
SASL (ITS#1079)



Full_Name: Jim Campbell
Version: 2.0.7
OS: Solaris 2.6/8
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (147.188.40.2)


What is the meaning of acl "self" when using SASL authorisation?
The matching rule seems to be trying UID={sasl id}+REALM={realm}!!
but shouldn't this be the uid DN?
=> acl_mask: access to entry "uid=samba,ou=People,dc=NP,dc=PH,dc=BHAM,dc=AC,dc=UK", attr "userPassword" requested
=> acl_mask: to value by "UID=UID=SAMBA,OU=PEOPLE,DC=NP,DC=PH,DC=BHAM,DC=AC,DC=UK+REALM=NPSMX", (=n)
<= check a_dn_pat: cn=admin,dc=NP,dc=PH,dc=BHAM,dc=AC,dc=UK
=> string_expand: pattern:  cn=admin,dc=NP,dc=PH,dc=BHAM,dc=AC,dc=UK
=> string_expand: expanded: cn=admin,dc=NP,dc=PH,dc=BHAM,dc=AC,dc=UK
=> regex_matches: string:  UID=UID=SAMBA,OU=PEOPLE,DC=NP,DC=PH,DC=BHAM,DC=AC,DC=UK+REALM=NPSMX
=> regex_matches: rc: 1 no matches
<= check a_dn_pat: cn=proxyagent,ou=profile,dc=NP,dc=PH,dc=BHAM,dc=AC,dc=UK
=> string_expand: pattern:  cn=proxyagent,ou=profile,dc=NP,dc=PH,dc=BHAM,dc=AC,dc=UK
=> string_expand: expanded: cn=proxyagent,ou=profile,dc=NP,dc=PH,dc=BHAM,dc=AC,dc=UK
=> regex_matches: string:  UID=UID=SAMBA,OU=PEOPLE,DC=NP,DC=PH,DC=BHAM,DC=AC,DC=UK+REALM=NPSMX
=> regex_matches: rc: 1 no matches
<= check a_dn_pat: self
<= check a_dn_pat: anonymous
<= check a_dn_pat: *

(Note that here, because of vagaries of Solaris 8 CRAM-MD5, the SASL userid
 is the DN "uid=samba,ou=People,dc=NP,dc=PH,dc=BHAM,dc=AC,dc=UK" and I
 have modified the code to allow this:
*** sasl.c      Thu Mar  1 16:48:43 2001
--- sasl.c.orig Thu Mar  1 16:47:10 2001
***************
*** 465,472 ****
                                        0, 0, 0);
  
                        } else if ( username[0] == 'u' && username[1] == ':'
!                               && username[2] != '\0')
!                         /*                            && strpbrk(
&username[2], "+=,;\"\\ \t") == NULL )*/
                        {
                                *edn = ch_malloc( sizeof( "uid= + realm=" )
                                        + strlen( &username[2] )
--- 465,472 ----
                                        0, 0, 0);
  
                        } else if ( username[0] == 'u' && username[1] == ':'
!                               && username[2] != '\0'
!                               && strpbrk( &username[2], "+=,;\"\\ \t") == NULL
)
                        {
                                *edn = ch_malloc( sizeof( "uid= + realm=" )
                                        + strlen( &username[2] )
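Review bot: commenting out the strpbrk() guard in the `username[0] == 'u' && username[1] == ':'` branch (the two `!` lines, `&& username[2] != '\0')` and the now-commented `&& strpbrk( &username[2], "+=,;\"\\ \t") == NULL )`) removes the only check that keeps DN metacharacters out of the u: name before it is pasted verbatim into the "uid=<name> + realm=<realm>" string two lines below. That is exactly why the ACL trace above evaluates the bind identity as UID=UID=SAMBA,OU=PEOPLE,DC=NP,DC=PH,DC=BHAM,DC=AC,DC=UK+REALM=NPSMX instead of the entry's own DN, so "self" can never match, and it also means a client that chooses its own authzid now chooses the DN that ACLs are checked against. If the Solaris client presents the user's DN as the SASL identity, the fix is to route it through the dn: authzId form that RFC 2829 defines (or prefix it with "dn:" before this branch), not to disable the validation. Also note the diff is reversed: the modified sasl.c is on the *** side and sasl.c.orig on the --- side, so it has to be applied with patch -R.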

as RFC 2829 says authzId = dnAuthzId / uAuthzId.)

cheers
Jim
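The following is an added illustration of the mapping the report is about, written for this page; it is not OpenLDAP's sasl.c. It maps the two RFC 2829 authzId forms to the DN that slapd's ACL engine compares against "self", once with the original strpbrk() guard and once with the guard disabled as in the posted patch, and then shows which of the resulting DNs can ever satisfy "self" for the entry in the trace. Assumptions: the realm value NPSMX and the entry DN are taken from the trace, the "uid=<name>+realm=<realm>" shape is reconstructed from the trace rather than from the real source, and a case-insensitive string compare stands in for slapd's DN normalisation.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The entry DN from the ACL trace in the report. */
static const char ENTRY_DN[] =
    "uid=samba,ou=People,dc=NP,dc=PH,dc=BHAM,dc=AC,dc=UK";

/* DN syntax characters the original slapd guard refuses inside a u: name
 * (the same set the strpbrk() call in the patch tests for). */
static const char DN_META[] = "+=,;\"\\ \t";

static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

/* Map an RFC 2829 authzId ("dn:<dn>" or "u:<name>") to the DN that the ACL
 * engine will compare against "self", "by dn=..." and friends.
 *   realm  - the SASL realm the server appends to u: names (assumed input)
 *   strict - 1 keeps the strpbrk() guard (original code), 0 models the
 *            posted patch, where the guard is commented out
 * Returns a malloc'd DN, or NULL when the authzId is rejected/unrecognised. */
char *authzid_to_dn(const char *authzid, const char *realm, int strict)
{
    if (strncmp(authzid, "dn:", 3) == 0 && authzid[3] != '\0') {
        /* dnAuthzId: the client named the entry directly, use it as-is. */
        return dup_str(authzid + 3);
    }
    if (authzid[0] == 'u' && authzid[1] == ':' && authzid[2] != '\0') {
        /* uAuthzId: the server synthesises uid=<name>+realm=<realm>. */
        const char *name = authzid + 2;
        if (strict && strpbrk(name, DN_META) != NULL)
            return NULL; /* name would be parsed as DN structure: refuse it */
        size_t len = sizeof("uid=+realm=") + strlen(name) + strlen(realm);
        char *dn = malloc(len);
        if (dn == NULL)
            return NULL;
        snprintf(dn, len, "uid=%s+realm=%s", name, realm);
        return dn;
    }
    return NULL;
}

/* "self" in a slapd ACL means: the bound DN is the DN of the entry being
 * accessed. Real slapd compares normalised DNs (the upper-cased form in the
 * trace); a case-insensitive compare is enough to show the effect here. */
int acl_self_matches(const char *entry_dn, const char *bind_dn)
{
    if (bind_dn == NULL)
        return 0;
    for (; *entry_dn != '\0' && *bind_dn != '\0'; entry_dn++, bind_dn++) {
        if (tolower((unsigned char)*entry_dn) != tolower((unsigned char)*bind_dn))
            return 0;
    }
    return *entry_dn == '\0' && *bind_dn == '\0';
}

static void show(const char *label, const char *authzid, int strict)
{
    char *dn = authzid_to_dn(authzid, "NPSMX", strict);
    printf("%-24s %-72s self=%s\n", label, dn ? dn : "(rejected)",
           acl_self_matches(ENTRY_DN, dn) ? "match" : "no match");
    free(dn);
}

int main(void)
{
    char dn_form[sizeof("dn:") + sizeof(ENTRY_DN)];
    char u_form[sizeof("u:") + sizeof(ENTRY_DN)];
    snprintf(dn_form, sizeof dn_form, "dn:%s", ENTRY_DN);
    snprintf(u_form, sizeof u_form, "u:%s", ENTRY_DN);

    show("u:samba (strict)", "u:samba", 1);     /* plain uid, realm appended */
    show("u:<entry DN> (strict)", u_form, 1);   /* refused by the guard */
    show("u:<entry DN> (patched)", u_form, 0);  /* the nested DN seen in the trace */
    show("dn:<entry DN>", dn_form, 1);          /* RFC 2829 dn: form, self matches */
    return 0;
}
```

Running it shows that neither u: form can satisfy "self" for the entry: with the guard, the DN-shaped name is refused; without it, the result is uid=uid=samba,...+realm=NPSMX, which is the value in the trace and is not the entry DN. Only the dn: form yields a DN equal to the entry's own, which is what "self" tests for.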