
Re: ACL's for SASL compat.



ok,

	I have a trace of what happens below; it seems that the authorization
DN is only "testuser" and not "uid=testuser+realm=schoenberg", so if I put
in:

access to dn="(uid=[a-zA-Z1-9]+),portalId=ADBE,ou=People,o=RedGorilla"
        by dn="testuser" write
        by dn="uid=[a-zA-Z1-9]+\+realm=SCHOENBERG" read

it works....

so the problem must be with the way I call ldapmodify:

/usr/local/bin/ldapmodify -Y DIGEST-MD5 -D "uid=testuser + realm=schoenberg" -vvv -U testuser -W -f /tmp/modify.ldif

I have tried to use the -I option to specify an authorization id but it
just fails to authenticate me in that case. 

Trace at bottom.


"Kurt D. Zeilenga" wrote:
> >
> >yes I used SASL binding, sorry if I was not clear, it does not work. I meant are there any
> >alternate ways to specify the ACL that would have the same effect. It does work with simple
> >binding.
> 
> The authorization DN produced by the SASL code depends upon
> configuration, mechanisms used, etc..   Look at your logs
> (with TRACE enabled) and you'll see messages reporting the
> authorization DN:
>   <== slap_sasl_bind: authzdn: "uid=kurt@OPENLDAP.ORG"
> or
>   <== slap_sasl_bind: authzdn: "uid=kurt + realm=OPENLDAP.ORG"
> 
> Then write regex's to match the normalized (s/ \+ /+/) DN.
>   access to dn="(uid=[:alnum:]),dc=OpenLDAP,dc=Org"
>     by dn="$1(\@OPENLDAP\.ORG|\+realm=OPENLDAP\.ORG)" write
>     by dn="uid=[:alnum:](\@OPENLDAP\.ORG|\+realm=OPENLDAP\.ORG)" read
>   access to *
>     by dn="uid=[:alnum:](\@OPENLDAP\.ORG|\+realm=OPENLDAP\.ORG)" read
> 
> (the above may contain typos or other minor errors as I only
> ran this through my built in, buggy regex parser).

Oct  4 14:41:41 schoenberg slapd[2317]: slapd starting
Oct  4 14:42:04 schoenberg slapd[2319]: connection_get(9)
Oct  4 14:42:04 schoenberg slapd[2321]: ==> sasl_bind: dn="uid=testuser + realm=schoenberg" mech=DIGEST-MD5 datalen=0
Oct  4 14:42:04 schoenberg slapd[2319]: connection_get(9)
Oct  4 14:42:04 schoenberg slapd[2321]: ==> sasl_bind: dn="uid=testuser + realm=schoenberg" mech=<continuing> datalen=299
Oct  4 14:42:04 schoenberg slapd[2319]: connection_get(9)
Oct  4 14:42:04 schoenberg slapd[2321]: ==> sasl_bind: dn="uid=testuser + realm=schoenberg" mech=<continuing> datalen=0
Oct  4 14:42:04 schoenberg slapd[2321]: SASL Authorize [conn=0]: authcid="testuser" authzid="testuser"
Oct  4 14:42:04 schoenberg slapd[2319]: connection_get(9)
Oct  4 14:42:04 schoenberg slapd[2321]: do_modify: dn (uid=testuser,portalId=ADBE,ou=People,o=RedGorilla)
Oct  4 14:42:04 schoenberg slapd[2321]: modifications:
Oct  4 14:42:04 schoenberg slapd[2321]: ^Ireplace: sn
Oct  4 14:42:04 schoenberg slapd[2321]: ldbm_cache_open (blksize 4096) (maxids 1022) (maxindirect 9)
Oct  4 14:42:04 schoenberg slapd[2321]: ldbm_cache_open (blksize 4096) (maxids 1022) (maxindirect 9)
Oct  4 14:42:04 schoenberg slapd[2321]: entry_rdwr_rlock: ID: 13
Oct  4 14:42:04 schoenberg slapd[2321]: entry_rdwr_runlock: ID: 13
Oct  4 14:42:04 schoenberg slapd[2321]: ldbm_back_modify:
Oct  4 14:42:04 schoenberg slapd[2321]: entry_rdwr_wtrylock: ID: 13
Oct  4 14:42:04 schoenberg slapd[2321]: send_ldap_result: 50::
Oct  4 14:42:04 schoenberg slapd[2321]: entry_rdwr_wunlock: ID: 13

	cheers,

	-Marc
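A small model of how the regex-style ACL in this thread evaluates, added here as an example that is not part of the thread or of slapd's own acl.c: it applies the s/ \+ /+/ normalization Kurt describes to the logged authzdn, expands $1 from the "access to" clause into the "by dn" patterns, and shows that the bare authzid "testuser" reported in the trace matches neither realm-qualified pattern, which is why only `by dn="testuser"` grants the modify. It assumes (not stated on the page) that slapd matches DN regexes against the whole DN and case-insensitively, and spells Kurt's [:alnum:] as [A-Za-z0-9]+ because Python's re has no bare POSIX classes.

```python
import re

# Constructed model of the ACL from the thread: the "what" clause (with its
# capture group) and the ordered "by" clauses, each with the level it grants.
ACL = {
    "what": r"(uid=[A-Za-z0-9]+),portalId=ADBE,ou=People,o=RedGorilla",
    "by": [
        (r"$1(\@OPENLDAP\.ORG|\+realm=SCHOENBERG)", "write"),
        (r"uid=[A-Za-z0-9]+(\@OPENLDAP\.ORG|\+realm=SCHOENBERG)", "read"),
    ],
}

def normalize_authz_dn(dn):
    """Kurt's normalization: the logged 'uid=x + realm=y' becomes 'uid=x+realm=y'."""
    return re.sub(r" \+ ", "+", dn)

def expand_backrefs(pattern, what_match):
    """Substitute $1, $2, ... in a 'by dn' pattern with the groups captured by
    the 'access to dn' regex, escaped so the captured text matches literally."""
    return re.sub(r"\$(\d+)",
                  lambda m: re.escape(what_match.group(int(m.group(1)))),
                  pattern)

def access_granted(target_dn, authz_dn):
    """Return the level granted by the first 'by' clause whose DN regex matches
    the normalized authorization DN, or None when no clause matches.
    Assumption: whole-DN, case-insensitive matching (not stated on the page)."""
    what = re.fullmatch(ACL["what"], target_dn, re.IGNORECASE)
    if not what:
        return None
    dn = normalize_authz_dn(authz_dn)
    for pattern, level in ACL["by"]:
        if re.fullmatch(expand_backrefs(pattern, what), dn, re.IGNORECASE):
            return level
    return None

TARGET = "uid=testuser,portalId=ADBE,ou=People,o=RedGorilla"

if __name__ == "__main__":
    # Candidate authorization DNs: the bare authzid from the trace, the DN
    # form passed to -D, and a realm-qualified DN of a different user.
    for who in ("testuser", "uid=testuser + realm=schoenberg",
                "uid=other + realm=schoenberg"):
        print(f"{who!r:40} -> {access_granted(TARGET, who)}")
```

The first line of output is `None`: an authzid of just "testuser" never reaches a "uid=...+realm=..." pattern, so the fix has to be on the bind side (the authorization DN slapd derives), not in the ACL regex.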