
Re: authzTo [virus-scanned]



> Hi!
>
> A user ck with
> #
> dn: employeeid=3,ou=here,ou=humans,o=foo
> [..]
> uid: ck
> #
> should be used as Cyrus IMAP user by ldapdb.
> I have an entry
> #
> dn: cn=human,ou=mgr,o=foo
> #
> with
> #
> [...]
> authzTo: ldap:///ou=humans,o=foo??sub?(uid=*)
>
> I added
> #
> sasl_ldapdb_id: cn=human,ou=mgr,o=foo
> #
> to imapd.conf and
> #
> authz-policy to
> authz-regexp uid=.*,cn=auth
> 	cn=human,ou=mgr,o=foo
> authz-regexp cn=human,ou=mgr,o=foo
> 	dn.subtree=cn=.*,ou=here,ou=humans,o=foo

^^^ this is incorrect; either use

        dn.subtree=ou=here,ou=humans,o=foo

or

        dn.regex="^cn=.+,ou=here,ou=humans,o=foo$"

> #
> to my slapd.conf.
>
> ACL for ou=humans,o=foo is
> #
> access to dn.subtree=ou=humans,o=foo
> 	by anonymous auth
> 	by users read
> access to dn.subtree=ou=humans,o=foo attrs=userpassword
> 	by self write
>
> It does not work. User ck is not authenticated in ldap, I can't even
> find a try.
> There is a BIND with DN: "" at first. Then a switch to
> cn=human,ou=mgr,o=foo (authcid=authzid="cn=human,ou=mgr,o=foo") and a
> search for the uid as defined in the authzTo attribute.
> It ends up with
> "not authorized to assume identity".

I haven't checked the rest very closely, so there might be other issues.

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
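The dn.subtree versus dn.regex distinction the reply points out, as an added example that is not from this thread or from OpenLDAP: a small Python emulation of how slapd compares a dn.<style> rule (the form used in authzTo/authzFrom values) against a candidate DN, run over the three spellings quoted above and the poster's employeeid=3 entry. It goes beyond the thread by also handling dn.exact and dn.children; the function names, the RULES table and the DN normalization (assumed here to be split on commas, trim, lowercase, whereas slapd normalizes per schema) are this example's own simplifications.

```python
import re

# Constructed emulation of slapd's dn.<style> matching for authorization rules.
# Simplified DN normalization: split on commas, trim, lowercase (assumption).

def normalize_dn(dn):
    """Split a DN into RDN components for literal comparison (simplified)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]

def parse_dn_rule(rule):
    """Split 'dn.<style>=<pattern>' into (style, pattern). Surrounding quotes,
    as in dn.regex="^cn=...$", are removed; a bare 'dn=' means dn.exact."""
    m = re.fullmatch(r'dn(?:\.(exact|children|subtree|regex))?=(.*)', rule.strip())
    if not m:
        raise ValueError("unsupported rule syntax: %r" % rule)
    style = m.group(1) or "exact"
    pattern = m.group(2).strip()
    if len(pattern) >= 2 and pattern[0] == pattern[-1] == '"':
        pattern = pattern[1:-1]
    return style, pattern

def dn_rule_matches(rule, dn):
    """True if the candidate DN is authorized by the dn.<style> rule."""
    style, pattern = parse_dn_rule(rule)
    if style == "regex":
        # Only dn.regex interprets the pattern as a regular expression.
        return re.search(pattern, dn) is not None
    base = normalize_dn(pattern)
    cand = normalize_dn(dn)
    if style == "exact":
        return cand == base
    # subtree/children compare the trailing RDNs literally, so a base of
    # 'cn=.*,ou=here,...' is just an RDN whose value is the text '.*'.
    below = len(cand) > len(base) and cand[-len(base):] == base
    if style == "children":
        return below
    return below or cand == base

# The user's entry and the three rule spellings from the thread (constructed table).
USER_DN = "employeeid=3,ou=here,ou=humans,o=foo"
RULES = {
    "wildcard_in_subtree": "dn.subtree=cn=.*,ou=here,ou=humans,o=foo",
    "subtree_fixed":       "dn.subtree=ou=here,ou=humans,o=foo",
    "regex_fixed":         'dn.regex="^cn=.+,ou=here,ou=humans,o=foo$"',
}

def evaluate(dn=USER_DN):
    """Return, per rule name, whether the rule authorizes the given DN."""
    return {name: dn_rule_matches(rule, dn) for name, rule in RULES.items()}

if __name__ == "__main__":
    for name, ok in evaluate().items():
        print("%-22s %s" % (name, ok))
```

Running it shows that the wildcard inside dn.subtree matches nothing, the corrected dn.subtree form matches the employeeid=3 entry, and the dn.regex form matches only entries whose first RDN is a cn.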