
SOLVED (was Re: SASL secrets in LDAP (I did review the archive on this...))



Hi List-

Turns out the problem was with my sasl-regexp statement, combined with
an option that I thought I wanted but really didn't.  I guess that some
sleep helped the process...

I set loglevel in /etc/openldap/slapd.conf to a big number and the
commandline options for starting slapd to "-d 255" and watched the
interaction take place on stderr and used that to figure out the
problem.

The problem was that the slapd.conf file had the option:
sasl-realm      GNOSYS.US

and so slapd was putting that realm in every query.  I was thinking that
I could use this option as a default value for a realm to be used when
none was specified (sorta like the defaultdomain in cyrus imapd while
still accepting other virtual domains) and that I could replace it with
another realm by specifying that realm as a domain.  Perhaps I can, but
what I had in place was obviously not doing that for me.

But this leaves me wondering...

The sasl-regexp that worked was this:

sasl-regexp uid=(.*),cn=digest-md5,cn=auth
    ldap:///ou=people,dc=asciolla,dc=com??sub?(mail=$1)

so the whole email address (say, userone@asciolla.com) is being read in
as the uid and made available on the right-hand side as variable $1, no
realm is specified by the slapd.conf file so there's no cn=realm.name
(any way to specify that using the commandline query tools?), and since
I was specifying DIGEST-MD5 on the command line for authentication with
the query, the rest matches.

So if my understanding is correct, this gets converted to an ldap URI
and since the ou and dc components are hard-coded in that URI, the
substituted variable gives me "mail=userone@asciolla.com" at the end of
the URI and this matches one of the DNs in the directory, in particular,
"dn: mail=userone@asciolla.com, ou=people, dc=asciolla, dc=com".

But now I'm wondering about a general sasl-regexp that would start with
the email address (in this case, "userone@asciolla.com") and break it
into username (in this case, "userone") as one variable ("$1"), first
domain component ("asciolla") as another ("$2"), and second domain
component ("com") as a third variable ("$3") to give me a generalized
regular expression that I could use to create an ldap search expression
that I could use to search through the directory with many virtual
domains, but where I wouldn't need to hard-code the domain components of
each virtual domain in the search expression as I did here.

I'm sure that by studying the docs for regular expressions I can come up
with such a regexp, but my question is about whether or not this is
advisable given my intended uses.  Perhaps I'd be creating some
potential vulnerability in the authentication system by making such a
generalized sasl-regexp.

BTW, are the regular expressions of sasl-regexp PCREs or one of the
other flavors of REs?  man 5 slapd.conf doesn't say, and writing REs is
difficult enough for me when I know which flavor of RE I'm trying to
compose.  If possible, I'd rather not be forced to debug several
possible RE flavors through the process of authentication with slapd -d
255 and loglevel 2048.

Anyway, I hope my solution here helps someone, and I would welcome any
thoughts on these other questions about RE flavor and advisability.

TIA.

--
Kevin
http://www.gnosys.us
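
Added example, not part of the original post and not OpenLDAP's code: one possible form of the generalized rule asked about above, using anchors and character classes instead of (.*) so that only address-shaped uids produce a search URI. It assumes slapd evaluates sasl-regexp as a case-insensitive POSIX extended regular expression (regcomp with REG_EXTENDED | REG_ICASE); map_authn_dn, GEN_MATCH and GEN_REPL are hypothetical names, and the sample DN is constructed.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical generalized rule: $1 = user, $2/$3 = domain components. Anchors
 * and character classes replace (.*); only two-label domains are accepted. */
static const char *GEN_MATCH =
    "^uid=([a-z0-9._-]+)@([a-z0-9-]+)\\.([a-z]+),cn=digest-md5,cn=auth$";
static const char *GEN_REPL =
    "ldap:///ou=people,dc=$2,dc=$3??sub?(mail=$1@$2.$3)";

/* Match dn against `match` and expand $1..$9 in `repl` into out.
 * Returns 0 on success, -1 on no match or if out is too small. */
int map_authn_dn(const char *match, const char *repl, const char *dn,
                 char *out, size_t outlen)
{
    regex_t re;
    regmatch_t m[10];
    size_t o = 0;
    if (outlen == 0 || regcomp(&re, match, REG_EXTENDED | REG_ICASE) != 0)
        return -1;
    int rc = regexec(&re, dn, 10, m, 0);
    regfree(&re);
    if (rc != 0)
        return -1;
    for (const char *p = repl; *p; p++) {
        int g = (p[0] == '$' && p[1] >= '1' && p[1] <= '9') ? p[1] - '0' : 0;
        const char *src = p;
        size_t len = 1;
        if (g) {            /* copy capture group g instead of "$g" */
            len = m[g].rm_so < 0 ? 0 : (size_t)(m[g].rm_eo - m[g].rm_so);
            src = dn + (len ? m[g].rm_so : 0);
            p++;
        }
        if (o + len >= outlen)
            return -1;      /* never hand back a truncated base or filter */
        memcpy(out + o, src, len);
        o += len;
    }
    out[o] = '\0';
    return 0;
}

int main(void)
{
    char uri[256];
    const char *dn = "uid=userone@asciolla.com,cn=digest-md5,cn=auth";
    if (map_authn_dn(GEN_MATCH, GEN_REPL, dn, uri, sizeof uri) == 0)
        puts(uri);
    return 0;
}
```

An address with more than two domain labels does not match GEN_MATCH and so maps to nothing; each additional domain depth would need its own rule.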