
sasl UID mapping



Hi,

I'm having problems with mapping of SASL-authenticated users to DNs
with the RH openldap-servers-2.0.27-2.7.3 RPM.

I have a user, paul@JAKMA.ORG (strangely enough), who is
authenticated via GSSAPI (works fine). I map the SASL DN to a user
with the following sasl-regexps:

sasl-regexp
 uid="(.*),cn=jakma.org,cn=GSSAPI,cn=auth$"
# uid=$1,ou=people,dc=jakma,dc=org
 ldap://ou=people,dc=jakma,dc=org?dn?sub?krbName=$1@jakma.org
sasl-regexp
 uid="(.*),cn=GSSAPI,cn=auth$"
# uid=$1,ou=people,dc=jakma,dc=org
 ldap://ou=people,dc=jakma,dc=org?dn?sub?krbName=$1@jakma.org

In my ACLs I allow access to dn: uid=paul,ou=people,dc=jakma,dc=org 
via an LDAP admin group:

dn: cn=ldapadmins,ou=ldapgroups,dc=jakma,dc=org
objectClass: top
objectClass: groupofnames
cn: LDAP Administrators
cn: Directory Administrators
member: cn=manager,dc=jakma,dc=org
member: uid=paul,ou=people,dc=jakma,dc=org

The problem I'm having at the moment is that this group does not work 
because the ACLs are trying to match using 'by' of 'UID=PAUL':

Jan 11 22:52:02 hibernia slapd[29470]: => acl_mask: access to entry
"uid=[redacted],ou=People,dc=jakma, dc=org", attr "objectClass"  requested 
Jan 11 22:52:02 hibernia slapd[29470]: => acl_mask: to all
values by "UID=PAUL", (=n)  

So we get, eg:

Jan 11 22:26:41 hibernia slapd[28531]: => acl_mask: access to entry 
"uid=paul,ou=People,dc=jakma, dc=org", attr "roomNumber" requested 
Jan 11 22:26:41 hibernia slapd[28531]: => acl_mask: to value by 
"UID=PAUL", (=n)
Jan 11 22:26:41 hibernia slapd[28531]: => ldbm_back_group: found 
group: "CN=LDAPADMINS,OU=LDAPGROUPS,DC=JAKMA,DC=ORG" 
Jan 11 22:26:41 hibernia slapd[28531]: <= ldbm_back_group: found 
objectClass groupOfNames and member 
Jan 11 22:26:41 hibernia slapd[28531]: <= ldbm_back_group: "UID=PAUL" 
not in "CN=LDAPADMINS,OU=LDAPGROUPS,DC=JAKMA,DC=ORG": member 

Which is due to this ACL:

access to dn.regex=".*,ou=People,dc=jakma,dc=org$"
        by group.exact="cn=ldapadmins,ou=ldapgroups,dc=jakma,dc=org" write
        by self read
        by users read
        by dn.regex="cn=(.*),ou=hosts,dc=jakma,dc=org$" read
        by anonymous auth

Why is it using UID=PAUL for the 'by' value, when, I thought, it
should be using the fully qualified DN, not the UID attribute? I
tried using a sasl-regexp that specified the dn as attribute to
return (see above), but it made no difference.

Is this a known feature/bug in SASL binds? And how do I fix it other
than by specifying 'uid=paul' in my groups (which seems a bit too
loose; I specifically want dn: uid=paul,ou=people,dc=jakma,dc=org)?

I have DNs in the cn=(.*),ou=hosts,dc=jakma,dc=org$ using simple
authentication which are processed with the full DN in 'by' in ACLs
(nss_ldap), so is this a SASL mapping problem?

NB: I can post full config information later if needs be, if more
information is needed.

Thanks in advance.

regards,
-- 
Paul Jakma	paul@clubi.ie	paul@jakma.org	Key ID: 64A2FF6A
	warning: do not ever send email to spam@dishone.st
Fortune:
We cannot do everything at once, but we can do something at once.
		-- Calvin Coolidge
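The following is an added illustration, not part of the post above and not OpenLDAP's code. It is a small Python model of what the two sasl-regexp rules in the post are meant to do: match the SASL authorization identity, substitute $1 into the ldap:// URL, run that search (here against a constructed in-memory directory, assumed for the example), require exactly one hit, and then check the resulting full DN against the groupOfNames members with a case- and whitespace-insensitive DN comparison. It also shows why a bare "UID=PAUL", as seen in the log, can never match the member line uid=paul,ou=people,dc=jakma,dc=org. DN normalisation here is deliberately simplified (no attribute-value escaping).

```python
import re
from typing import Dict, List, Optional, Tuple

# The two sasl-regexp rules from the post, as (pattern, replacement) pairs.
# "$1" stands for the first capture group, as in slapd.conf.
SASL_REGEXPS: List[Tuple[str, str]] = [
    (r"^uid=(.*),cn=jakma.org,cn=GSSAPI,cn=auth$",
     "ldap://ou=people,dc=jakma,dc=org?dn?sub?krbName=$1@jakma.org"),
    (r"^uid=(.*),cn=GSSAPI,cn=auth$",
     "ldap://ou=people,dc=jakma,dc=org?dn?sub?krbName=$1@jakma.org"),
]

GROUP_DN = "cn=ldapadmins,ou=ldapgroups,dc=jakma,dc=org"

# Constructed sample directory (assumption for this example): the user entry
# from the post, a second user, and the admin group from the post.
DIRECTORY: List[Dict[str, List[str]]] = [
    {"dn": ["uid=paul,ou=People,dc=jakma, dc=org"],
     "objectClass": ["person"], "uid": ["paul"], "krbName": ["paul@jakma.org"]},
    {"dn": ["uid=alice,ou=People,dc=jakma,dc=org"],
     "objectClass": ["person"], "uid": ["alice"], "krbName": ["alice@jakma.org"]},
    {"dn": [GROUP_DN],
     "objectClass": ["top", "groupOfNames"],
     "member": ["cn=manager,dc=jakma,dc=org",
                "uid=paul,ou=people,dc=jakma,dc=org"]},
]


def normalize_dn(dn: str) -> str:
    """Case-fold and strip spaces around RDN separators so that
    'uid=paul,ou=People,dc=jakma, dc=org' and 'UID=PAUL,OU=PEOPLE,DC=JAKMA,DC=ORG'
    compare equal. (Simplified: ignores escaping and attribute syntaxes.)"""
    return ",".join(part.strip().lower() for part in dn.split(","))


def map_authzid(authzid: str) -> Optional[str]:
    """Apply the sasl-regexp rules in order; return the first rewritten
    result (a DN or an ldap:// URL), or None if no rule matches."""
    for pattern, template in SASL_REGEXPS:
        m = re.match(pattern, authzid)
        if m:
            return template.replace("$1", m.group(1))
    return None


def parse_ldap_url(url: str) -> Tuple[str, str, str, str]:
    """Split ldap://base?attrs?scope?filter into its four parts."""
    if not url.startswith("ldap://"):
        raise ValueError("not an ldap:// URL")
    base, attrs, scope, flt = url[len("ldap://"):].split("?")
    return base, attrs, scope, flt


def search(base: str, scope: str, flt: str) -> List[str]:
    """Minimal search: equality filter 'attr=value', scope 'base' or 'sub'."""
    attr, _, value = flt.partition("=")
    nbase = normalize_dn(base)
    hits = []
    for entry in DIRECTORY:
        dn = entry["dn"][0]
        ndn = normalize_dn(dn)
        in_scope = ndn == nbase or (scope == "sub" and ndn.endswith("," + nbase))
        values = [v.lower() for v in entry.get(attr, [])]
        if in_scope and value.lower() in values:
            hits.append(dn)
    return hits


def resolve_sasl_dn(authzid: str) -> Optional[str]:
    """Map an authorization identity to the entry DN the ACLs should see.
    A URL-form rule must yield exactly one entry, otherwise mapping fails."""
    mapped = map_authzid(authzid)
    if mapped is None:
        return None
    if not mapped.startswith("ldap://"):
        return mapped            # plain "uid=$1,ou=people,..." style rule
    base, _attrs, scope, flt = parse_ldap_url(mapped)
    hits = search(base, scope, flt)
    return hits[0] if len(hits) == 1 else None


def is_group_member(group_dn: str, dn: str) -> bool:
    """group.exact check: is the normalised DN listed as a member?"""
    for entry in DIRECTORY:
        if normalize_dn(entry["dn"][0]) == normalize_dn(group_dn):
            members = {normalize_dn(m) for m in entry.get("member", [])}
            return normalize_dn(dn) in members
    return False


if __name__ == "__main__":
    full_dn = resolve_sasl_dn("uid=paul,cn=jakma.org,cn=GSSAPI,cn=auth")
    print("mapped DN:", full_dn)
    print("full DN in group:", is_group_member(GROUP_DN, full_dn or ""))
    # The bare identity that appears in the post's log can never match.
    print("'UID=PAUL' in group:", is_group_member(GROUP_DN, "UID=PAUL"))
```

Running it shows the mapped identity resolving to the full entry DN, which the group check accepts, while the bare "UID=PAUL" is rejected; that is the contrast between what the rules intend and what the log in the post records.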