
Re: Auth access for search-based mappings?



Quoting Howard Chu <hyc@symas.com>:

You can't. As the slapd.conf(5) manpage states, the matching process
stops at the first rule that matches the incoming SASL name. ...

Okay. I saw that too, but confused the SASL name with the SASL user name. So, the first of my two authz-regexp statements was always a match, which stopped the process.

... If you want to use multiple authz-regexp statements, they must
each have unique "match" portions because any duplicates will be ignored.

And mine were duplicates, since the replacement pattern is not part of the match (search pattern).

For your case, you need to come up with a single search specification...

Where can I find information on how to write LDAP URL search specifications?
For example, RFC2255 doesn't say much about it (e.g. no mention of ampersand or pipe characters).

... that will handle both branches of your search. One possible solution
would be to use entryDN in the filter:

# slapd.conf: continuation lines begin with whitespace, and arguments are
# split on whitespace, so the LDAP URL (including its filter) must be one
# unbroken argument.
authz-regexp
        uid=([^,]*),cn=example.com,cn=gssapi,cn=auth
        ldap:///dc=example,dc=com??sub?(&(|(entryDN:dnSubtree:=ou=eng,dc=example,dc=com)(entryDN:dnSubtree:=ou=bio,dc=example,dc=com))(uid=$1)(objectclass=person))

Unfortunately, this doesn't work at all. Using ldapwhoami I now get:

   dn:uid=john,cn=example.com,cn=gssapi,cn=auth
   dn:uid=pete,cn=example.com,cn=gssapi,cn=auth

Thanks,

Jaap
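The two rules the thread turns on (first-match-wins across authz-regexp statements, and a search-based replacement mapping the identity only when the search returns exactly one entry) are easier to see in a toy model than in slapd.conf(5) prose. The Python below is an added example, not code from the thread or from OpenLDAP: it keeps an in-memory directory, applies a list of (match, replacement) rules to a SASL name the way the manpage describes, and evaluates the LDAP URL's filter with a small RFC 4515 parser (RFC 2255 defers the filter part of an LDAP URL to RFC 2254, now RFC 4515, which is where `(&...)` for AND and `(|...)` for OR are defined). The directory entries, the third "pete" in ou=sales and the "ann" present in two branches are constructed sample data; the toy accepts both `dnSubtree` and `dnSubtreeMatch` as the subtree rule name without claiming what a given slapd release accepts, and it does not explain why the server in the thread left the names unmapped.

```python
"""Toy model of slapd authz-regexp identity mapping (added example, not
OpenLDAP code).  First rule whose match fits the SASL name wins; a search
URL maps the identity only if it yields exactly one entry."""
import re

# Constructed sample directory, DN -> attributes (keys compared case-insensitively).
# "ann" exists in two branches on purpose so a subtree search for her is ambiguous.
DIRECTORY = {
    "uid=john,ou=eng,dc=example,dc=com": {"uid": "john", "objectclass": "person"},
    "uid=pete,ou=bio,dc=example,dc=com": {"uid": "pete", "objectclass": "person"},
    "uid=pete,ou=sales,dc=example,dc=com": {"uid": "pete", "objectclass": "person"},
    "uid=ann,ou=eng,dc=example,dc=com": {"uid": "ann", "objectclass": "person"},
    "uid=ann,ou=bio,dc=example,dc=com": {"uid": "ann", "objectclass": "person"},
}

SASL_RE = r"uid=([^,]*),cn=example.com,cn=gssapi,cn=auth"

# Two rules with identical match portions: the second is never consulted.
RULES_DUPLICATE = [
    (SASL_RE, "ldap:///ou=eng,dc=example,dc=com??sub?(uid=$1)"),
    (SASL_RE, "ldap:///ou=bio,dc=example,dc=com??sub?(uid=$1)"),
]

# One rule whose filter ORs the two branches inside an AND (RFC 4515 syntax).
RULES_COMBINED = [
    (SASL_RE, "ldap:///dc=example,dc=com??sub?"
              "(&(|(entryDN:dnSubtree:=ou=eng,dc=example,dc=com)"
              "(entryDN:dnSubtree:=ou=bio,dc=example,dc=com))"
              "(uid=$1)(objectclass=person))"),
]


def norm_dn(dn):
    """Case-fold and strip spaces after commas; enough for this toy."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def in_subtree(dn, base):
    dn, base = norm_dn(dn), norm_dn(base)
    return dn == base or dn.endswith("," + base)


def parse_filter(s, i=0):
    """Recursive-descent parser for the RFC 4515 subset used here: (&...),
    (|...), (attr=value), (attr=*) and the extensible (attr:rule:=value).
    Returns (node, index just past the closing parenthesis)."""
    if s[i] != "(":
        raise ValueError("filter component must start with '('")
    i += 1
    if s[i] in "&|":
        op, i, kids = ("and" if s[i] == "&" else "or"), i + 1, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError("unbalanced filter")
        return (op, kids), i + 1
    end = s.index(")", i)
    lhs, _, value = s[i:end].partition("=")
    if ":" in lhs:                              # extensible match
        attr, rule = lhs.rstrip(":").split(":", 1)
        return ("ext", attr.lower(), rule.lower(), value), end + 1
    return ("eq", lhs.lower(), value), end + 1


def matches(node, dn, entry):
    kind = node[0]
    if kind == "and":
        return all(matches(k, dn, entry) for k in node[1])
    if kind == "or":
        return any(matches(k, dn, entry) for k in node[1])
    vals = {k.lower(): v for k, v in entry.items()}
    if kind == "eq":
        if node[2] == "*":                      # presence filter
            return node[1] in vals
        return vals.get(node[1], "").lower() == node[2].lower()
    attr, rule, value = node[1:]
    if attr == "entrydn" and rule in ("dnsubtree", "dnsubtreematch"):
        return in_subtree(dn, value)
    raise ValueError("unsupported matching rule: " + rule)


def search(url, directory):
    """Evaluate an ldap:///base?attrs?scope?filter URL against the toy directory."""
    if not url.startswith("ldap:///"):
        raise ValueError("only ldap:/// URLs are modelled")
    base, _attrs, scope, filt = (url[len("ldap:///"):].split("?", 3) + ["", "", ""])[:4]
    scope, filt = scope or "base", filt or "(objectClass=*)"
    node, end = parse_filter(filt)
    if end != len(filt):
        raise ValueError("trailing characters after filter")
    hits = []
    for dn, entry in directory.items():
        if scope == "sub":
            in_scope = in_subtree(dn, base)
        elif scope == "one":
            in_scope = norm_dn(dn.partition(",")[2]) == norm_dn(base)
        else:
            in_scope = norm_dn(dn) == norm_dn(base)
        if in_scope and matches(node, dn, entry):
            hits.append(dn)
    return hits


def map_identity(rules, sasl_name, directory):
    """Mapped DN, or the unmapped SASL name when no rule matches or the
    search does not return exactly one entry (what ldapwhoami then prints)."""
    for pattern, replacement in rules:
        m = re.search(pattern, sasl_name, re.IGNORECASE)   # slapd compiles with REG_ICASE
        if not m:
            continue
        target = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", replacement)
        if not target.startswith("ldap:///"):
            return target                                  # literal DN replacement
        hits = search(target, directory)
        return hits[0] if len(hits) == 1 else sasl_name   # stop at the first match
    return sasl_name


if __name__ == "__main__":
    for who in ("john", "pete", "ann"):
        name = f"uid={who},cn=example.com,cn=gssapi,cn=auth"
        print(f"{who:5} duplicate rules -> {map_identity(RULES_DUPLICATE, name, DIRECTORY)}")
        print(f"{who:5} combined rule   -> {map_identity(RULES_COMBINED, name, DIRECTORY)}")
```

With the duplicate rules, pete is never mapped: the first statement matches his SASL name, its search under ou=eng finds nothing, and the second statement is never reached. With the combined rule he maps to the ou=bio entry while the ou=sales pete is excluded by the subtree terms; ann stays unmapped because her search returns two entries, the same observable outcome as a rule that does not match at all.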