[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Auth access for search-based mappings?

To: Jaap Winius <jwinius@umrk.nl>
Subject: Re: Auth access for search-based mappings?
From: Howard Chu <hyc@symas.com>
Date: Fri, 15 Jan 2010 20:47:53 -0800
Cc: openldap-technical@openldap.org
In-reply-to: <20100116051728.ujtrvfqpunkssscs@www.umrk.nl>
References: <20100115201454.pzmq2f727cow0o88@www.umrk.nl> <20100116051728.ujtrvfqpunkssscs@www.umrk.nl>
User-agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.9.3a1pre) Gecko/20091218 SeaMonkey/2.0a1pre Firefox/3.0.3

Jaap Winius wrote:
> Hi all,
> 
> My OpenLDAP 2.4 test system uses Kerberos, SASL and GSSAPI. I've got  
> person objects located in two different org. units and want to search  
> both of them for a potential match, so I included these two statements  
> in slapd.conf:
> 
>     authz-regexp
>        uid=([^,]*),cn=example.com,cn=gssapi,cn=auth
>        ldap:///ou=eng,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))
> 
>     authz-regexp
>        uid=([^,].*),cn=example.com,cn=gssapi,cn=auth
>        ldap:///ou=bio,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))
> 
> Unfortunately, it's not working as I hoped. If I have two test users,  
> uid=john in ou=eng and uid=pete ou=bio, then after first  
> authenticating them with the Kerberos kinit command, in this situation  
> a subsequent ldapwhoami command for each will give:
> 
>     dn:uid=john,ou=eng,dc=example,dc=com
>     dn:uid=pete,cn=example.com,cn=gssapi,cn=auth
> 
> The second result is, of course, completely useless. However, if I  
> change the order of two authz-regexp statements I get:
> 
>     dn:uid=john,cn=example.com,cn=gssapi,cn=auth
>     dn:uid=pete,ou=bio,dc=example,dc=com
> 
> Now the first result is useless. In other words, both authz-regexp  
> statements work, but the second statement is being ignored. Why? How  
> can I get slapd to also process the second authz-regexp statement?

You can't. As the slapd.conf(5) manpage states, the matching process stops at
the first rule that matches the incoming SASL name. If you want to use
multiple authz-regexp statements, they must each have unique "match" portions
because any duplicates will be ignored.

For your case, you need to come up with a single search specification that
will handle both branches of your search. One possible solution would be to
use entryDN in the filter:

ldap:///dc=example,dc=com??sub?
  (&(|(entryDN:dnSubtree:=ou=eng,dc=example,dc=com)
      (entryDN:dnSubtree:ou=bio,dc=example,dc=com))
    (uid=$1)(objectclass=person))

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

Follow-Ups:
- Re: Auth access for search-based mappings?
  - From: Howard Chu <hyc@symas.com>
- Re: Auth access for search-based mappings?
  - From: Jaap Winius <jwinius@umrk.nl>

References:
- Auth access for search-based mappings?
  - From: Jaap Winius <jwinius@umrk.nl>
- Re: Auth access for search-based mappings?
  - From: Jaap Winius <jwinius@umrk.nl>

Prev by Date: Re: Auth access for search-based mappings?
Next by Date: Re: Auth access for search-based mappings?
Index(es):
- Chronological
- Thread