Full_Name: Matthew Monaco
Version: 2.4.11
OS: GNU/Linux 2.6.27-7 (Ubuntu 8.10 Server JeOS)
URL:
Submission from: (NULL) (96.242.209.249)

After modifying existing olcAuthzRegexp and/or adding/removing additional olcAuthzRegexp from cn=config, I needed to restart slapd for the changes to take effect.

I'm not sure if it matters but I was using ldapvi to do the modification.

I can however, confirm that the changes immediately appeared in various other ldap browsers (such as Apache Directory Studio).
This is a known limitation in authz regexp support. There are no plans to change this any time soon.

On Thu, Mar 26, 2009 at 03:33:37AM +0000, dgbaley27@verizon.net wrote:
> Full_Name: Matthew Monaco
> Version: 2.4.11
> OS: GNU/Linux 2.6.27-7 (Ubuntu 8.10 Server JeOS)
> URL:
> Submission from: (NULL) (96.242.209.249)
>
>
> After modifying existing olcAuthzRegexp and/or adding/removing additional
> olcAuthzRegexp from cn=config, I needed to restart slapd for the changes to take
> effect.
>
> I'm not sure if it matters but I was using ldapvi to do the modification.
>
> I can however, confirm that the changes immediately appeared in various other
> ldap browsers (such as Apache Directory Studio).
--On Thursday, March 26, 2009 4:14 PM +0000 hyc@symas.com wrote:

> This is a known limitation in authz regexp support. There are no plans
> to change this any time soon.

Where's this limitation documented? What other parameters in the config backend have the same flaw? We've certainly fixed this for a number of other things.

I don't even see authz-regexp/olcAuthzRegexp mentioned in chapters 5 or 6 in the admin guide, and the man pages don't note this limitation.

--Quanah

--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
quanah@zimbra.com wrote:
> --On Thursday, March 26, 2009 4:14 PM +0000 hyc@symas.com wrote:
>
>> This is a known limitation in authz regexp support. There are no plans
>> to change this any time soon.
>
> Where's this limitation documented? What other parameters in the config
> backend have the same flaw? We've certainly fixed this for a number of
> other things.

Indeed, it has been finally, although rather inelegantly, fixed in slapo-rwm(5), AFAIR.

p.

Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: ando@sys-net.it
-----------------------------------
Hi, Following up from <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761407#23>: This limitation seems to still exist (tried RE24 and master). Until it can be fixed, please document it clearly in slapd-config.5 (and maybe the admin guide too), as well as any related attrs if they also require a restart (olcAuthzPolicy?). It's surprising behaviour, since almost every other attribute does support online configuration. Proposed patch follows. thanks, Ryan diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5 index c5bf06f..7c39369 100644 --- a/doc/man/man5/slapd-config.5 +++ b/doc/man/man5/slapd-config.5 @@ -409,6 +409,10 @@ values can be specified to allow for multiple matching and replacement patterns. The matching patterns are checked in the order they appear in the attribute, stopping at the first successful match. +Note that changes to +.B olcAuthzRegexp +take effect the next time the server is started, not immediately upon +changing the configuration. .\".B Caution: .\"Because the plus sign + is a character recognized by the regular expression engine, .\"and it will appear in names that include a REALM, be careful to escape the
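Review bot: The note added after "stopping at the first successful match." should also state that the running slapd keeps applying the previously loaded mapping rules until it is restarted, even though the modified values are already stored in and readable from cn=config. As worded ("take effect the next time the server is started, not immediately upon changing the configuration"), an administrator who deletes or tightens an identity mapping could still assume the old rule is no longer in use. The cover message also asks whether related attributes (olcAuthzPolicy?) need a restart; this hunk touches only the olcAuthzRegexp paragraph, so if any of them do, each needs the same note in its own description.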
moved from Incoming to Software Bugs
changed notes
has patch for documentation has patch;openldap-scratch IPR ok
Merge request: https://git.openldap.org/openldap/openldap/-/merge_requests/1
Commits:
• 822ed8c1 by Ryan Tandy at 2020-04-02T09:10:51-07:00
  ITS#6035 saslauthz cleanups (no functional change)
  - give authid-rewrite's argument a name
  - tidy saslauthz.c whitespace (mixed spaces/tabs)
  - always declare slap_sasl_regexp_destroy: fixes an implicit declaration warning when configured without librewrite
  - delete dead code: ENABLE_REWRITE implies SLAP_AUTH_REWRITE, so this code is never compiled
  - make slap_sasl_regexp_rewrite_config static
  - omit sasl_regexp unused fields when built with librewrite
• c4db9061 by Ryan Tandy at 2020-04-02T09:10:51-07:00
  ITS#6035 olcAuthzRegexp insert/delete support
• 1d562a7a by Ryan Tandy at 2020-04-02T09:10:51-07:00
  ITS#6035 olcAuthIDRewrite insert/delete support
• 2b01b8dd by Ryan Tandy at 2020-04-02T09:10:51-07:00
  ITS#6035 Create test script
Commits:
• 7ce47405 by Ryan Tandy at 2020-04-16T09:51:28-07:00
  ITS#6035 Fix test076 to specify SASL mech
  Still not ideal though. DIGEST-MD5 seems to be a Linux-centric (or maybe cyrus-sasl-centric) default. May need to make this opt-in, like test028.
• df46c07a by Ryan Tandy at 2020-04-26T01:46:43+00:00 ITS#6035 Skip test076 if chosen SASL mech not supported
head:
• f3ed13fa by Ondřej Kuzník at 2022-09-01T10:09:27+01:00
  ITS#6035 Plug olcAuthIDRewrite cn=config leak
RE26:
• d598f537 by Ondřej Kuzník at 2022-09-12T20:43:29+00:00
  ITS#6035 Plug olcAuthIDRewrite cn=config leak
RE25:
• 1b80eb42 by Ondřej Kuzník at 2022-09-12T20:43:41+00:00
  ITS#6035 Plug olcAuthIDRewrite cn=config leak