Re: Bug in LDAP_CONTROL_PROXY_AUTHZ (ITS#2871)
> Full_Name: Igor Brezac
> Version: 2.1.25
> OS: Solaris 9
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (209.170.142.3)
>
>
> LDAP_CONTROL_PROXY_AUTHZ does not set mech which may create problems for
> some sasl configurations. Here is my example.
>
> sasl-regexp uid=(.*),cn=(.*),cn=(.*),cn=auth
> associateddomain=$2+cn=$1,ou=people,o=pb
>
> sasl-regexp uid=(.*),cn=(.*),cn=auth
> cn=$1,ou=people,ou=admin,o=pb
This is incorrect; try
sasl-regexp uid=([^,]+),cn=(.*),cn=auth
cn=$1,ou=people,ou=admin,o=pb
because regexp in case of ambiguities chooses
the largest matches.
p.
>
> If the first sasl-regexp is not present, the second one would fail as
> well.
>
> ==>slap_sasl2dn: converting SASL name uid=igor,cn=ipass.net,cn=auth to a
> DN slap_sasl_regexp: converting SASL name uid=igor,cn=ipass.net,cn=auth
> slap_sasl_regexp: converted SASL name to cn=igor,ou=people,ou=admin,o=pb
>
> I expected something like (from ldapwhoami cmd tool):
>
> <<< dnNormalize: <uid=pino,cn=ipass.net,cn=digest-md5,cn=auth>
> ==>slap_sasl2dn: converting SASL name
> uid=igor,cn=ipass.net,cn=digest-md5,cn=auth to a DN
> slap_sasl_regexp: converting SASL name
> uid=igor,cn=ipass.net,cn=digest-md5,cn=auth
> slap_sasl_regexp: converted SASL name to
> associateddomain=ipass.net+cn=igor,ou=people,o=pb
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
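
Added example, not part of the original message or of OpenLDAP's code: it applies the sasl-regexp rules quoted in the thread to the two SASL names from the logs and shows which rule fires and what each `(.*)` captures. It assumes Python's `re` stands in for slapd's regex matching, that patterns are searched unanchored, and that the first matching rule wins; `map_sasl_name` is a hypothetical helper.

```python
import re

# Rules as quoted in the report: (pattern, replacement), in configuration order.
REPORTED = [
    (r"uid=(.*),cn=(.*),cn=(.*),cn=auth",
     "associateddomain=$2+cn=$1,ou=people,o=pb"),
    (r"uid=(.*),cn=(.*),cn=auth",
     "cn=$1,ou=people,ou=admin,o=pb"),
]
# Second rule as suggested in the reply: uid may not span a comma.
SUGGESTED = (r"uid=([^,]+),cn=(.*),cn=auth",
             "cn=$1,ou=people,ou=admin,o=pb")

# SASL names taken from the log excerpts in the thread.
WITH_MECH = "uid=igor,cn=ipass.net,cn=digest-md5,cn=auth"
NO_MECH = "uid=igor,cn=ipass.net,cn=auth"


def map_sasl_name(name, rules):
    """Return (rule_index, captures, mapped_dn) for the first matching rule.

    Returns None when no rule matches. $1..$9 in the replacement are
    substituted with the corresponding capture groups.
    """
    for index, (pattern, template) in enumerate(rules):
        match = re.search(pattern, name)
        if match is None:
            continue
        dn = re.sub(r"\$(\d)",
                    lambda ref: match.group(int(ref.group(1))),
                    template)
        return index, match.groups(), dn
    return None


if __name__ == "__main__":
    cases = [
        ("both rules, name with mech", WITH_MECH, REPORTED),
        ("both rules, name without mech", NO_MECH, REPORTED),
        ("reported 2nd rule alone, with mech", WITH_MECH, REPORTED[1:]),
        ("suggested 2nd rule alone, with mech", WITH_MECH, [SUGGESTED]),
    ]
    for label, name, rules in cases:
        print(f"{label}: {map_sasl_name(name, rules)}")
```

With the reported second rule on its own, the greedy first group swallows `igor,cn=ipass.net`, so the realm leaks into the mapped `cn`; with `[^,]+` the uid capture stops at the first comma.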