Re: saslAuthz failing to *compare*

[Pierangelo Masarati <ando@sys-net.it>]

Edward Rudd wrote:
> I running OpenLDAP 2.1.22 and setting up, well modifying my SASL proxy
> Auth setup
> I had a saslAuthzto entry of 'uid=.*,ou=People,o=MyOrg,c=US' and that
> works, but now I'm restructuring things in my LDAP and needing a
> saslAuthzTo entry of this 'uid=.*,ou=Users,.*,ou=Domains,o=MyOrg,c=US'
> And that refuses to match...
> the user DN is now like this.
> 'uid=test@nowhere.org,ou=Users,dc=nowhere,dc=org,ou=Domains,o=MyOrg,c=US'
> Which should match (and does match with every other Regex engine, and in
> the ACL tables them selves).
> Any ideas? Have I found a bug?

You're kind of hitting a (well known) bug, i.e. the value
of saslAuthz{To|From} attributes is DN-normalized even if
it might be a regex; in detail, while

	uid=.*,ou=People,o=MyOrg,c=US

passes a DN-normalization, because each RDN is well defined,

	uid=.*,ou=Users,.*,ou=Domains,o=MyOrg,c=US

doesn't because the third AVA from the left, ".*", is not
a legal AVA (there is no "attributeType" "=", only a value
of ".*".  This is fixed in subsequent 2.1/2.2 releases.
Note that in 2.2 all these ambiguous identity definitions
can be avoided by forcing the right interpretation.  In your
case, you can use:

saslAuthzTo: dn.regex:uid=.*,ou=Users,.*,ou=Domains,o=MyOrg,c=US

un general, it is good practice to prefi "dn:" or "u:" to
indicate if the identity is a DN or a userid; DNs allow
the modifiers "exact", "chidren", "subtree" and "regex".

I suggest you upgrade; a workaround could be to use

uid=.*,ou=Users,ou=.*,ou=Domains,o=MyOrg,c=US

                ^^^
note the "attributeType" "=" added; of course, you need
to add as many cases as are the expected attribute types.

p.

--
Dr. Pierangelo Masarati         mailto:pierangelo.masarati@sys-net.it
LDAP Architect, SysNet s.n.c.   http://www.sys-net.it



   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497