Re: Anonymously binding despite '-U ....' to ldapsearch
>>>>> "Howard" == Howard Chu <hyc@highlandsun.com> writes:
Howard> Judging from your ACLs, you're still using the old format
Howard> for SASL DNs. See the 2.1 Admin Guide for details on the
Howard> new SASL DN format.
Howard> In OpenLDAP 2.1.12, the SASL authorization DN is logged
Howard> with AUTHZ keyword instead of BIND. This inconsistency has
Howard> been fixed in 2.1.13, using BIND throughout. So, one of
Howard> the reasons you're not seeing the DN you expect is because
Howard> you're grepping for the wrong log message.
I found out that using:
----- s n i p -----
sasl-regexp
uid=(.*),cn=bayour.com,cn=gssapi,cn=auth
uid=$1,ou=People,dc=bayour,dc=com
[...]
access to * by dn="uid=turbo,ou=People,dc=bayour,dc=com" write
----- s n i p -----
gave the attribute I was looking for. Now I come to the more
difficult one (I really _HATE_ regexp :). My users are also
located under other branches than 'dc=bayour.com'. How would
I write a sasl-regexp that will catch this?
Example:
----- s n i p -----
dn: uid=malin,ou=People,dc=sundqvist,dc=com
access to '.*,dc=sundqvist,dc=com'
access to '.*,dc=fredriksson,dc=com'
access to '.*,dc=bayour,dc=com'
dn: uid=jonathan,ou=People,dc=intelligence-5,dc=com
access to '.*,dc=intelligence-5,dc=com'
dn: uid=jens,ou=People,dc=agby,dc=com
access to '.*,dc=agby,dc=com'
----- s n i p -----
The 'uid=XXX' is the same as the Kerberos principal/username so
that might help things...
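An added illustration (not part of the original thread, and not OpenLDAP's own code): a small simulation of how a sasl-regexp rule rewrites the GSSAPI authentication DN and what the post's ACL then sees. It uses the rule, ACL and entry DNs quoted above; the whole-string anchoring and the "first matching rule wins" behaviour are assumptions of the simulation, and the set of existing entries is constructed from the post.

```python
import re
from typing import List, Optional, Tuple

# The single sasl-regexp rule from the post: (match pattern, replacement).
# In the replacement, $N stands for the N-th capture group of the pattern.
SASL_REGEXP_RULES: List[Tuple[str, str]] = [
    (r"uid=(.*),cn=bayour.com,cn=gssapi,cn=auth",
     "uid=$1,ou=People,dc=bayour,dc=com"),
]

# Constructed from the DNs quoted in the post: the entries that actually exist.
EXISTING_ENTRIES = {
    "uid=turbo,ou=People,dc=bayour,dc=com",
    "uid=malin,ou=People,dc=sundqvist,dc=com",
    "uid=jonathan,ou=People,dc=intelligence-5,dc=com",
    "uid=jens,ou=People,dc=agby,dc=com",
}

# The ACL from the post: 'access to * by dn="uid=turbo,..." write'.
ACL_WRITE_DN = "uid=turbo,ou=People,dc=bayour,dc=com"


def map_sasl_dn(sasl_dn: str, rules=SASL_REGEXP_RULES) -> Optional[str]:
    """Rewrite a SASL authentication DN with the first rule whose pattern
    matches the whole DN (simulation assumption). Returns None when no rule
    matches, i.e. the bind keeps its unmapped cn=auth identity."""
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, sasl_dn, flags=re.IGNORECASE)
        if m is None:
            continue
        # Expand $1, $2, ... from the capture groups of the match.
        return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), replacement)
    return None


def entry_exists(dn: Optional[str]) -> bool:
    """True if the mapped DN names a real entry (DN comparison is case-insensitive)."""
    return dn is not None and dn.lower() in {e.lower() for e in EXISTING_ENTRIES}


def acl_grants_write(dn: Optional[str]) -> bool:
    """The post's ACL grants write only to the one exact DN; everything else
    (including an unmapped or wrongly mapped identity) gets the default, none."""
    return dn is not None and dn.lower() == ACL_WRITE_DN.lower()
```

With this rule, turbo maps to an existing entry and the ACL matches, while malin (a real user under dc=sundqvist) is rewritten to a DN under dc=bayour that does not exist, so a `by dn=` clause can never match her.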