Re: Auth access for search-based mappings?
Jaap Winius wrote:
> Quoting Howard Chu <hyc@symas.com>:
>
>> You can't. As the slapd.conf(5) manpage states, the matching process
>> stops at the first rule that matches the incoming SASL name. ...
>
> Okay. I saw that too, but confused the SASL name with the SASL user
> name. So, the first of my two authz-regexp statements was always a
> match, which stopped the process.
>
>> ... If you want to use multiple authz-regexp statements, they must
>> each have unique "match" portions because any duplicates will be ignored.
>
> And mine were duplicates, since the replacement pattern is not part of
> the match (search pattern).
>
>> For your case, you need to come up with a single search specification...
>
> Where can I find information on how to write LDAP URL search
> specifications?
> For example, RFC2255 doesn't say much about it (e.g. no mention of
> ampersand or pipe characters).
>
>> ... that will handle both branches of your search. One possible solution
>> would be to use entryDN in the filter:
>
> authz-regexp
> uid=([^,]*),cn=example.com,cn=gssapi,cn=auth
> ldap:///dc=example,dc=com??sub?
> (&(|(entryDN:dnSubtree:=ou=eng,dc=example,dc=com)
> (entryDN:dnSubtree:=ou=bio,dc=example,dc=com))
> (uid=$1)(objectclass=person))
>
> Unfortunately, this doesn't work at all. Using ldapwhoami I now get:
>
> dn:uid=john,cn=example.com,cn=gssapi,cn=auth
> dn:uid=pete,cn=example.com,cn=gssapi,cn=auth
uid=([^,]*) looks strange to me. How about trying uid=([^,]+) instead?
Ciao, Michael.
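As an added illustration, not code from this thread or from OpenLDAP, the following simulates the authz-regexp step Howard describes: the first rule whose match portion fits the SASL DN wins, `$1` is substituted into the LDAP URL, and the URL's filter (the entryDN:dnSubtree form quoted above, with Michael's `[^,]+`) is evaluated against constructed entries. The mini filter parser, the matcher and the directory entries are assumptions made for the demo.

```python
import re
# Constructed, not OpenLDAP code: the thread's rule as (match regex, LDAP URL).
RULES = [(
    r"uid=([^,]+),cn=example.com,cn=gssapi,cn=auth",
    "ldap:///dc=example,dc=com??sub?"
    "(&(|(entryDN:dnSubtree:=ou=eng,dc=example,dc=com)"
    "(entryDN:dnSubtree:=ou=bio,dc=example,dc=com))"
    "(uid=$1)(objectclass=person))",
)]
# Constructed directory content: one person per branch plus one outside both.
ENTRIES = [
    {"dn": "uid=john,ou=eng,dc=example,dc=com", "uid": "john", "objectclass": "person"},
    {"dn": "uid=pete,ou=bio,dc=example,dc=com", "uid": "pete", "objectclass": "person"},
    {"dn": "uid=pete,ou=ext,dc=example,dc=com", "uid": "pete", "objectclass": "person"},
]

def rewrite(sasl_dn, rules=RULES):
    """Map a SASL DN to an LDAP URL; None when no rule matches (DN kept as-is)."""
    for pattern, url in rules:  # first matching rule wins; later ones never run
        m = re.search(pattern, sasl_dn)  # unanchored, like POSIX regexec
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), url)

def parse_filter(s, i=0):
    """Tiny RFC 4515 subset: (&...), (|...), (attr=val), (attr:rule:=val)."""
    i += 1  # skip '('
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = parse_filter(s, i)
            kids.append(kid)
        return (op, kids), i + 1  # skip ')'
    j = s.index(")", i)
    attr, val = s[i:j].split("=", 1)
    return ("=", attr.lower(), val.lower()), j + 1

def matches(node, entry):
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(k, entry) for k in node[1])
    _, attr, val = node
    if attr == "entrydn:dnsubtree:":  # entry at or below the given DN
        return ("," + entry["dn"].lower()).endswith("," + val)
    return entry.get(attr, "").lower() == val

def authorize(sasl_dn, entries=ENTRIES):
    """DNs the rewritten URL's filter selects; slapd needs exactly one."""
    url = rewrite(sasl_dn)
    if url is None:
        return [sasl_dn]
    flt = url.split("?", 3)[3]  # ldap:///base?attrs?scope?filter
    return [e["dn"] for e in entries if matches(parse_filter(flt)[0], e)]
```

With two rules sharing the same match portion, `rewrite` only ever returns the first one's URL, which is the duplicate problem Howard points out.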