[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: multiple sasl-regexp lines not supported (ITS#1968)

To: openldap-its@OpenLDAP.org
Subject: RE: multiple sasl-regexp lines not supported (ITS#1968)
From: hyc@highlandsun.com
Date: Thu, 18 Jul 2002 02:17:06 GMT

You misunderstand, multiple regexp lines are supported but the pattern must
be unique for each one. They are processed in order and the first matching
pattern is used. Since you have two lines with identical match expressions,
the second one will never be invoked. To get what you want, you need to
combine your two expressions into a single one, using a compound search
filter
like (|(krb5PrincipalName=$1@$2)(suKrb5name=$1@$2))


  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: owner-openldap-bugs@OpenLDAP.org
> [mailto:owner-openldap-bugs@OpenLDAP.org]On Behalf Of
> quanah@stanford.edu
> Sent: Wednesday, July 17, 2002 11:00 AM
> To: openldap-its@OpenLDAP.org
> Subject: multiple sasl-regexp lines not supported (ITS#1968)
>
>
> Full_Name: Quanah Gibson-Mount
> Version: 2.1.3
> OS: Solaris 8
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (171.64.13.58)
>
>
> According to the man page for slapd.conf, one should be able to
> have multiple
> sasl-regexp directives.  However, slapd ignores any directives
> past the first
> one.
>
> For example, in my slapd.conf, I have:
> sasl-regexp uid=(.*),cn=(.*),cn=gssapi,cn=auth
> ldaps:///cn=People,dc=stanford,dc=edu??sub?(krb5PrincipalName=$1@$2)
> sasl-regexp uid=(.*),cn=(.*),cn=gssapi,cn=auth
> ldaps:///cn=People,dc=stanford,dc=edu??sub?(suKrb5name=$1@$2)
>
> When I do an ldapsearch, I authenticate in as:
> uid=quanah,cn=stanford.edu,cn=gssapi,cn=auth
>
> In my record, the attributes are defined as:
>
> krb5PrincipalName=quanah/root@stanford.edu
> suKrb5name=quanah@stanford.edu
>
> With the ldapsearch, it tries to do find a matching
> krb5PrincipalName, which
> fails.  It never attempts to resolve suKrb5name to see if that is
> a valid bind.
> If I comment out the first sasl-regexp line, it correctly finds
> the matching
> suKrb5name attribute, and then correctly authenticates me to my
> correct bind
> DN.
>
> --Quanah

Prev by Date: slapd seg faults on not finding krb5.conf (ITS#1967)
Next by Date: RE: slapd seg faults on not finding krb5.conf (ITS#1967)
Index(es):
- Chronological
- Thread