
Re: saslAuthz failing to *compare*



Edward Rudd wrote:
I'm running OpenLDAP 2.1.22 and setting up, well, modifying my SASL proxy
Auth setup.
I had a saslAuthzto entry of 'uid=.*,ou=People,o=MyOrg,c=US' and that
works, but now I'm restructuring things in my LDAP and needing a
saslAuthzTo entry of this 'uid=.*,ou=Users,.*,ou=Domains,o=MyOrg,c=US'
And that refuses to match...
the user DN is now like this.
'uid=test@nowhere.org,ou=Users,dc=nowhere,dc=org,ou=Domains,o=MyOrg,c=US'
Which should match (and does match with every other Regex engine, and in
the ACL tables themselves).
Any ideas? Have I found a bug?

You're kind of hitting a (well known) bug, i.e. the value of saslAuthz{To|From} attributes is DN-normalized even if it might be a regex; in detail, while

	uid=.*,ou=People,o=MyOrg,c=US

passes a DN-normalization, because each RDN is well defined,

	uid=.*,ou=Users,.*,ou=Domains,o=MyOrg,c=US

doesn't because the third AVA from the left, ".*", is not
a legal AVA (there is no "attributeType" "=", only a value
of ".*").  This is fixed in subsequent 2.1/2.2 releases.
Note that in 2.2 all these ambiguous identity definitions
can be avoided by forcing the right interpretation.  In your
case, you can use:

saslAuthzTo: dn.regex:uid=.*,ou=Users,.*,ou=Domains,o=MyOrg,c=US

In general, it is good practice to prefix "dn:" or "u:" to
indicate if the identity is a DN or a userid; DNs allow
the modifiers "exact", "children", "subtree" and "regex".

I suggest you upgrade; a workaround could be to use

uid=.*,ou=Users,ou=.*,ou=Domains,o=MyOrg,c=US

                ^^^
note the "attributeType" "=" added; of course, you need
to add as many cases as are the expected attribute types.

p.

--
Dr. Pierangelo Masarati         mailto:pierangelo.masarati@sys-net.it
LDAP Architect, SysNet s.n.c.   http://www.sys-net.it



   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
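The following is an added illustration, not code from the thread or from OpenLDAP: a small Python model of the behaviour the reply describes. It mimics the DN-normalization step that an unprefixed saslAuthzTo value goes through (every RDN must be "attributeType=value", so a bare ".*" fails), shows why the explicit "dn.regex:" form bypasses that step, and checks the suggested workaround against the poster's actual user DN. The AVA syntax check, the toy normalization and the semantics assigned to "exact", "children" and "subtree" (standard DN equality and suffix tests) are assumptions of this example; real slapd normalization is schema-aware.

```python
import re

# Modifiers the reply lists for "dn" identities in 2.2.
DN_STYLES = ("exact", "children", "subtree", "regex")

# An AVA is "<attributeType>=<value>": the type is a descriptor
# (alpha, then alnum/hyphen) or a numeric OID (RFC 4514).
AVA_RE = re.compile(r'(?:[A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)*)=.*', re.DOTALL)


def split_rdns(dn):
    """Split on unescaped commas; an escaped '\\,' stays inside its RDN."""
    return re.split(r'(?<!\\),', dn)


def split_avas(rdn):
    """Split a multi-valued RDN on unescaped '+'. (A '+' inside a regex
    value would be mis-split too: one more reason not to mix the syntaxes.)"""
    return re.split(r'(?<!\\)\+', rdn)


def dn_normalizes(value):
    """Mimic the check the reply describes: every AVA of every RDN must
    carry an attributeType and '='. A bare regex fragment such as '.*'
    sitting where an RDN should be makes the whole value fail."""
    return all(AVA_RE.fullmatch(ava.strip()) is not None
               for rdn in split_rdns(value)
               for ava in split_avas(rdn))


def normalize_dn(dn):
    """Toy normalization (assumption): trim whitespace around separators
    and lowercase attribute types. slapd's real normalizer is schema-aware."""
    rdns = []
    for rdn in split_rdns(dn):
        avas = []
        for ava in split_avas(rdn):
            atype, _, val = ava.strip().partition("=")
            avas.append(atype.strip().lower() + "=" + val.strip())
        rdns.append("+".join(avas))
    return ",".join(rdns)


def parse_identity(value):
    """Return (kind, style, body) for a saslAuthzTo/From value.
    'dn.<style>:' and 'u:' are the explicit forms the reply recommends;
    a bare 'dn:' or no prefix at all is 'ambiguous' and, as in the affected
    2.1 releases, is left to the normalization check."""
    m = re.match(r'dn(?:\.(exact|children|subtree|regex))?:', value)
    if m:
        return "dn", m.group(1), value[m.end():]
    if value.startswith("u:"):
        return "u", None, value[2:]
    return "ambiguous", None, value


def evaluate(value, user_dn):
    """Return (accepted, matched): whether the configured value survives
    normalization, and whether it then matches user_dn."""
    kind, style, body = parse_identity(value)
    if kind == "u":
        return True, None          # userid identities are not modelled here
    if style == "regex":           # explicit regex: no DN normalization at all
        return True, re.fullmatch(body, user_dn) is not None
    if style in ("exact", "children", "subtree"):
        base, target = normalize_dn(body), normalize_dn(user_dn)
        if style == "exact":
            return True, target == base
        is_child = target.endswith("," + base)
        return True, is_child if style == "children" else (is_child or target == base)
    # Ambiguous value: DN-normalized first; only a value that survives is
    # later usable as a regex (which is why uid=.*,ou=People,... worked).
    if not dn_normalizes(body):
        return False, False
    return True, re.fullmatch(body, user_dn) is not None


if __name__ == "__main__":
    # Constructed from the DN quoted in the thread.
    user = "uid=test@nowhere.org,ou=Users,dc=nowhere,dc=org,ou=Domains,o=MyOrg,c=US"
    for v in ("uid=.*,ou=Users,.*,ou=Domains,o=MyOrg,c=US",
              "dn.regex:uid=.*,ou=Users,.*,ou=Domains,o=MyOrg,c=US",
              "uid=.*,ou=Users,ou=.*,ou=Domains,o=MyOrg,c=US",
              "uid=.*,ou=Users,dc=.*,ou=Domains,o=MyOrg,c=US"):
        print(f"{v!r:60} accepted/matched = {evaluate(v, user)}")
```

Running the script shows the failure mode and both fixes side by side: the unprefixed pattern with a bare ".*" RDN is rejected before any matching happens, "dn.regex:" makes it work unchanged, and the "ou=.*" workaround is accepted but does not match this DN because the intermediate RDNs are "dc=", so one "dc=.*" variant (or one per expected attribute type, as the reply notes) is needed.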