[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: authzTo [auf Viren überprüft]

To: Hans Moser <hans.moser@ofd-sth.niedersachsen.de>
Subject: Re: authzTo [auf Viren überprüft]
From: Pierangelo Masarati <ando@sys-net.it>
Date: Sat, 06 Aug 2005 01:00:41 +0200
Cc: Openldap list <openldap-software@OpenLDAP.org>
In-reply-to: <42F34DF3.9050604@ofd-sth.niedersachsen.de>
References: <42F22B31.70104@ofd-sth.niedersachsen.de> <38669.131.175.154.56.1123168634.squirrel@131.175.154.56> <42F34DF3.9050604@ofd-sth.niedersachsen.de>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050524 CentOS/1.7.8-1.1.3.1.centos3

Hans Moser wrote:

Pierangelo Masarati schrieb am 04.08.2005 17:17:
authz-policy to
authz-regexp uid=.*,cn=auth
    cn=human,ou=mgr,o=foo
authz-regexp cn=human,ou=mgr,o=foo
    dn.subtree=cn=.*,ou=here,ou=humans,o=foo
^^^ this is incorrect; either use
I corrected this to:
authz-policy to
authz-regexp uid=human,cn=plain,cn=auth
    cn=human,ou=mgr,o=foo
authz-regexp uid=([^,]*,cn=plain,cn=auth
    "ldap:///ou=here,ou=humans,o=foo??sub?(uid=$1)"
I don't recognized, that not only sasl_ldapdb_id is converted but also the imapd-userid. Now the two ids are converted correctly (checked with -d 1 output).
Now slapd stucks while doing the authzTo rule checking:
slap_sasl_check_authz: does employeeNumber=2,ou=here,ou=humans,o=foo match authzTo rule in cn=human,ou=mgr,o=foo? [...] slap_sasl_check_authz: authzTo check returning 50 slap_sasl_authorized: return 48 SASL PROXY AUTHORIZE [conn=0]: proxy authorization disallowed (48) SASL [conn=0] Failure: not authorized
authzTo-attribute of cn=human,ou=mgr,o=foo is
authzTo: dn.subtree="ou=humans,o=foo"


Looks like I gave you partially incorrect advice; should be

authzTo: dn.subtree:ou=humans,o=foo

note the colon after "subtree".


In slapd.conf:
authz-regexp "cn=human,ou=mgr,o=foo"
    dn.subtree="ou=humans,o=foo"

In what state is the connection?
What ACL settings are required? Must authzTo really be readable by *?


AFAIR authz{To,From} should have AUTH access to be used in authorization.

When I do this, I goes one step further:
slap_sasl_match: comparing DN employeeNumber=2,ou=here,ou=humans,o=foo to rule dn.subtree="ou=humans,o=foo" slap_parseURI: parsing dn.subtree="ou=humans,o=foo" slap_sasl_match: comparison returned 2


See above; "2" means protocolError (because of the incorrect syntax).

slap_sasl_check_authz: authzTo check returning 2
slap_sasl_authorized: return 48
SASL PROXY AUTHORIZE [conn=0]: proxy authorization disallowed (48)
SASL [conn=0] Failure: not authorized

Where is the cause for the "Insufficient access" problem here?

On a side note, I think we should define a "authz" syntax so that when this data gets written in the directory it gets validated (and possibly normalized) and errors can be noticed in advance. This would also save a lot of normalizations when data is used.

p.


   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497

References:
- authzTo [auf Viren überprüft]
  - From: Hans Moser <hans.moser@ofd-sth.niedersachsen.de>
- Re: authzTo [auf Viren überprüft]
  - From: "Pierangelo Masarati" <ando@sys-net.it>
- Re: authzTo [auf Viren überprüft]
  - From: Hans Moser <hans.moser@ofd-sth.niedersachsen.de>

Prev by Date: Re: Plugin configuration problem
Next by Date: Re: openldap 2.2.17 and SSL
Index(es):
- Chronological
- Thread