[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: saslAuthz failing to compare

To: Pierangelo Masarati <ando@sys-net.it>
Subject: Re: saslAuthz failing to *compare*
From: Edward Rudd <eddie@omegaware.com>
Date: Sat, 06 Mar 2004 10:33:01 -0600
Cc: OpenLDAP <openldap-software@OpenLDAP.org>
In-reply-to: <4049957B.5070006@sys-net.it>
Organization: Omegaware Systems Ltd.
References: <1078560813.22580.126.camel@urkle.vernon.hills> <4049957B.5070006@sys-net.it>

Thank you very much.. That fixed it (adding dc= before the .*).
I have been planning on upgrading to a newer release, but right now my
SASL auth with the ldapauxprop plugin *works* and I don't want to make
too many changes and break things. I will be working on upgrading it all
on my devel system soon..
On Sat, 2004-03-06 at 03:10, Pierangelo Masarati wrote:
> Edward Rudd wrote:
> > I running OpenLDAP 2.1.22 and setting up, well modifying my SASL proxy
> > Auth setup
> > I had a saslAuthzto entry of 'uid=.*,ou=People,o=MyOrg,c=US' and that
> > works, but now I'm restructuring things in my LDAP and needing a
> > saslAuthzTo entry of this 'uid=.*,ou=Users,.*,ou=Domains,o=MyOrg,c=US'
> > And that refuses to match...
> > the user DN is now like this.
> > 'uid=test@nowhere.org,ou=Users,dc=nowhere,dc=org,ou=Domains,o=MyOrg,c=US'
> > Which should match (and does match with every other Regex engine, and in
> > the ACL tables them selves).
> > Any ideas? Have I found a bug?
> 
> You're kind of hitting a (well known) bug, i.e. the value
> of saslAuthz{To|From} attributes is DN-normalized even if
> it might be a regex; in detail, while
> 
> 	uid=.*,ou=People,o=MyOrg,c=US
> 
> passes a DN-normalization, because each RDN is well defined,
> 
> 	uid=.*,ou=Users,.*,ou=Domains,o=MyOrg,c=US
> 
> doesn't because the third AVA from the left, ".*", is not
> a legal AVA (there is no "attributeType" "=", only a value
> of ".*".  This is fixed in subsequent 2.1/2.2 releases.
> Note that in 2.2 all these ambiguous identity definitions
> can be avoided by forcing the right interpretation.  In your
> case, you can use:
> 
> saslAuthzTo: dn.regex:uid=.*,ou=Users,.*,ou=Domains,o=MyOrg,c=US
> 
> un general, it is good practice to prefi "dn:" or "u:" to
> indicate if the identity is a DN or a userid; DNs allow
> the modifiers "exact", "chidren", "subtree" and "regex".
> 
> I suggest you upgrade; a workaround could be to use
> 
> uid=.*,ou=Users,ou=.*,ou=Domains,o=MyOrg,c=US
> 
>                  ^^^
> note the "attributeType" "=" added; of course, you need
> to add as many cases as are the expected attribute types.
> 
> p.
-- 
Edward Rudd <eddie@omegaware.com>
Website http://outoforder.cc/

References:
- saslAuthz failing to *compare*
  - From: Edward Rudd <eddie@omegaware.com>
- Re: saslAuthz failing to *compare*
  - From: Pierangelo Masarati <ando@sys-net.it>

Prev by Date: Re: Applications, authentication, and hashing methods..
Next by Date: Re: Max number of slurpds?
Index(es):
- Chronological
- Thread

Re: saslAuthz failing to *compare*

Re: saslAuthz failing to compare