Re: sasl-regexp problems in 2.1.22 (bug found in servers/slapd/saslauthz.c:slap_parseURI())
Quoting Dieter Kluenter <dieter@dkluenter.de>:
> Why do you want to use krb5PrincipalName? Is there a particular
> reason?
> My saslRegexp maps uid to krb5 principal.
You (must!?) be using the 'uid' attribute in your object(s). I don't.
The only thing that's unique, and usable is the krb5PrincipalName.
> -.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-
> saslRegexp
> uid=(.*),cn=avci.de,cn=GSSAPI,cn=auth
> ldap:///o=avci,c=de??sub?uid=$1
> -.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
>
> -.-.-.-.-.-.-.-.-.-.-.-.-.
> dieter@marin:~> ldapwhoami
> SASL/GSSAPI authentication started
> SASL username: dieter@AVCI.DE
> SASL SSF: 56
> SASL installing layers
> dn:cn=dieter kluenter,ou=partner,o=avci,c=de
> -.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-
The problem in my case is the 'host' part of the URI. This is
not allowed according to the reply to an ITS I submitted. Without
the host part, it works fine!
----- s n i p -----
sasl-regexp uid=(.*),cn=(.*),cn=gssapi,cn=auth
ldap:///c=SE??sub?(krb5PrincipalName=$1@BAYOUR.COM)
[tuzjfi.tty2]$ ldapwhoami -h localhost
SASL/GSSAPI authentication started
SASL username: turbo@BAYOUR.COM
SASL SSF: 56
SASL installing layers
dn:cn=turbo fredriksson,ou=people,o=fredriksson,c=se
----- s n i p -----
Unfortunately, I can't use the second regexp variable ($2) here, because
it's lowercased internally and realms are/should be uppercased... This
should be configurable (is it, and I haven't found it? :)
Also, I can't use multiple root DNs (namingContexts) without writing
multiple sasl-regexps. That's just a minor nitpick, because I have
to update the config when adding a backend, so I could just as well
add the new sasl-regexp at the same time...
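
An added example, not part of the original message and not slapd's own code: a simplified Python model of the rewrite discussed above, usable for checking a sasl-regexp rule offline. It assumes the authentication DN is lowercased before matching (as the message reports) and that a URI with a host part is rejected (as the ITS reply stated); the function names and the sample DN are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Rule copied from the working configuration in the message.
PATTERN = r"uid=(.*),cn=(.*),cn=gssapi,cn=auth"
REPLACEMENT = "ldap:///c=SE??sub?(krb5PrincipalName=$1@BAYOUR.COM)"


def expand(pattern, replacement, authc_dn):
    """Apply one sasl-regexp rule; return the rewritten string or None."""
    # Assumption taken from the message: the DN is lowercased internally,
    # so every captured group ($1, $2, ...) is lowercase as well.
    dn = authc_dn.lower()
    m = re.search(pattern, dn, re.IGNORECASE)
    if m is None:
        return None

    def group(ref):
        n = int(ref.group(1))
        return m.group(n) if n <= m.re.groups else ""

    # Substitute $0..$9 with the matching capture group.
    return re.sub(r"\$(\d)", group, replacement)


def parse_search_uri(uri):
    """Split ldap:///base?attrs?scope?filter and refuse a host part."""
    if not uri.startswith("ldap://"):
        raise ValueError("not an LDAP URI: %r" % uri)
    hostport, _, rest = uri[len("ldap://"):].partition("/")
    if hostport:
        # The failure mode from the message: ldap://host/... is not accepted.
        raise ValueError("host part not allowed: %r" % hostport)
    base, _attrs, scope, filt = (rest.split("?") + ["", "", ""])[:4]
    return {
        "base": unquote(base),
        "scope": scope or "base",                       # RFC 4516 default
        "filter": unquote(filt) or "(objectClass=*)",   # RFC 4516 default
    }


if __name__ == "__main__":
    # Constructed authentication DN in the uid=<user>,cn=<realm>,cn=<mech>,cn=auth form.
    dn = "uid=turbo,cn=BAYOUR.COM,cn=GSSAPI,cn=auth"
    print(parse_search_uri(expand(PATTERN, REPLACEMENT, dn)))
    # Using $2 for the realm yields a lowercase realm in the filter.
    print(expand(PATTERN, "ldap:///c=SE??sub?(krb5PrincipalName=$1@$2)", dn))
```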