Hi,

after upgrading our openldap server to the most current version, I'm having bad troubles with saslAuthzTo and regular expressions.

Previously the following attribute setting for saslAuthzTo was working:

saslAuthzTo: uid=.*,ou=MailCustomers,dc=bestsolution,dc=at

It essentially allows specific users to become any other MailCustomer.

Now slapd cannot deal with uid=.* any longer; here's what it says when enabling debugging after an ldapwhoami:

---------CUT----------
==>slap_sasl_authorized: can uid=dovecot,ou=systemusers,dc=bestsolution,dc=at become uid=fred.flintstone,ou=mailcustomers,dc=bestsolution,dc=at?
==>slap_sasl_check_authz: does uid=fred.flintstone,ou=mailcustomers,dc=bestsolution,dc=at match saslAuthzTo rule in uid=dovecot,ou=systemusers,dc=bestsolution,dc=at?
=> bdb_entry_get: ndn: "uid=dovecot,ou=systemusers,dc=bestsolution,dc=at"
=> bdb_entry_get: oc: "(null)", at: "saslAuthzTo"
bdb_dn2entry("uid=dovecot,ou=systemusers,dc=bestsolution,dc=at")
bdb_entry_get: rc=0
[...]
===>slap_sasl_match: comparing DN uid=fred.flintstone,ou=mailcustomers,dc=bestsolution,dc=at to rule uid=.*,ou=MailCustomers,dc=bestsolution,dc=at
slap_parseURI: parsing uid=.*,ou=MailCustomers,dc=bestsolution,dc=at
ldap_url_parse_ext(uid=.*,ou=MailCustomers,dc=bestsolution,dc=at)
>>> dnNormalize: <uid=.*,ou=MailCustomers,dc=bestsolution,dc=at>
=> ldap_bv2dn(uid=.*,ou=MailCustomers,dc=bestsolution,dc=at,0)
ldap_err2string
<= ldap_bv2dn(uid=.*,ou=MailCustomers,dc=bestsolution,dc=at)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(uid=.*,ou=mailcustomers,dc=bestsolution,dc=at)=0 Success
<<< dnNormalize: <uid=.*,ou=mailcustomers,dc=bestsolution,dc=at>
<===slap_sasl_match: comparison returned 48
<==slap_sasl_check_authz: saslAuthzTo check returning 48
<== slap_sasl_authorized: return 48
SASL Proxy Authorize [conn=60]: proxy authorization disallowed (48)
SASL [conn=60] Failure: not authorized
---------CUT----------

I also tried to change the value to

saslAuthzTo: dn.regexp:uid=.*,ou=MailCustomers,dc=bestsolution,dc=at

but that again failed:

---------CUT----------
bdb_dn2entry("uid=dovecot,ou=systemusers,dc=bestsolution,dc=at")
bdb_entry_get: rc=0
[...]
===>slap_sasl_match: comparing DN uid=fred.flintstone,ou=mailcustomers,dc=bestsolution,dc=at to rule dn.regexp:uid=.*,ou=MailCustomers,dc=bestsolution,dc=at
slap_parseURI: parsing dn.regexp:uid=.*,ou=MailCustomers,dc=bestsolution,dc=at
<===slap_sasl_match: comparison returned 2
<==slap_sasl_check_authz: saslAuthzTo check returning 48
<== slap_sasl_authorized: return 48
SASL Proxy Authorize [conn=62]: proxy authorization disallowed (48)
SASL [conn=62] Failure: not authorized
---------CUT----------

It works if I drop the wildcard and specify the dn explicitly:

saslAuthzTo: uid=fred,ou=MailCustomers,dc=bestsolution,dc=at

So did something change, or am I wrong, or is this just an ordinary bad Monday ...

thanks in advance

Udo Rader
BestSolution.at GmbH
http://www.bestsolution.at
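Added illustration (my own toy model, not slapd's code) of the two match modes the log above shows: a bare DN value goes through dnNormalize and is then compared literally, so `.*` in it is just text, while only a rule written with the regex prefix is matched as a regular expression. The prefix spelling assumed here is `dn.regex:`, the form documented in slapd.conf(5); `dn.regexp:`, as tried in the post, is treated as an unrecognised style. The DNs are the ones from the log.

```python
import re

# DNs taken from the log in the post: the identity asking to switch, and the
# target as slapd logged it after dnNormalize (already lower-cased).
AUTHZ_ID = "uid=dovecot,ou=systemusers,dc=bestsolution,dc=at"
TARGET = "uid=fred.flintstone,ou=mailcustomers,dc=bestsolution,dc=at"

# The result code the log reports when a saslAuthzTo check fails.
LDAP_INAPPROPRIATE_AUTH = 48


def normalize_dn(dn: str) -> str:
    """Toy stand-in for dnNormalize: trim around RDN separators and lower-case."""
    return ",".join(rdn.strip() for rdn in dn.split(",")).lower()


def match_rule(rule: str, target_dn: str) -> bool:
    """Evaluate one saslAuthzTo value against a target DN.

    Modelled styles (assumption, mirroring slapd.conf(5) naming):
      bare DN / 'dn:' / 'dn.exact:'  -> normalize both sides, compare literally
      'dn.regex:'                    -> anchored, case-insensitive regex match
    Any other '<style>:' prefix (e.g. 'dn.regexp:') is a parse failure.
    """
    target = normalize_dn(target_dn)
    style, sep, body = rule.partition(":")
    if not sep or "=" in style:          # no style prefix: a bare DN
        style, body = "dn.exact", rule
    if style == "dn.regex":
        # fullmatch anchors the pattern, so a DN that merely contains the
        # intended subtree (e.g. an entry below a MailCustomer) does not pass.
        return re.fullmatch(body, target, re.IGNORECASE) is not None
    if style in ("dn", "dn.exact"):
        return normalize_dn(body) == target
    return False                          # unknown style, like the returned 2 in the log


def check_authz(rule: str, target_dn: str, authz_id: str = AUTHZ_ID) -> int:
    """Return 0 when authz_id may become target_dn under rule, else 48 as in the log."""
    return 0 if match_rule(rule, target_dn) else LDAP_INAPPROPRIATE_AUTH


if __name__ == "__main__":
    for rule in ("uid=.*,ou=MailCustomers,dc=bestsolution,dc=at",
                 "dn.regexp:uid=.*,ou=MailCustomers,dc=bestsolution,dc=at",
                 "dn.regex:uid=.*,ou=MailCustomers,dc=bestsolution,dc=at",
                 "uid=fred.flintstone,ou=MailCustomers,dc=bestsolution,dc=at"):
        print(f"{rule!r:70} -> rc={check_authz(rule, TARGET)}")
```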