
Re: authz-regexp and uid's



Hello,
You are right, I did misinterpret authz-regexp to be a more general query rewriter.  I had actually come to this conclusion about an hour after sending this email.  Sorry for the wasted time.  I'm taking a look at the rwm overlay now.

Thank you for your time.

On Wed, Feb 2, 2011 at 6:21 AM, Ralf Haferkamp <rhafer@suse.de> wrote:
Am Dienstag 01 Februar 2011, 18:19:33 schrieb Derek Bodner:
> Hello,
> I'm running an ldap 2.3 server, with users setup under cn=<first name>
> <last name>,ou=People,dc=org,dc=com.  I have an application that is
> trying to access the dn's directly, via
> uid=<username>,ou=People,dc=org,dc=com
>
> I've setup an authz-regexp rule to try to rewrite the request:
> authz-regexp
>           uid=([^,]*),ou=People,dc=org,dc=com
>           ldap:///ou=People,dc=org,dc=com??one?(uid=$1)
>
>
> But my query still seems to be failing
[..]
>
>
> Any ideas on what I'm doing wrong ?
It seems you heavily misunderstood the purpose of authz-regexp. It is
only meant for converting user names as used during SASL authentication
to LDAP DNs e.g. for Authorization purposes. E.g. if you authenticate
against your slapd as joe@YOUR.KRB.REALM using SASL/GSSAPI you can use
authz-regexp to map that name to an LDAP DN that makes sense in your
setup.

For details see: http://www.openldap.org/doc/admin24/sasl.html

authz-regexp is NOT
- able to rewrite DNs in LDAP Simple Bind Request.
- a general purpose tool to rewrite LDAP Search Results.

If you can't fix your application to be more flexible in regards to how
your DNs must look, it might be possible to achieve what you want through
the rwm-Overlay, but I don't know the overlay well enough to say for
sure. See the slapo-rwm man-page for details.

Ralf

--
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)



--
Derek Bodner
subscribedlists@derekbodner.com
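The two mechanisms Ralf contrasts, as an added slapd.conf example that is not part of the thread: an authz-regexp written against the SASL identity slapd generates for a GSSAPI bind (the left-hand side the original rule got wrong), and the slapo-rwm direction he pointed at for rewriting the application's uid=... bind DN. It assumes the placeholder realm YOUR.KRB.REALM, that entries under ou=People carry a uid attribute readable by an anonymous search, that slapd listens on ldap://localhost, and that the rwm ldap map uses its argument as the search filter; verify that last point against slapo-rwm(5) for your version.

```conf
# Added example, not from the thread.  Assumptions: realm placeholder YOUR.KRB.REALM,
# entries under ou=People,dc=org,dc=com with a uid attribute that anonymous may read,
# slapd on ldap://localhost, and rwm's ldap map using its argument as the filter.

# 1. What authz-regexp is for: slapd builds the SASL authentication identity
#    uid=<user>,cn=<realm>,cn=gssapi,cn=auth for a GSSAPI bind; this rule maps it
#    to the real entry.  The left-hand side matches that identity, not a bind DN,
#    which is why a rule written against uid=...,ou=People never fires.
authz-regexp
    uid=([^,]*),cn=YOUR.KRB.REALM,cn=gssapi,cn=auth
    ldap:///ou=People,dc=org,dc=com??one?(uid=$1)

# Check: after a kinit, the mapped DN should be reported by
#   ldapwhoami -Y GSSAPI -H ldap://localhost
# and should read dn:cn=<first> <last>,ou=People,dc=org,dc=com rather than the
# raw cn=gssapi,cn=auth identity.  If it still shows the raw identity, the
# regex (realm spelling included) did not match what slapd generated.

# 2. Rewriting a simple-bind DN of the form uid=<user>,ou=People,... is a job for
#    slapo-rwm.  These directives go inside the database section of the backend
#    that holds ou=People.
overlay             rwm
rwm-rewriteEngine   on
# ldap map: looks up the entry matching the filter given as argument and
# returns its DN (the "dn" attribute selector asks for the DN itself).
rwm-rewriteMap      ldap uid2dn "ldap://localhost/ou=People,dc=org,dc=com?dn?one"
rwm-rewriteContext  bindDN
rwm-rewriteRule     "^uid=([^,]+),ou=People,dc=org,dc=com$" "${uid2dn(uid=$1)}" ":"
```

The map performs its own search, so restrict the bindDN rule to the exact suffix shown and confirm with ldapwhoami -x -D uid=<user>,ou=People,dc=org,dc=com that the bind reports the cn= DN; a mismatch or an unwilling-to-perform error means the lookup returned no (or more than one) entry.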