SASL (ITS#1079)
Full_Name: Jim Campbell
Version: 2.0.7
OS: Solaris 2.6/8
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (147.188.40.2)
What is the meaning of acl "self" when using SASL authorisation?
The matching rule seems to be trying UID={sasl id}+REALM={realm}!!
but shouldn't this be uid DN?
=> acl_mask: access to entry "uid=samba,ou=People,dc=NP,dc=PH,dc=BHAM,dc=AC,dc=UK", attr "userPassword" requested
=> acl_mask: to value by "UID=UID=SAMBA,OU=PEOPLE,DC=NP,DC=PH,DC=BHAM,DC=AC,DC=UK+REALM=NPSMX", (=n)
<= check a_dn_pat: cn=admin,dc=NP,dc=PH,dc=BHAM,dc=AC,dc=UK
=> string_expand: pattern: cn=admin,dc=NP,dc=PH,dc=BHAM,dc=AC,dc=UK
=> string_expand: expanded: cn=admin,dc=NP,dc=PH,dc=BHAM,dc=AC,dc=UK
=> regex_matches: string: UID=UID=SAMBA,OU=PEOPLE,DC=NP,DC=PH,DC=BHAM,DC=AC,DC=UK+REALM=NPSMX
=> regex_matches: rc: 1 no matches
<= check a_dn_pat: cn=proxyagent,ou=profile,dc=NP,dc=PH,dc=BHAM,dc=AC,dc=UK
=> string_expand: pattern: cn=proxyagent,ou=profile,dc=NP,dc=PH,dc=BHAM,dc=AC,dc=UK
=> string_expand: expanded: cn=proxyagent,ou=profile,dc=NP,dc=PH,dc=BHAM,dc=AC,dc=UK
=> regex_matches: string: UID=UID=SAMBA,OU=PEOPLE,DC=NP,DC=PH,DC=BHAM,DC=AC,DC=UK+REALM=NPSMX
=> regex_matches: rc: 1 no matches
<= check a_dn_pat: self
<= check a_dn_pat: anonymous
<= check a_dn_pat: *
(note that here because of vagaries of Solaris 8 CRAM_MD5 the SASL userid
is the DN name "uid=samba,ou=People,dc=NP,dc=PH,dc=BHAM,dc=AC,dc=UK" and I
have modified code to allow this:
*** sasl.c Thu Mar 1 16:48:43 2001
--- sasl.c.orig Thu Mar 1 16:47:10 2001
***************
*** 465,472 ****
0, 0, 0);
} else if ( username[0] == 'u' && username[1] == ':'
! && username[2] != '\0')
! /* && strpbrk(
&username[2], "+=,;\"\\ \t") == NULL )*/
{
*edn = ch_malloc( sizeof( "uid= + realm=" )
+ strlen( &username[2] )
--- 465,472 ----
0, 0, 0);
} else if ( username[0] == 'u' && username[1] == ':'
! && username[2] != '\0'
! && strpbrk( &username[2], "+=,;\"\\ \t") == NULL
)
{
*edn = ch_malloc( sizeof( "uid= + realm=" )
+ strlen( &username[2] )
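Review bot: the hunk is reversed relative to the description: the `***` side is the modified sasl.c and the `---` side is sasl.c.orig, so the change actually made is the removal of the `&& strpbrk( &username[2], "+=,;\"\\ \t") == NULL` guard on the `u:` branch (it survives only inside a `/* ... */` comment), not its addition. Dropping that guard is exactly what produces the DN in the trace above: the user part of the `u:` authzId is concatenated verbatim into the `"uid= + realm="` buffer allocated by `ch_malloc`, so a username that is itself a DN yields `UID=UID=SAMBA,OU=PEOPLE,...+REALM=NPSMX`, a DN with injected RDN components that neither `self` nor any `a_dn_pat` clause can ever match. The guard should stay; a DN-form identity belongs to the dnAuthzId form that the report itself cites from RFC 2829 (the `dn:` prefix), not to the uAuthzId branch with its character check relaxed.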
as RFC 2829 says authzId = dnAuthzId/uAuthzId)
cheers
Jim
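Added example (not code from the report or from slapd): a hypothetical `build_uid_dn` that constructs the `uid=<user>+realm=<realm>` DN the way the `u:` branch in the quoted hunk does, with the `strpbrk()` guard switchable so the effect of removing it can be seen on the report's own input; `authzid_form` and `DN_SPECIALS` are names chosen here, and the realm `NPSMX` and the DN `uid=samba,ou=People,dc=NP,dc=PH,dc=BHAM,dc=AC,dc=UK` are taken from the trace.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Characters that cannot sit unescaped in an RDN value: the same set the
 * strpbrk() guard in the quoted sasl.c hunk checks. */
#define DN_SPECIALS "+=,;\"\\ \t"

/* RFC 2829 authzId forms, as cited in the report. */
enum authz_form { AUTHZ_UNKNOWN, AUTHZ_DN, AUTHZ_U };

/* Classify an authzId by its prefix: "dn:" (dnAuthzId) or "u:" (uAuthzId). */
enum authz_form authzid_form(const char *authzid)
{
    if (authzid == NULL) return AUTHZ_UNKNOWN;
    if (strncmp(authzid, "dn:", 3) == 0 && authzid[3] != '\0') return AUTHZ_DN;
    if (strncmp(authzid, "u:", 2) == 0 && authzid[2] != '\0') return AUTHZ_U;
    return AUTHZ_UNKNOWN;
}

/* Build "uid=<user>+realm=<realm>" from a uAuthzId as the u: branch in the
 * report does (hypothetical helper, not slapd's own). With reject_specials
 * set, the guard the report removed is kept: a user part holding DN special
 * characters is refused and NULL returned. Without it the characters are
 * copied verbatim, which is how a DN passed as the SASL username becomes
 * the "UID=UID=SAMBA,...+REALM=NPSMX" string in the ACL trace. Caller frees. */
char *build_uid_dn(const char *authzid, const char *realm, int reject_specials)
{
    if (authzid_form(authzid) != AUTHZ_U || realm == NULL) return NULL;
    const char *user = &authzid[2];
    if (reject_specials && strpbrk(user, DN_SPECIALS) != NULL) return NULL;
    size_t n = sizeof("uid=+realm=") + strlen(user) + strlen(realm);
    char *dn = malloc(n);
    if (dn != NULL) snprintf(dn, n, "uid=%s+realm=%s", user, realm);
    return dn;
}

int main(void)
{
    /* Constructed inputs: a plain uid, and the DN the report says the Solaris
     * CRAM-MD5 plugin hands over as the SASL username. */
    const char *ids[] = { "u:samba", "u:uid=samba,ou=People,dc=NP,dc=PH,dc=BHAM,dc=AC,dc=UK" };
    for (int i = 0; i < 2; i++) {
        char *g = build_uid_dn(ids[i], "NPSMX", 1), *u = build_uid_dn(ids[i], "NPSMX", 0);
        printf("%s\n  guarded:   %s\n  unguarded: %s\n", ids[i],
               g ? g : "(rejected)", u ? u : "(rejected)");
        free(g); free(u);
    }
    return 0;
}
```

With the guard on, the plain uid produces `uid=samba+realm=NPSMX` while the DN-shaped username is rejected outright; with it off, the DN-shaped username produces the multi-RDN string that the `self` check in the trace cannot match.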