Full_Name: Michael Ströder
Version: 2.4.8
OS:
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (84.163.75.104)

A configuration using authz-regexp fully functional with appropriate ACLs was
working in RE23 but does not work in 2.4.8 anymore.

http://www.openldap.org/lists/openldap-software/200802/msg00373.html

More to follow...
Follow-up on openldap-software repeated here...

Gavin Henry wrote:
> Michael Ströder wrote:
>>
>> I tried to migrate an existing server from 2.3.39 to 2.4.7 (or also
>> CVS RE24). I'm making use of authz-regexp to map user entries when
>> they do a SASL Bind with DIGEST-MD5. Also some ACLs are in effect.
>> This together used to work on 2.3.x with the existing ACLs.
>>
>> With 2.4.7 this no longer worked. The user wasn't found. In the ACL
>> debug log I've noticed that access to the search root database entry
>> (suffix) is requested. When I explicitly grant auth access to this
>> entry it works. But why is that needed? Was this an intended change?
>
> Can you paste them?

I've prepared a simplified slapd.conf and an LDIF file (both attached) for
this particular migration issue. Take note of this:

authz-regexp
    "uid=([a-zA-Z0-9]+),cn=digest-md5,cn=auth"
    "ldap:///ou=authz-test,dc=stroeder,dc=local??sub?(uid=$1)"

[..]

access to
    dn.onelevel="ou=Users,ou=authz-test,dc=stroeder,dc=local"
    by * auth

See test of recent RE23 (port 2003) vs. recent RE24 (port 2004):

----------------------------- snip -----------------------------
$ /opt/openldap-RE24/bin/ldapwhoami -H "ldap://localhost:2003" -Y DIGEST-MD5 -w testsecret
SASL/DIGEST-MD5 authentication started
SASL username: michael
SASL SSF: 128
SASL data security layer installed.
dn:uid=michael,ou=users,ou=authz-test,dc=stroeder,dc=local

$ /opt/openldap-RE24/bin/ldapwhoami -H "ldap://localhost:2004" -Y DIGEST-MD5 -w testsecret
SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
m
----------------------------- snip -----------------------------

If I grant auth access to the database root entry
ou=authz-test,dc=stroeder,dc=local it works (see comment of this particular
ACL in attached slapd.conf). With RE23 it also works without this ACL!

Ciao, Michael.
michael@stroeder.com wrote:
> Take note of this:
>
> authz-regexp
>     "uid=([a-zA-Z0-9]+),cn=digest-md5,cn=auth"
>     "ldap:///ou=authz-test,dc=stroeder,dc=local??sub?(uid=$1)"
>
> [..]
>
> access to
>     dn.onelevel="ou=Users,ou=authz-test,dc=stroeder,dc=local"
>     by * auth
>
> See test of recent RE23 (port 2003) vs. recent RE24 (port 2004):

As indicated in OpenLDAP 2.4's man page, now the LDAP search operation
requires "search" privileges on the "entry" pseudo-attribute of the
searchBase. This was introduced to be able to honor the "disclose"
privilege (or, at least, in conjunction with code that is used to honor
the "disclose" privilege). The man page is erroneous in stating that this
requirement and that feature were introduced in OpenLDAP 2.3: the code is
indeed present in OpenLDAP 2.3, but actually #ifdef'd; it only became the
default behavior in OpenLDAP 2.4.

This requirement, as usual, is downgraded to "auth" when performing
authc/authz related lookups.

I'd take this ITS as a request to fix the documentation (indicate the
change since 2.4 and not since 2.3) and to better notify the different
behavior since 2.3.

p.

Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:   +39 02 23998309
Mobile:   +39 333 4963172
Email:    pierangelo.masarati@sys-net.it
---------------------------------------
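The following slapd.conf fragment is an added example, not the slapd.conf attached to this ITS. It puts the ACL that was sufficient on 2.3 beside the rule that 2.4 additionally needs for the authz-regexp lookup, as the two replies above describe. It assumes the suffix ou=authz-test,dc=stroeder,dc=local and the ou=Users container from the report; the database type, rootdn, rootpw and the trailing catch-all rule are placeholders.

```conf
# Added example (not the ITS attachment). Suffix and ou=Users are taken
# from the report; database, rootdn and rootpw are placeholders.
database        bdb
suffix          "ou=authz-test,dc=stroeder,dc=local"
rootdn          "cn=Manager,ou=authz-test,dc=stroeder,dc=local"
rootpw          "REPLACE_ME"

# Map the SASL/DIGEST-MD5 authentication identity to a real user entry.
# The mapping is resolved by an internal subtree search rooted at the suffix.
authz-regexp
    "uid=([a-zA-Z0-9]+),cn=digest-md5,cn=auth"
    "ldap:///ou=authz-test,dc=stroeder,dc=local??sub?(uid=$1)"

# --- ACL set that worked on 2.3 but fails on 2.4 with "Invalid credentials" ---
# On 2.4 a search first needs access to the "entry" pseudo-attribute of the
# search base itself (the suffix). The rule below only covers the user
# entries, so the internal authz lookup is denied and the user is not found.
#
# access to dn.onelevel="ou=Users,ou=authz-test,dc=stroeder,dc=local"
#     by * auth

# --- Corrected for 2.4 ---
# Grant "auth" on the "entry" pseudo-attribute of the search base. Ordinary
# searches require "search" on it, but the requirement is downgraded to
# "auth" for authc/authz lookups, so "auth" is the minimum that makes the
# authz-regexp lookup succeed. Because "auth" is below "search" in the
# privilege order, anonymous clients still cannot search the base entry.
# If regular (authenticated) clients must search from the suffix, add a
# "by users search" clause ahead of the "by * auth" one.
access to dn.base="ou=authz-test,dc=stroeder,dc=local" attrs=entry
    by * auth

# The user entries still need "auth" so the mapped DN can be located and
# the bind completed (this is the rule from the report, unchanged).
access to dn.onelevel="ou=Users,ou=authz-test,dc=stroeder,dc=local"
    by * auth

# Order matters: slapd stops at the first "access to" clause whose <what>
# matches, so the two rules above must precede any catch-all like this
# placeholder.
access to *
    by self write
    by users read
    by * none
```

To confirm the fix, repeat the test from the report (`ldapwhoami -Y DIGEST-MD5` against the 2.4 server) and watch the ACL debug log: the access check on the suffix entry that previously showed as denied should now be granted at the "auth" level.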
changed notes changed state Open to Release moved from Incoming to Documentation
changed notes changed state Release to Closed
searches need "search" on "entry" of searchBase since 2.4 fix man page (and Admin Guide, I guess)