
ENC: RES: sasl proxy authorization and regexp



Hello!

I am using the 2.2.5 version. The log is below.

I modified my user Joao to the following:

dn: uid=joao,cn=Alunos,cn=CampusII,dc=ucb,dc=br
changetype: modify
replace: saslAuthzTo
saslAuthzTo: dn.regex:uid=.*,cn=Alunos,ou=CampusI,dc=ucb,dc=br

I am trying to execute the command:

ldapadd -f ./ucb3.ldif -U joao@ares.cesmic.ucb.br -X "dn:uid=fgoulart,cn=Alunos,ou=CampusI,dc=ucb,dc=br" -Y DIGEST-MD5

And the error is:

SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Insufficient access (50)
        additional info: SASL(-14): authorization failure: not authorized

I have the ACL "access to * by dn.base="uid=fgoulart,cn=Alunos,ou=CampusI,dc=ucb,dc=br" write" in my slapd.conf.

Thanks a lot,
Raissa

-------------------------------

<<< dnPrettyNormal: <>, <>
do_sasl_bind: dn () mech DIGEST-MD5
==> sasl_bind: dn="" mech=<continuing> datalen=359
SASL [conn=0] Debug: DIGEST-MD5 server step 2
SASL Canonicalize [conn=0]: authcid="joao@ares.cesmic.ucb.br"
slap_sasl_getdn: id=joao@ares.cesmic.ucb.br [len=23]
getdn: u:id converted to uid=joao,cn=ares.cesmic.ucb.br,cn=DIGEST-MD5,cn=auth
>>> dnNormalize: <uid=joao,cn=ares.cesmic.ucb.br,cn=DIGEST-MD5,cn=auth>
=> ldap_bv2dn(uid=joao,cn=ares.cesmic.ucb.br,cn=DIGEST-MD5,cn=auth,0)
<= ldap_bv2dn(uid=joao,cn=ares.cesmic.ucb.br,cn=DIGEST-MD5,cn=auth,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=joao,cn=ares.cesmic.ucb.br,cn=digest-md5,cn=auth,272)=0
<<< dnNormalize: <uid=joao,cn=ares.cesmic.ucb.br,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=joao,cn=ares.cesmic.ucb.br,cn=digest-md5,cn=auth to a DN
slap_sasl_regexp: converting SASL name uid=joao,cn=ares.cesmic.ucb.br,cn=digest-md5,cn=auth
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL Canonicalize [conn=0]: authcDN="uid=joao,cn=ares.cesmic.ucb.br,cn=digest-md5,cn=auth"
SASL Canonicalize [conn=0]: authzid="dn:uid=fgoulart,cn=Alunos,ou=CampusI,dc=ucb,dc=br"
slap_sasl_getdn: id=dn:uid=fgoulart,cn=Alunos,ou=CampusI,dc=ucb,dc=br [len=49]
>>> dnNormalize: <uid=fgoulart,cn=Alunos,ou=CampusI,dc=ucb,dc=br>
=> ldap_bv2dn(uid=fgoulart,cn=Alunos,ou=CampusI,dc=ucb,dc=br,0)
<= ldap_bv2dn(uid=fgoulart,cn=Alunos,ou=CampusI,dc=ucb,dc=br,0)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=fgoulart,cn=alunos,ou=campusi,dc=ucb,dc=br,272)=0
<<< dnNormalize: <uid=fgoulart,cn=alunos,ou=campusi,dc=ucb,dc=br>
==>slap_sasl2dn: converting SASL name uid=fgoulart,cn=alunos,ou=campusi,dc=ucb,dc=br to a DN
slap_sasl_regexp: converting SASL name uid=fgoulart,cn=alunos,ou=campusi,dc=ucb,dc=br
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL Canonicalize [conn=0]: authzDN="uid=fgoulart,cn=alunos,ou=campusi,dc=ucb,dc=br"
SASL Authorize [conn=0]: authcid="joao@ares.cesmic.ucb.br" authzid="dn:uid=fgoulart,cn=Alunos,ou=CampusI,dc=ucb,dc=br"
==>slap_sasl_authorized: can uid=joao,cn=ares.cesmic.ucb.br,cn=digest-md5,cn=auth become uid=fgoulart,cn=alunos,ou=campusi,dc=ucb,dc=br?
==>slap_sasl_check_authz: does uid=fgoulart,cn=alunos,ou=campusi,dc=ucb,dc=br match saslAuthzTo rule in uid=joao,cn=ares.cesmic.ucb.br,cn=digest-md5,cn=auth?
<==slap_sasl_check_authz: saslAuthzTo check returning 32
<== slap_sasl_authorized: return 48
SASL Authorize [conn=0]:  authorization disallowed (48)
SASL [conn=0] Failure: not authorized
send_ldap_result: conn=0 op=1 p=3
send_ldap_result: err=50 matched="" text="SASL(-14): authorization failure: not authorized"
send_ldap_response: msgid=2 tag=97 err=50
ber_flush: 62 bytes to sd 10
  0000:  30 3c 02 01 02 61 37 0a  01 32 04 00 04 30 53 41   0<...a7..2...0SA
  0010:  53 4c 28 2d 31 34 29 3a  20 61 75 74 68 6f 72 69   SL(-14): authori
  0020:  7a 61 74 69 6f 6e 20 66  61 69 6c 75 72 65 3a 20   zation failure:
  0030:  6e 6f 74 20 61 75 74 68  6f 72 69 7a 65 64         not authorized
ldap_write: want=62, written=62
  0000:  30 3c 02 01 02 61 37 0a  01 32 04 00 04 30 53 41   0<...a7..2...0SA
  0010:  53 4c 28 2d 31 34 29 3a  20 61 75 74 68 6f 72 69   SL(-14): authori
  0020:  7a 61 74 69 6f 6e 20 66  61 69 6c 75 72 65 3a 20   zation failure:
  0030:  6e 6f 74 20 61 75 74 68  6f 72 69 7a 65 64         not authorized
<== slap_sasl_bind: rc=50
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 10r
daemon: read activity on 10
connection_get(10)
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next
ldap_read: want=8, got=0
 
ber_get_next on fd 10 failed errno=0 (Success)
connection_read(10): input error=-2 id=0, closing.
connection_closing: readying conn=0 sd=10 for close
connection_close: conn=0 sd=10
daemon: removing 10
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: select: listen=6 active_threads=0 tvp=NULL
 



-----Original Message-----
From: Pierangelo Masarati [mailto:ando@sys-net.it]
Sent: Fri 26/3/2004 11:38
To: Raissa Dantas Freire de Medeiros
Cc: openldap-software@openldap.org
Subject: Re: RES: sasl proxy authorization and regexp
 
What version of OpenLDAP are you using? I recall there was some work on
the topic, recently, because in 2.1 (and early 2.2) for structural reasons
implicit regex could not work; note that 2.1 does not support explicit
regex.  Can you produce a detailed log of the authz failed attempt?

p.

PS: please do not respond personally (even if my reply was inappropriate:
if you could do authz with exact DN, of course sasl-authz-policy had to be
set appropriately ;)

> Yes, I've already put "sasl-authz-policy to" in slapd.conf, but no
> success.
>
> Raissa
>
>
> -----Original Message-----
> From: Pierangelo Masarati [mailto:ando@sys-net.it]
> Sent: Fri 26/3/2004 11:04
> To: Raissa Dantas Freire de Medeiros
> Cc: openldap-software@OpenLDAP.org
> Subject: Re: sasl proxy authorization and regexp
>
> see "sasl-authz-policy" in slapd.conf(5) to enable sasl authz.
>
> p.
>
>> Hello!
>>
>> I'm trying to configure SASL proxy authorization in my distributed
>> directory.
>>
>> I added the user uid=joao,cn=campusII,dc=ucb,dc=br in SASL database
>> (joao@ares.cesmic.ucb.br) and in OpenLDAP tree. In OpenLDAP entry, I
>> added the saslAuthzTo attribute as below:
>>
>> dn: uid=joao,cn=CampusII,dc=ucb,dc=br
>> changetype: modify
>> add: saslAuthzTo
>> saslAuthzTo: dn.regex:uid=.*,cn=CampusII,dc=ucb,dc=br
>>
>> The ACLs allow read/write for everybody.
>>
>> However, this regexp does not work. If I put
>>
>> dn: uid=joao,cn=CampusII,dc=ucb,dc=br
>> changetype: modify
>> add: saslAuthzTo
>> saslAuthzTo: dn.regex:uid=fgoulart,cn=CampusII,dc=ucb,dc=br
>>
>> the user Joao authorizes the user fgoulart. But when I try to use the
>> regexp, joao does not authorize fgoulart.
>>
>> Could anybody help me, please?
>>
>> Thanks in advance,
>> Raissa
>
>
> --
> Pierangelo Masarati
> mailto:pierangelo.masarati@sys-net.it


-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
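
As an added illustration (not code from this thread or from OpenLDAP), the decision recorded in the debug log above can be modelled: slapd looks for the saslAuthzTo rule in the entry named by the authenticated DN, which in the log is still the cn=auth pseudo-DN (so the check returns 32, LDAP_NO_SUCH_OBJECT, and the bind fails with 48/50), while a dn.regex rule is matched against the normalized authorization DN. The directory entries, the lower-casing normalization and the sasl-regexp-style mapping from the cn=auth name to the real entry are constructed assumptions for the model.

```python
import re

LDAP_NO_SUCH_OBJECT = 32      # code slap_sasl_check_authz returned in the log
LDAP_INAPPROPRIATE_AUTH = 48  # code slap_sasl_authorized returned in the log

# Constructed directory: only the real entry carries the rule from the post.
DIRECTORY = {
    "uid=joao,cn=alunos,cn=campusii,dc=ucb,dc=br": {
        "saslAuthzTo": ["dn.regex:uid=.*,cn=Alunos,ou=CampusI,dc=ucb,dc=br"],
    },
    "uid=fgoulart,cn=alunos,ou=campusi,dc=ucb,dc=br": {},
}

# Constructed sasl-regexp style mapping (assumption): rewrite the cn=auth
# pseudo-DN slapd builds from the SASL authcid into the real entry's DN.
AUTHC_MAP = (
    re.compile(r"^uid=([^,]+),cn=ares\.cesmic\.ucb\.br,cn=digest-md5,cn=auth$", re.I),
    r"uid=\1,cn=Alunos,cn=CampusII,dc=ucb,dc=br",
)


def normalize(dn):
    """Simplified stand-in for dnNormalize: trim around commas, lower-case."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def map_authc_dn(authc_dn):
    """Apply the mapping; an unmapped name stays a cn=auth pseudo-DN, as in the log."""
    pat, repl = AUTHC_MAP
    return pat.sub(repl, authc_dn) if pat.match(authc_dn) else authc_dn


def check_authz(authc_dn, authz_dn, mapping=True):
    """Model of the saslAuthzTo check: 0 if allowed, else an LDAP result code."""
    rule_holder = normalize(map_authc_dn(authc_dn) if mapping else authc_dn)
    entry = DIRECTORY.get(rule_holder)
    if entry is None:
        return LDAP_NO_SUCH_OBJECT  # rule looked up in an entry that does not exist
    target = normalize(authz_dn)
    for rule in entry.get("saslAuthzTo", []):
        if rule.startswith("dn.regex:"):
            if re.fullmatch(rule[len("dn.regex:"):], target, re.I):
                return 0
        elif rule.startswith(("dn.exact:", "dn:")):
            if normalize(rule.split(":", 1)[1]) == target:
                return 0
    return LDAP_INAPPROPRIATE_AUTH
```

With `mapping=False` the model reproduces the log (rule holder is the cn=auth pseudo-DN, result 32); with the mapping applied the same regex rule admits fgoulart.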