Re: authzTo [auf Viren überprüft]

[Hans Moser <hans.moser@ofd-sth.niedersachsen.de>]

Pierangelo Masarati schrieb am 04.08.2005 17:17:
> > authz-policy to
> > authz-regexp uid=.*,cn=auth
> > 	cn=human,ou=mgr,o=foo
> > authz-regexp cn=human,ou=mgr,o=foo
> > 	dn.subtree=cn=.*,ou=here,ou=humans,o=foo
> ^^^ this is incorrect; either use

I corrected this to:
authz-policy to
authz-regexp uid=human,cn=plain,cn=auth
	cn=human,ou=mgr,o=foo
authz-regexp uid=([^,]*,cn=plain,cn=auth
	"ldap:///ou=here,ou=humans,o=foo??sub?(uid=$1)"

I don't recognized, that not only sasl_ldapdb_id is converted but also 
the imapd-userid.
Now the two ids are converted correctly (checked with -d 1 output).

Now slapd stucks while doing the authzTo rule checking:

slap_sasl_check_authz: does employeeNumber=2,ou=here,ou=humans,o=foo 
match authzTo rule in cn=human,ou=mgr,o=foo?
[...]
slap_sasl_check_authz: authzTo check returning 50
slap_sasl_authorized: return 48
SASL PROXY AUTHORIZE [conn=0]: proxy authorization disallowed (48)
SASL [conn=0] Failure: not authorized

authzTo-attribute of cn=human,ou=mgr,o=foo is
authzTo: dn.subtree="ou=humans,o=foo"

In slapd.conf:
authz-regexp "cn=human,ou=mgr,o=foo"
	dn.subtree="ou=humans,o=foo"

In what state is the connection?
What ACL settings are required? Must authzTo really be readable by *?
When I do this, I goes one step further:

slap_sasl_match: comparing DN employeeNumber=2,ou=here,ou=humans,o=foo 
to rule dn.subtree="ou=humans,o=foo"
slap_parseURI: parsing dn.subtree="ou=humans,o=foo"
slap_sasl_match: comparison returned 2
slap_sasl_check_authz: authzTo check returning 2
slap_sasl_authorized: return 48
SASL PROXY AUTHORIZE [conn=0]: proxy authorization disallowed (48)
SASL [conn=0] Failure: not authorized

Where is the cause for the "Insufficient access" problem here?


Hans