slap_sasl_bind: authzdn: "uid=kurt + realm=OPENLDAP.ORG"
>
> Then write regex's to match the normalized (s/ \+ /+/) DN.
> access to dn="(uid=[:alnum:]),dc=OpenLDAP,dc=Org"
> by dn="$1(\@OPENLDAP\.ORG|\+realm=OPENLDAP\.ORG)" write
> by dn="uid=[:alnum:](\@OPENLDAP\.ORG|\+realm=OPENLDAP\.ORG)" read
> access to *
> by dn="uid=[:alnum:](\@OPENLDAP\.ORG|\+realm=OPENLDAP\.ORG)" read
>
> (the above may contain typos or other minor errors as I only
> ran this through my built in, buggy regex parser).

Oct 4 14:41:41 schoenberg slapd[2317]: slapd starting
Oct 4 14:42:04 schoenberg slapd[2319]: connection_get(9)
Oct 4 14:42:04 schoenberg slapd[2321]: ==> sasl_bind: dn="uid=testuser
+ realm=schoenberg" mech=DIGEST-MD5 datalen=0
Oct 4 14:42:04 schoenberg slapd[2319]: connection_get(9)
Oct 4 14:42:04 schoenberg slapd[2321]: ==> sasl_bind: dn="uid=testuser
+ realm=schoenberg" mech=<continuing> datalen=299
Oct 4 14:42:04 schoenberg slapd[2319]: connection_get(9)
Oct 4 14:42:04 schoenberg slapd[2321]: ==> sasl_bind: dn="uid=testuser
+ realm=schoenberg" mech=<continuing> datalen=0
Oct 4 14:42:04 schoenberg slapd[2321]: SASL Authorize [conn=0]:
authcid="testuser" authzid="testuser"
Oct 4 14:42:04 schoenberg slapd[2319]: connection_get(9)
Oct 4 14:42:04 schoenberg slapd[2321]: do_modify: dn
(uid=testuser,portalId=ADBE,ou=People,o=RedGorilla)
Oct 4 14:42:04 schoenberg slapd[2321]: modifications:
Oct 4 14:42:04 schoenberg slapd[2321]: ^Ireplace: sn
Oct 4 14:42:04 schoenberg slapd[2321]: ldbm_cache_open (blksize 4096)
(maxids 1022) (maxindirect 9)
Oct 4 14:42:04 schoenberg slapd[2321]: ldbm_cache_open (blksize 4096)
(maxids 1022) (maxindirect 9)
Oct 4 14:42:04 schoenberg slapd[2321]: entry_rdwr_rlock: ID: 13
Oct 4 14:42:04 schoenberg slapd[2321]: entry_rdwr_runlock: ID: 13
Oct 4 14:42:04 schoenberg slapd[2321]: ldbm_back_modify:
Oct 4 14:42:04 schoenberg slapd[2321]: entry_rdwr_wtrylock: ID: 13
Oct 4 14:42:04 schoenberg slapd[2321]: send_ldap_result: 50::
Oct 4 14:42:04 schoenberg slapd[2321]: entry_rdwr_wunlock: ID: 13
cheers,
-Marc
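To make the mismatch in the trace above concrete, here is a small model of how slapd's regex ACLs select an access level for a SASL-derived authorization DN. This is an added example written for this message, not code from the thread or from OpenLDAP itself. It assumes the behaviour Kurt describes (normalize " + " to "+", then match the "to" and "by" dn regexes, with $1 expanded from the "to" match), and it further assumes patterns are matched case-insensitively and against the whole DN; `[a-zA-Z0-9]+` stands in for the `[:alnum:]` class because Python's re has no POSIX classes. The ACL and DNs are constructed from the ones discussed in the thread.

```python
import re

# Constructed ACL modelled on the thread's examples (not the server's real config).
# "to" is a regex over the target entry DN; each "by" entry is (subject-DN regex, access level).
# $1..$9 inside a "by" pattern refer to capture groups of the "to" pattern.
ACL = [
    {
        "to": r"(uid=[a-zA-Z0-9]+),portalId=ADBE,ou=People,o=RedGorilla",
        "by": [
            (r"$1\+realm=SCHOENBERG", "write"),               # the user's own entry
            (r"uid=[a-zA-Z0-9]+\+realm=SCHOENBERG", "read"),  # anyone else in the realm
        ],
    },
    {"to": r".*", "by": [(r"uid=[a-zA-Z0-9]+\+realm=SCHOENBERG", "read")]},
]

# Access levels in increasing order of privilege (subset of slapd's ladder).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def normalize_dn(dn: str) -> str:
    """Collapse whitespace around '+' between RDN components (the s/ \\+ /+/ step)."""
    return re.sub(r"\s*\+\s*", "+", dn.strip())

def expand_backrefs(pattern: str, groups) -> str:
    """Replace $1..$9 with the matching capture group of the 'to' match.

    The group text is regex-escaped so that a DN containing regex metacharacters
    cannot rewrite the 'by' pattern. That is a hardening choice in this model; it is
    an assumption, not a statement about how the real server expands $1."""
    def sub(m):
        idx = int(m.group(1)) - 1
        value = groups[idx] if idx < len(groups) else None
        return re.escape(value or "")
    return re.sub(r"\$([1-9])", sub, pattern)

def evaluate(acl, target_dn: str, authz_dn: str) -> str:
    """Return the access level authz_dn gets on target_dn.

    The first 'access to' clause whose target regex matches is selected; within it the
    first matching 'by' wins; a selected clause with no matching 'by' yields 'none'.
    Assumption of this model: case-insensitive matching, anchored to the whole DN."""
    target = normalize_dn(target_dn)
    subject = normalize_dn(authz_dn)
    for clause in acl:
        m = re.fullmatch(clause["to"], target, re.IGNORECASE)
        if not m:
            continue
        for by_pattern, level in clause["by"]:
            pat = expand_backrefs(by_pattern, m.groups())
            if re.fullmatch(pat, subject, re.IGNORECASE):
                return level
        return "none"
    return "none"

def can(acl, target_dn: str, authz_dn: str, needed: str) -> bool:
    """True if the granted level is at least the needed one."""
    return LEVELS.index(evaluate(acl, target_dn, authz_dn)) >= LEVELS.index(needed)

TARGET = "uid=testuser,portalId=ADBE,ou=People,o=RedGorilla"

if __name__ == "__main__":
    # The authorization DN slapd reports in the trace above: bare "testuser".
    # Neither 'by' pattern matches it, so the modify is refused.
    print(evaluate(ACL, TARGET, "testuser"))
    # The DN form the ACL was written for, spelled the way the bind line prints it.
    print(evaluate(ACL, TARGET, "uid=testuser + realm=schoenberg"))
    # A different user of the same realm only gets read on this entry.
    print(evaluate(ACL, TARGET, "uid=otheruser+realm=schoenberg"))
```

Running it shows why the write fails: with "testuser" as the subject the first clause is selected (the target matches) but no "by" line matches, so the result is "none" rather than falling through to a later clause. Feeding the same function the authorization DN you see in your own `slap_sasl_bind: authzdn:` log line is a quick way to check an ACL before restarting slapd.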