[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Required changes in 2.4.7 regarding ACLs when using authz-regexp?
Gavin Henry wrote:
Michael Ströder wrote:
I tried to migrate an existing server from 2.3.39 to 2.4.7 (or also
CVS RE24). I'm making use of authz-regexp to map user entries when
they do a SASL Bind with DIGEST-MD5. Also some ACLs are in effect.
This together used to work on 2.3.x with the existing ACLs.
With 2.4.7 this worked no longer. The user wasn't found. In the ACL
debug log I've noticed that access to the search root database entry
(suffix) is requested. When I explicitly grant auth access to this
entry it works. But why is that needed? Was this an intended change?
Can you paste them?
I've prepared a simplified slapd.conf and a LDIF file (both
attached) for this particular migration issue.
Take note of this:
authz-regexp
"uid=([a-zA-Z0-9]+),cn=digest-md5,cn=auth"
"ldap:///ou=authz-test,dc=stroeder,dc=local??sub?(uid=$1)"
[..]
access to
dn.onelevel="ou=Users,ou=authz-test,dc=stroeder,dc=local"
by * auth
See test of recent RE23 (port 2003) vs. recent RE24 (port 2004):
----------------------------- snip -----------------------------
$ /opt/openldap-RE24/bin/ldapwhoami -H "ldap://localhost:2003" -Y
DIGEST-MD5 -w testsecret
SASL/DIGEST-MD5 authentication started
SASL username: michael
SASL SSF: 128
SASL data security layer installed.
dn:uid=michael,ou=users,ou=authz-test,dc=stroeder,dc=local
$ /opt/openldap-RE24/bin/ldapwhoami -H "ldap://localhost:2004" -Y
DIGEST-MD5 -w testsecret
SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
m
----------------------------- snip -----------------------------
If I grant auth access to the database root entry
ou=authz-test,dc=stroeder,dc=local it works (see comment of this
particular ACL in attached slapd.conf). With RE23 it also works
without this ACL!
Ciao, Michael.
dn: ou=authz-test,dc=stroeder,dc=local
objectClass: organizationalUnit
ou: authz-test
dn: ou=Users,ou=authz-test,dc=stroeder,dc=local
objectClass: organizationalUnit
ou: Users
dn: uid=michael,ou=Users,ou=authz-test,dc=stroeder,dc=local
uid: michael
objectClass: account
objectClass: simpleSecurityObject
userpassword: testsecret
include /opt/openldap-RE24/etc/openldap/schema/core.schema
include /opt/openldap-RE24/etc/openldap/schema/cosine.schema
# Define global ACLs to disable default read access.
pidfile /home/michael/temp/openldap-authzto-testbed/RE24/run/slapd-1.pid
argsfile /home/michael/temp/openldap-authzto-testbed/RE24/run/slapd-1.args
modulepath /opt/openldap-RE24/libexec/openldap
moduleload back_hdb.la
authz-regexp
"uid=([a-zA-Z0-9]+),cn=digest-md5,cn=auth"
"ldap:///ou=authz-test,dc=stroeder,dc=local??sub?(uid=$1)"
database hdb
suffix "ou=authz-test,dc=stroeder,dc=local"
directory /home/michael/temp/openldap-authzto-testbed/RE24/data
# Index-Konfiguration
index objectClass,uid eq
sizelimit -1
# User entries
# ------------------------
access
to dn.onelevel="ou=Users,ou=authz-test,dc=stroeder,dc=local"
by * auth
# Why the hell is this ACL needed for SASL Bind with authz-regexp with OpenLDAP 2.4?
access to dn.base="ou=authz-test,dc=stroeder,dc=local"
by * auth