Re: saslAuthz failing to *compare*
Edward Rudd wrote:
I'm running OpenLDAP 2.1.22 and setting up, well, modifying my SASL proxy
auth setup.
I had a saslAuthzto entry of 'uid=.*,ou=People,o=MyOrg,c=US' and that
works, but now I'm restructuring things in my LDAP and needing a
saslAuthzTo entry of this 'uid=.*,ou=Users,.*,ou=Domains,o=MyOrg,c=US'
And that refuses to match...
The user DN is now like this:
'uid=test@nowhere.org,ou=Users,dc=nowhere,dc=org,ou=Domains,o=MyOrg,c=US'
Which should match (and does match with every other regex engine, and in
the ACL tables themselves).
Any ideas? Have I found a bug?
You're kind of hitting a (well-known) bug, i.e. the value
of saslAuthz{To|From} attributes is DN-normalized even if
it might be a regex; in detail, while
uid=.*,ou=People,o=MyOrg,c=US
passes DN-normalization, because each RDN is well defined,
uid=.*,ou=Users,.*,ou=Domains,o=MyOrg,c=US
doesn't, because the third AVA from the left, ".*", is not
a legal AVA (there is no "attributeType" "=", only a value
of ".*"). This is fixed in subsequent 2.1/2.2 releases.
Note that in 2.2 all these ambiguous identity definitions
can be avoided by forcing the right interpretation. In your
case, you can use:
saslAuthzTo: dn.regex:uid=.*,ou=Users,.*,ou=Domains,o=MyOrg,c=US
In general, it is good practice to prefix "dn:" or "u:" to
indicate if the identity is a DN or a userid; DNs allow
the modifiers "exact", "children", "subtree" and "regex".
I suggest you upgrade; a workaround could be to use
uid=.*,ou=Users,ou=.*,ou=Domains,o=MyOrg,c=US
^^^
note the "attributeType" "=" added; of course, you need
to add as many cases as are the expected attribute types.
p.
--
Dr. Pierangelo Masarati mailto:pierangelo.masarati@sys-net.it
LDAP Architect, SysNet s.n.c. http://www.sys-net.it
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
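As an added illustration (not OpenLDAP's own code), the following simplified model shows why the per-RDN "attributeType=value" check in DN normalization rejects a bare ".*" RDN, why an explicit "dn.regex:" prefix sidesteps it, and why the "ou=.*" workaround has to be repeated per expected attribute type: against the user's DN, "ou=.*" does not match but "dc=.*" does. The AVA syntax check and the prefix handling are deliberately simplified assumptions; the DNs and patterns are the ones quoted in the thread.

```python
import re

# DNs and saslAuthzTo values taken from the thread above
USER_DN = "uid=test@nowhere.org,ou=Users,dc=nowhere,dc=org,ou=Domains,o=MyOrg,c=US"
OLD_PATTERN = "uid=.*,ou=People,o=MyOrg,c=US"
NEW_PATTERN = "uid=.*,ou=Users,.*,ou=Domains,o=MyOrg,c=US"
WORKAROUND_OU = "uid=.*,ou=Users,ou=.*,ou=Domains,o=MyOrg,c=US"
WORKAROUND_DC = "uid=.*,ou=Users,dc=.*,ou=Domains,o=MyOrg,c=US"  # constructed variant for dc= subtrees

# Simplified AVA syntax: attributeType "=" value (assumption: a stand-in for the
# real normalizer's grammar, sufficient to show the failure the thread describes)
AVA = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")


def split_rdns(dn):
    """Split a DN into RDNs on unescaped commas."""
    return re.split(r"(?<!\\),", dn)


def first_bad_rdn(dn):
    """Return (1-based position, rdn) of the first RDN that is not a legal AVA,
    or None if the value would pass DN normalization."""
    for pos, rdn in enumerate(split_rdns(dn), start=1):
        if not AVA.match(rdn):
            return pos, rdn
    return None


def matches(pattern, dn):
    """Regex match of an authz pattern against a DN, as the ACLs would do it."""
    return re.fullmatch(pattern, dn) is not None


def check_authz_value(value):
    """Model of the behaviours discussed: a 'dn.regex:' prefix (2.2 syntax) is
    taken as a regex and skips normalization; a bare value is normalized first
    (the 2.1.22 behaviour) and rejected when any RDN is not an AVA."""
    if value.startswith("dn.regex:"):
        return "ok", value[len("dn.regex:"):]
    bad = first_bad_rdn(value)
    if bad is not None:
        return "rejected", "RDN #%d %r is not an AVA" % bad
    return "ok", value
```

Running `first_bad_rdn(NEW_PATTERN)` reports the third RDN, ".*", exactly as the reply explains, while `matches(WORKAROUND_OU, USER_DN)` is False and `matches(WORKAROUND_DC, USER_DN)` is True.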