
Re: authz-regexp trouble, help!



On 12/14/12 03:26 +0400, ÐÐÑÐÐÐÐ ÐÐÐÐÑÑÐÐ wrote:
> Hi,
>
> I have the following directive in the slapd.conf:
>
>
> authz-regexp
>     gidNumber=([^0][0-9]+).uidNumber=([^0][0-9]+),cn=peercred,cn=external,cn=auth
>     ldapi:///ou=people,dc=local???(uidNumber=$2)

See slapd.conf(5).

'The protocol portion of the URI must be strictly ldap.'

You should replace your 'ldapi' with 'ldap'. The search is actually
internal anyway.

> but server is unable to fetch (slap_sasl2dn: Converted SASL name to <nothing>)
>
> here is trace output (slapd -d 2177 -h "ldapi:/// ldaps:/// ldap:///"):
>
> 50ca62b8 >>> dnPrettyNormal: <>
> 50ca62b8 <<< dnPrettyNormal: <>, <>
> 50ca62b8 do_bind: dn () SASL mech EXTERNAL
> 50ca62b8 ==>slap_sasl2dn: converting SASL name
> gidNumber=1000+uidNumber=1000,cn=peercred,cn=external,cn=auth to a DN
> 50ca62b8 ==> rewrite_context_apply [depth=1]
> string='gidNumber=1000+uidNumber=1000,cn=peercred,cn=external,cn=auth'
> 50ca62b8 ==> rewrite_rule_apply
> rule='gidNumber=([^0][0-9]+).uidNumber=([^0][0-9]+),cn=peercred,cn=external,cn=auth'
> string='gidNumber=1000+uidNumber=1000,cn=peercred,cn=external,cn=auth'
> [1 pass(es)]
> 50ca62b8 ==> rewrite_context_apply [depth=1]
> res={0,'ldapi:///ou=people,dc=local??sub?(uidNumber=1000)'}
> 50ca62b8 slap_parseURI: parsing
> ldapi:///ou=people,dc=local??sub?(uidNumber=1000)
> ldap_url_parse_ext(ldapi:///ou=people,dc=local??sub?(uidNumber=1000))
> 50ca62b8 <==slap_sasl2dn: Converted SASL name to <nothing>
> 50ca62b8 SASL Authorize [conn=1001]:  proxy authorization allowed authzDN=""
> 50ca62b8 send_ldap_sasl: err=0 len=-1
> 50ca62b8 do_bind: SASL/EXTERNAL bind:
> dn="gidNumber=1000+uidNumber=1000,cn=peercred,cn=external,cn=auth"
> sasl_ssf=0
> 50ca62b8 send_ldap_response: msgid=1 tag=97 err=0
>
> Direct sasl authz mapping works fine, but URI does not, what's wrong
> with this stuff?
>
> How can I check URI correctness for slapd or get tracing info from
> ldap_url_parse_ext/slap_sasl2dn about why they returned nothing?
>
> With which access rights does slapd do its internal query? How do I configure them?

Also addressed in the manpage:

'Note that this search is subject to access controls.  Specifically, the
authentication identity must have "auth" access in the subject.'

--
Dan White
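The two points raised in the reply (the URI scheme must be ldap, and the unmapped peercred identity needs "auth" access for the internal search), put together as a slapd.conf fragment. This is an added example, not configuration from the thread or from the OpenLDAP project; it assumes the original poster's suffix dc=local with people under ou=people, posixAccount entries carrying uidNumber, and a rootdn of cn=admin,dc=local (an assumption, the thread never names the rootdn). Two differences from the posted directive are deliberate: the regex is anchored, and [0-9]+ replaces [^0][0-9]+, which as written needs at least two characters and so never matches uid or gid values below 10. The literal plus sign in the peercred DN is written as the bracket expression [+] so it needs no backslash escaping inside a quoted config value.

```conf
# Added example, not from the thread. Maps the identity slapd builds for a
# SASL/EXTERNAL bind over ldapi:/// (gidNumber=G+uidNumber=U,cn=peercred,
# cn=external,cn=auth) onto the ou=people entry whose uidNumber equals U.
# Assumed: suffix dc=local, entries under ou=people with a uidNumber
# attribute, rootdn cn=admin,dc=local.

# uid 0 / gid 0 goes straight to the rootdn; no search needed.
authz-regexp
    "^gidNumber=0[+]uidNumber=0,cn=peercred,cn=external,cn=auth$"
    "cn=admin,dc=local"

# Everyone else is looked up by uidNumber. The scheme must be ldap even
# though the client connected over ldapi://: slapd runs this search
# internally and never opens a connection for it. $1 is the captured uid.
# ??sub? = no attribute list, subtree scope, then the filter.
authz-regexp
    "^gidNumber=[0-9]+[+]uidNumber=([0-9]+),cn=peercred,cn=external,cn=auth$"
    "ldap:///ou=people,dc=local??sub?(uidNumber=$1)"

# The internal search is performed as the still-unmapped peercred DN, so
# that DN needs "auth" access to the entries and to the attribute in the
# filter. Without it the search matches nothing and the bind keeps the
# cn=auth DN, exactly as in the posted trace. "break" lets later access
# rules keep applying to ou=people for ordinary operations.
access to dn.subtree="ou=people,dc=local" attrs=entry,uidNumber
    by dn.regex="^gidNumber=[0-9]+[+]uidNumber=[0-9]+,cn=peercred,cn=external,cn=auth$" auth
    by * none break
```

To check the result without reading a full debug trace, bind with the identity in question and ask slapd who it thinks you are: `ldapwhoami -Y EXTERNAL -H ldapi:///` prints `dn:` followed by the mapped DN when the rewrite and the search succeeded, and the raw gidNumber=...,cn=auth DN when they did not. The same `slapd -d 2177` trace the poster used then shows `slap_sasl2dn: Converted SASL name to <the mapped DN>` instead of `<nothing>`.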