
saslAuthzTo and regexp troubles



Hi,

after upgrading our openldap server to the most current version, I'm
having bad troubles with saslAuthzTo and regular expressions.

Previously the following attribute setting for saslAuthzTo was working:

saslAuthzTo: uid=.*,ou=MailCustomers,dc=bestsolution,dc=at

It essentially allows specific users to become any other MailCustomer.

Now slapd cannot deal with uid=.* any longer; here's what it says with
debugging enabled after an ldapwhoami:

---------CUT----------
==>slap_sasl_authorized: can
uid=dovecot,ou=systemusers,dc=bestsolution,dc=at become
uid=fred.flintstone,ou=mailcustomers,dc=bestsolution,dc=at?
==>slap_sasl_check_authz: does
uid=fred.flintstone,ou=mailcustomers,dc=bestsolution,dc=at match
saslAuthzTo rule in uid=dovecot,ou=systemusers,dc=bestsolution,dc=at?
=> bdb_entry_get: ndn:
"uid=dovecot,ou=systemusers,dc=bestsolution,dc=at"
=> bdb_entry_get: oc: "(null)", at: "saslAuthzTo"
bdb_dn2entry("uid=dovecot,ou=systemusers,dc=bestsolution,dc=at")
bdb_entry_get: rc=0

[...]

===>slap_sasl_match: comparing DN
uid=fred.flintstone,ou=mailcustomers,dc=bestsolution,dc=at to rule
uid=.*,ou=MailCustomers,dc=bestsolution,dc=at
slap_parseURI: parsing uid=.*,ou=MailCustomers,dc=bestsolution,dc=at
ldap_url_parse_ext(uid=.*,ou=MailCustomers,dc=bestsolution,dc=at)
>>> dnNormalize: <uid=.*,ou=MailCustomers,dc=bestsolution,dc=at>
=> ldap_bv2dn(uid=.*,ou=MailCustomers,dc=bestsolution,dc=at,0)
ldap_err2string
<= ldap_bv2dn(uid=.*,ou=MailCustomers,dc=bestsolution,dc=at)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(uid=.*,ou=mailcustomers,dc=bestsolution,dc=at)=0 Success
<<< dnNormalize: <uid=.*,ou=mailcustomers,dc=bestsolution,dc=at>
<===slap_sasl_match: comparison returned 48
<==slap_sasl_check_authz: saslAuthzTo check returning 48
<== slap_sasl_authorized: return 48
SASL Proxy Authorize [conn=60]: proxy authorization disallowed (48)
SASL [conn=60] Failure: not authorized
---------CUT----------

I also tried to change the value to

saslAuthzTo: dn.regexp: uid=.*,ou=MailCustomers,dc=bestsolution,dc=at

but that again failed:

---------CUT----------
bdb_dn2entry("uid=dovecot,ou=systemusers,dc=bestsolution,dc=at")
bdb_entry_get: rc=0

[...]

===>slap_sasl_match: comparing DN
uid=fred.flintstone,ou=mailcustomers,dc=bestsolution,dc=at to rule
dn.regexp:uid=.*,ou=MailCustomers,dc=bestsolution,dc=at
slap_parseURI: parsing
dn.regexp:uid=.*,ou=MailCustomers,dc=bestsolution,dc=at
<===slap_sasl_match: comparison returned 2
<==slap_sasl_check_authz: saslAuthzTo check returning 48
<== slap_sasl_authorized: return 48
SASL Proxy Authorize [conn=62]: proxy authorization disallowed (48)
SASL [conn=62] Failure: not authorized
---------CUT----------

It works if I drop the wildcard and specify the DN explicitly:

saslAuthzTo: uid=fred,ou=MailCustomers,dc=bestsolution,dc=at

So did something change, or am I wrong, or is this just an ordinary bad
Monday ...

Thanks in advance

Udo Rader

BestSolution.at GmbH
http://www.bestsolution.at

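The debug output above shows the two failure modes: the bare value is normalized and compared as a literal DN (result 48, inappropriate authentication), while the `dn.regexp:` form is rejected at parse time (result 2, protocol error) and so never matches. The following added example (not code from the thread or from OpenLDAP) models that saslAuthzTo evaluation in Python so the behaviour can be checked offline; it assumes the regex style is spelled `dn.regex:` as in slapd.conf(5), that the pattern is applied case-insensitively and unanchored like a POSIX regexec() call, and uses a simplified DN normalization.

```python
import re

# Result codes seen in the quoted slapd debug output.
LDAP_PROTOCOL_ERROR = 2        # rule could not be parsed
LDAP_INAPPROPRIATE_AUTH = 48   # rule parsed but did not permit the target


def normalize_dn(dn: str) -> str:
    """Simplified stand-in for slapd's dnNormalize: trim whitespace around RDN
    separators and lowercase, as the log shows (MailCustomers -> mailcustomers).
    Real normalization is per attribute syntax; this suffices for the thread's DNs."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def match_rule(rule: str, target_ndn: str) -> int:
    """Evaluate one saslAuthzTo value against a normalized target DN.
    A bare value is an exact DN; 'dn.regex:<pattern>' (style name assumed from
    slapd.conf(5)) is a regular expression; any other dn.<style>: is rejected."""
    m = re.match(r"dn(?:\.(\w+))?:(.*)", rule, re.IGNORECASE | re.DOTALL)
    if m is None:
        style, pattern = "exact", rule
    else:
        style, pattern = (m.group(1) or "exact").lower(), m.group(2)
    if style == "exact":
        ok = normalize_dn(pattern) == target_ndn
    elif style == "regex":
        # Assumed to mirror regexec(): case-insensitive and unanchored, so a
        # pattern without ^ and $ also matches any DN that merely contains it.
        ok = re.search(pattern, target_ndn, re.IGNORECASE) is not None
    else:
        return LDAP_PROTOCOL_ERROR   # e.g. the unsupported "regexp" style
    return 0 if ok else LDAP_INAPPROPRIATE_AUTH


def check_authz(rules, target_dn: str) -> int:
    """Return 0 if any rule lets the bound identity become target_dn, else 48."""
    ndn = normalize_dn(target_dn)
    return 0 if any(match_rule(r, ndn) == 0 for r in rules) else LDAP_INAPPROPRIATE_AUTH


if __name__ == "__main__":
    target = "uid=fred.flintstone,ou=MailCustomers,dc=bestsolution,dc=at"
    for rule in ("uid=.*,ou=MailCustomers,dc=bestsolution,dc=at",             # literal DN
                 "dn.regexp:uid=.*,ou=MailCustomers,dc=bestsolution,dc=at",   # unknown style
                 "dn.regex:^uid=[^,]+,ou=mailcustomers,dc=bestsolution,dc=at$"):
        print(check_authz([rule], target), rule)
```

Anchoring the pattern with ^ and $ keeps it from matching DNs that only contain the intended suffix as a substring.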