
Re: Bug in LDAP_CONTROL_PROXY_AUTHZ (ITS#2871)



> Full_Name: Igor Brezac
> Version: 2.1.25
> OS: Solaris 9
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (209.170.142.3)
>
>
> LDAP_CONTROL_PROXY_AUTHZ does not set mech which may create problems for
> some sasl configurations.  Here is my example.
>
> sasl-regexp     uid=(.*),cn=(.*),cn=(.*),cn=auth
>             associateddomain=$2+cn=$1,ou=people,o=pb
>
> sasl-regexp     uid=(.*),cn=(.*),cn=auth
>             cn=$1,ou=people,ou=admin,o=pb

This is incorrect; try

sasl-regexp     uid=([^,]+),cn=(.*),cn=auth
            cn=$1,ou=people,ou=admin,o=pb

because regexp in case of ambiguities chooses
the largest matches.

p.

>
> If the first sasl-regexp is not present, the second one would fail as
> well.
>
> ==>slap_sasl2dn: converting SASL name uid=igor,cn=ipass.net,cn=auth to a
> DN slap_sasl_regexp: converting SASL name uid=igor,cn=ipass.net,cn=auth
> slap_sasl_regexp: converted SASL name to cn=igor,ou=people,ou=admin,o=pb
>
> I expected something like (from ldapwhoami cmd tool):
>
> <<< dnNormalize: <uid=pino,cn=ipass.net,cn=digest-md5,cn=auth>
> ==>slap_sasl2dn: converting SASL name
> uid=igor,cn=ipass.net,cn=digest-md5,cn=auth to a DN
> slap_sasl_regexp: converting SASL name
> uid=igor,cn=ipass.net,cn=digest-md5,cn=auth
> slap_sasl_regexp: converted SASL name to
> associateddomain=ipass.net+cn=igor,ou=people,o=pb


-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
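
The capture-group ambiguity discussed in this thread, worked through on the two SASL names from the report. This is an added example, not part of the original messages and not OpenLDAP code. It assumes Python's re module as a stand-in for slapd's regex matching, whole-name matching, rules tried in order with the first match winning, and writes slapd's $1 as \1; the helper names are hypothetical.

```python
import re

# Rules from the thread as (pattern, replacement); slapd's $N is written \N here.
REPORTED = [
    (r"uid=(.*),cn=(.*),cn=(.*),cn=auth", r"associateddomain=\2+cn=\1,ou=people,o=pb"),
    (r"uid=(.*),cn=(.*),cn=auth", r"cn=\1,ou=people,ou=admin,o=pb"),
]
SUGGESTED = (r"uid=([^,]+),cn=(.*),cn=auth", r"cn=\1,ou=people,ou=admin,o=pb")

# SASL names taken from the log excerpts in the report.
WITH_MECH = "uid=igor,cn=ipass.net,cn=digest-md5,cn=auth"
NO_MECH = "uid=igor,cn=ipass.net,cn=auth"


def captures(pattern, name):
    """Return the capture groups when pattern matches the whole name, else None."""
    m = re.fullmatch(pattern, name)
    return m.groups() if m else None


def map_sasl_name(name, rules):
    """Return the DN built by the first matching rule, else None.

    Assumption: rules are tried in configuration order and the first match wins.
    """
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, name)
        if m:
            return m.expand(replacement)
    return None


if __name__ == "__main__":
    # With the mechanism component, the three-component rule applies.
    print(map_sasl_name(WITH_MECH, REPORTED))
    # Without it, only the two-component rule can match.
    print(map_sasl_name(NO_MECH, REPORTED))
    # Greedy (.*) in the two-component rule swallows the realm into group 1.
    print(captures(REPORTED[1][0], WITH_MECH))
    print(map_sasl_name(WITH_MECH, REPORTED[1:]))
    # [^,]+ stops group 1 at the first comma, so the uid is captured alone.
    print(captures(SUGGESTED[0], WITH_MECH))
    print(map_sasl_name(WITH_MECH, [SUGGESTED]))
```
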