sasl UID mapping
Hi,
I'm having problems with mapping SASL-authenticated users to DNs
with the RH openldap-servers-2.0.27-2.7.3 RPM.
I have a user, paul@JAKMA.ORG (strangely enough), who is
authenticated via GSSAPI (works fine). I map the SASL DN to a user
with the following sasl-regexps:
# uid=$1,ou=people,dc=jakma,dc=org
sasl-regexp
    uid="(.*),cn=jakma.org,cn=GSSAPI,cn=auth$"
    ldap://ou=people,dc=jakma,dc=org?dn?sub?krbName=$1@jakma.org
# uid=$1,ou=people,dc=jakma,dc=org
sasl-regexp
    uid="(.*),cn=GSSAPI,cn=auth$"
    ldap://ou=people,dc=jakma,dc=org?dn?sub?krbName=$1@jakma.org
In my ACLs I allow access to dn: uid=paul,ou=people,dc=jakma,dc=org
via an LDAP admin group:
dn: cn=ldapadmins,ou=ldapgroups,dc=jakma,dc=org
objectClass: top
objectClass: groupofnames
cn: LDAP Administrators
cn: Directory Administrators
member: cn=manager,dc=jakma,dc=org
member: uid=paul,ou=people,dc=jakma,dc=org
The problem I'm having at the moment is that this group does not work
because the ACLs are trying to match using 'by' of 'UID=PAUL':
Jan 11 22:52:02 hibernia slapd[29470]: => acl_mask: access to entry "uid=[redacted],ou=People,dc=jakma, dc=org", attr "objectClass" requested
Jan 11 22:52:02 hibernia slapd[29470]: => acl_mask: to all values by "UID=PAUL", (=n)
So we get, eg:
Jan 11 22:26:41 hibernia slapd[28531]: => acl_mask: access to entry "uid=paul,ou=People,dc=jakma, dc=org", attr "roomNumber" requested
Jan 11 22:26:41 hibernia slapd[28531]: => acl_mask: to value by "UID=PAUL", (=n)
Jan 11 22:26:41 hibernia slapd[28531]: => ldbm_back_group: found group: "CN=LDAPADMINS,OU=LDAPGROUPS,DC=JAKMA,DC=ORG"
Jan 11 22:26:41 hibernia slapd[28531]: <= ldbm_back_group: found objectClass groupOfNames and member
Jan 11 22:26:41 hibernia slapd[28531]: <= ldbm_back_group: "UID=PAUL" not in "CN=LDAPADMINS,OU=LDAPGROUPS,DC=JAKMA,DC=ORG": member
Which is due to this ACL:
access to dn.regex=".*,ou=People,dc=jakma,dc=org$"
    by group.exact="cn=ldapadmins,ou=ldapgroups,dc=jakma,dc=org" write
    by self read
    by users read
    by dn.regex="cn=(.*),ou=hosts,dc=jakma,dc=org$" read
    by anonymous auth
Why is it using UID=PAUL for the 'by' value, when, I thought, it
should be using the fully qualified DN, not the UID attribute? I
tried using a sasl-regexp that specified the dn as attribute to
return (see above), but it made no difference.
Is this a known feature/bug in SASL binds? And how do I fix it other
than by specifying 'uid=paul' in my groups (which seems a bit too
loose; I specifically want dn: uid=paul,ou=people,dc=jakma,dc=org)?
I have DNs in the cn=(.*),ou=hosts,dc=jakma,dc=org$ using simple
authentication which are processed with the full DN in 'by' in ACLs
(nss_ldap), so is this a SASL mapping problem?
NB: I can post full config information later if needs be, if more
information is needed.
Thanks in advance.
regards,
--
Paul Jakma paul@clubi.ie paul@jakma.org Key ID: 64A2FF6A
warning: do not ever send email to spam@dishone.st
Fortune:
We cannot do everything at once, but we can do something at once.
-- Calvin Coolidge
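As an added illustration (not part of the post above or of OpenLDAP's own code): the rewrite the two sasl-regexp directives perform on a SASL authentication DN, followed by the group.exact comparison the ACL then makes, modelled in Python against a constructed one-entry directory. Case-insensitive regex matching and the in-memory krbName lookup are assumptions of this model, not slapd's implementation.

```python
import re

# Added example, not from the original post: a model of how the two
# sasl-regexp rules quoted in the post rewrite a SASL authentication DN,
# and how a group.exact ACL then compares the resulting bind DN with the
# group's member values. All data here is constructed.
SASL_REGEXPS = [
    (r'uid=(.*),cn=jakma.org,cn=GSSAPI,cn=auth$',
     r'ldap://ou=people,dc=jakma,dc=org?dn?sub?krbName=\1@jakma.org'),
    (r'uid=(.*),cn=GSSAPI,cn=auth$',
     r'ldap://ou=people,dc=jakma,dc=org?dn?sub?krbName=\1@jakma.org'),
]
# Stand-in for the ou=people subtree: entry DN -> krbName value.
DIRECTORY = {'uid=paul,ou=people,dc=jakma,dc=org': 'paul@jakma.org'}
# member values of cn=ldapadmins,ou=ldapgroups,dc=jakma,dc=org from the post
GROUP_MEMBERS = ['cn=manager,dc=jakma,dc=org',
                 'uid=paul,ou=people,dc=jakma,dc=org']

def map_sasl_dn(auth_dn):
    """Apply the rules in order; return the mapped DN, or None if no rule
    matches or the ldap:// search does not yield exactly one entry.
    Case-insensitive matching is an assumption of this model."""
    for pattern, replacement in SASL_REGEXPS:
        m = re.match(pattern, auth_dn, re.IGNORECASE)
        if not m:
            continue
        target = m.expand(replacement)   # \1 plays the role of $1
        if not target.lower().startswith('ldap://'):
            return target                # plain DN template, used as-is
        # ldap://<base>?<attrs>?<scope>?<filter>, filter is krbName=<value>
        attr, _, value = target.split('?')[3].partition('=')
        hits = [dn for dn, krb in DIRECTORY.items()
                if attr.lower() == 'krbname' and krb.lower() == value.lower()]
        return hits[0] if len(hits) == 1 else None
    return None

def normalize_dn(dn):
    """Upper-case and strip whitespace around commas, as the slapd log
    lines show DNs being compared."""
    return ','.join(part.strip() for part in dn.split(',')).upper()

def in_group(bind_dn, members=GROUP_MEMBERS):
    """group.exact test: the whole normalised bind DN must equal a member
    value; a bare uid=paul is a different DN, not just a case mismatch."""
    return normalize_dn(bind_dn) in {normalize_dn(m) for m in members}
```

Feeding the log's bare "UID=PAUL" into in_group() fails for the same reason slapd reports, while the fully mapped DN passes.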