Re: saslAuthzTo check returning 48 SASL [conn=154] Failure: not authorized
> Thanks for your input. I compiled and installed openldap-2.1.30 and
> changed the uid admin from saslAuthzTo:
> dn.regex:uid=.*,ou=people,dc=cpc to
> ldap:///ou=people,dc=cpc??sub?(objectclass=Person) (as in doco
> http://www.billy.demon.nl/ ) and it works. To be honest I didn't/don't
> really understand how it works and why it wasn't working from the
> replies below but I am happy anyway.
I'm afraid this is exploiting a "feature" of authz code that is going to
change in future (2.2, at least) releases. For those who are going to use
2.2 I strongly suggest the dn.regex style syntax is used to avoid later
problems. The code as is in 2.1 and early 2.2 allows ldap:// authz
strings to return multiple candidates, while, for consistency with
authz-regexp (formerly sasl-regexp) rules, the ldap:// form will be
required to match exactly one DN.
p.
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497