[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: saslAuthzTo check returning 48 SASL [conn=154] Failure: not authorized

To: <oneoutof100@hotmail.com>
Subject: Re: saslAuthzTo check returning 48 SASL [conn=154] Failure: not authorized
From: "Pierangelo Masarati" <ando@sys-net.it>
Date: Tue, 4 May 2004 23:12:46 +0200 (CEST)
Cc: <OpenLDAP-software@OpenLDAP.org>
Importance: Normal
In-reply-to: <BAY18-F115y3GwJKMb300008aac@hotmail.com>
References: <BAY18-F115y3GwJKMb300008aac@hotmail.com>

> Thanks for your input.  I compiled and installed openldap-2.1.30 and
> changed  the uid admin from saslAuthzTo:
> dn.regex:uid=.*,ou=people,dc=cpc to
> ldap:///ou=people,dc=cpc??sub?(objectclass=Person) (as in doco
> http://www.billy.demon.nl/ ) and it works.  To be honest I didn't/don't
> really understand how it works and why it wasn't working from the
> replies  below but I am happy anyway.

I'm afraid this is exploiting a "feature" of authz code that is going to
change in future (2.2, at least) releases.  For those who are going to use
2.2 I strongly suggest the dn.regex style syntax is used to avoid later
problems.  The code as is in 2.1 and early 2.2 allows ldap:// authz
strings to return multiple candidates, while, for consistency with
authz-regexp (formerly sasl-regexp) rules, the ldap:// form will be
required to match exactly one DN.

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it




    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497

References:
- Re: saslAuthzTo check returning 48 SASL [conn=154] Failure: not authorized
  - From: "Ben Booble" <oneoutof100@hotmail.com>

Prev by Date: Re: Slurpd timer question
Next by Date: Re: Fw: ldap_add: Operations error
Index(es):
- Chronological
- Thread