Re: (ITS#3962) using slapd.d makes tls certificates not work??
pfnguyen@best.com wrote:
># typically, this rule should only be used by Heimdal kerberos
>authz-regexp
> uidNumber=0\\\+gidNumber=.*,cn=peercred,cn=external,cn=auth
> "uid=Local Admin,ou=Services,dc=HanHuy,dc=com"
>authz-regexp
> gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth
> "uid=Local Admin,ou=Services,dc=HanHuy,dc=com"
>
># map all other local users to their respective ldap entries
>authz-regexp
> uidNumber=(.*)\\\+gidNumber=.*,cn=peercred,cn=external,cn=auth
> ldap:///ou=People,dc=HanHuy,dc=com??one?(&(uidNumber=$1)(objectClass=posixAccount))
>
>
I don't know if this is part of the problem, but since OpenLDAP 2.3.5
the normalization of the DN representation of the EXTERNAL SASL identity
generated by LDAPI is
"gidNumber=<gid>+uidNumber=<uid>,cn=peercred,cn=external,cn=auth", as
per ITS#3876; in fact, when normalizing RDNs, slapd sorts the AVAs using
lexicographical ordering on the attributeDescription, so gidNumber comes
before uidNumber, while slapd code was erroneously generating that DN
directly in normalized form as "uidNumber=<uid>+gidNumber=<gid>,..."
creating a lot of confusion. This fix already made it into slapd some time
ago, but later on it was backed out by mistake. As such, I guess your
authz-regexp #0 and #2 will not match any longer, while authz-regexp #1
looks fine...
p.
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
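To make the ordering point concrete, here is an added Python example (not code from the thread or from OpenLDAP) that builds the LDAPI peercred authz DN in both the old and the normalized form, runs the three quoted authz-regexp rules against each, and then shows a gidNumber-first rewrite of the rules that matches the normalized form. It assumes slapd compiles the patterns as unanchored, case-insensitive POSIX extended regexes and sorts the RDN's AVAs by lowercased attribute type; the "\\\+" escaping from the config is collapsed to the single "\+" the regex engine sees, which is also an assumption. The FIXED_RULES are this example's suggestion, not anything the original poster or slapd ships.

```python
import re

# Assumption (not from the thread): slapd compiles authz-regexp patterns as
# POSIX extended regexes, case-insensitively, and does not anchor them, so
# re.search with IGNORECASE is the closest Python equivalent.
_RE_FLAGS = re.IGNORECASE


def peercred_authz_dn(uid, gid, normalized=True):
    """Build the SASL EXTERNAL authorization DN slapd derives from LDAPI
    peer credentials (uid/gid of the connecting process).

    normalized=True gives the form slapd has used since 2.3.5 (ITS#3876):
    the AVAs of the multi-valued RDN are sorted by attribute description,
    so gidNumber precedes uidNumber.  normalized=False gives the older,
    un-normalized form the quoted rules were written against.
    """
    avas = [("uidNumber", str(uid)), ("gidNumber", str(gid))]
    if normalized:
        # Assumption: the sort key is the lowercased attribute type; that
        # is enough to reproduce "gidNumber=...+uidNumber=...".
        avas.sort(key=lambda ava: ava[0].lower())
    rdn = "+".join(f"{attr}={val}" for attr, val in avas)
    return f"{rdn},cn=peercred,cn=external,cn=auth"


# The three rules from the quoted configuration, as (pattern, replacement).
# The config file escapes the literal "+" as "\\\+"; here it is written as
# the single "\+" the regex engine ends up with (assumption about how the
# config-file escaping collapses).
QUOTED_RULES = [
    (r"uidNumber=0\+gidNumber=.*,cn=peercred,cn=external,cn=auth",
     "uid=Local Admin,ou=Services,dc=HanHuy,dc=com"),
    (r"gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth",
     "uid=Local Admin,ou=Services,dc=HanHuy,dc=com"),
    (r"uidNumber=(.*)\+gidNumber=.*,cn=peercred,cn=external,cn=auth",
     "ldap:///ou=People,dc=HanHuy,dc=com??one?"
     "(&(uidNumber=$1)(objectClass=posixAccount))"),
]

# Suggested rewrite (this example's own suggestion, not from the thread):
# the same intent expressed against the normalized gidNumber-first order.
# "[^,]+" stops the capture at the end of the RDN.
FIXED_RULES = [
    (r"gidNumber=.*\+uidNumber=0,cn=peercred,cn=external,cn=auth",
     "uid=Local Admin,ou=Services,dc=HanHuy,dc=com"),
    (r"gidNumber=.*\+uidNumber=([^,]+),cn=peercred,cn=external,cn=auth",
     "ldap:///ou=People,dc=HanHuy,dc=com??one?"
     "(&(uidNumber=$1)(objectClass=posixAccount))"),
]


def apply_authz_regexp(authz_dn, rules):
    """Return (rule_index, mapped_identity) for the first rule whose pattern
    matches authz_dn, with $1..$9 replaced by the capture groups as slapd
    does; (None, None) if no rule matches (the identity then stays as the
    unmapped cn=auth DN, which corresponds to no entry in the directory)."""
    for index, (pattern, replacement) in enumerate(rules):
        match = re.search(pattern, authz_dn, _RE_FLAGS)
        if match is None:
            continue
        mapped = replacement
        for n, group in enumerate(match.groups(), start=1):
            mapped = mapped.replace(f"${n}", group)
        return index, mapped
    return None, None


if __name__ == "__main__":
    # Constructed sample credentials: root (0/0) and an ordinary local user.
    for uid, gid in ((0, 0), (1000, 1000)):
        for normalized in (False, True):
            dn = peercred_authz_dn(uid, gid, normalized)
            print(f"{'normalized' if normalized else 'old form  '} {dn}")
            print("   quoted rules ->", apply_authz_regexp(dn, QUOTED_RULES))
            print("   fixed rules  ->", apply_authz_regexp(dn, FIXED_RULES))
```

Running it shows the outcome described in the reply: against the normalized DN only the quoted rule #1 still matches (so root with gid 0 is still mapped, but root with any other gid and every ordinary user fall through to the unmapped cn=auth identity), while the rewritten rules map the same cases the original three were meant to cover.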