use librewrite for sasl-regexp (ITS#2886)



Full_Name: Pierangelo Masarati
Version: HEAD
OS: Linux
URL: http://www.sys-net.it/~ando/Download/slap-sasl-authid-rewrite.patch
Submission from: (NULL) (81.72.89.40)


The proposed patch uses librewrite for sasl-regexp'ing auth IDs to DNs
instead of the current regex-based match-replace.  This allows more
expressive semantics.

All the changes are protected behind #ifdef SLAP_X_SASL_REWRITE
which needs to be hand-defined.

If the old syntax, e.g.

sasl-regexp <match> <replace>

is used, it mimics the old behavior; otherwise one must use the following:

authid-rewrite<statement> <arg> [...]

where the "rewrite<statement>" part and the args are defined
according to the rewrite engine configuration illustrated in
slapd-meta(5).  The authid-rewriteContexts "authcid" for
authentication ID mapping, and "authzid" for authorization ID
mapping must be defined.  The "authid" generic rule must also
be defined for those cases where the ID mapping cannot clearly
determine what the mapping is required for.  This allows using
different mappings for authc and authz; however, for
regular usage, this may not be required.  It is thus suggested
to alias the authcid/authzid rules to a generic rule, e.g.:

# switch on the rewriting
authid-rewriteEngine on

# main context: turns userids into a search for "uid=name" under 
# the people branch of the default naming context
authid-rewriteContext "authid"
authid-rewriteRule "uid=([^,]+),cn=[^,]+,cn=[^,]+,cn=auth" \
    "ldap:///ou=People,dc=example,dc=com??sub?(uid=%1)" "@"

# authc and authz contexts alias the generic one
authid-rewriteContext "authcid" alias "authid"
authid-rewriteContext "authzid" alias "authid"

A more complex usage, as illustrated in earlier postings, can be

# switch on the rewriting
authid-rewriteEngine on

# context that turns a domain "a.b.c" into a dc naming context "dc=a,dc=b,dc=c"
# the second rule is invoked recursively 0 to n-1 times, n being the number
# of domain components
authid-rewriteContext "dns2dc"
authid-rewriteRule ".*" "<>%0" ":"
authid-rewriteRule "([^>]*)<>([-a-zA-Z0-9]+)\\.(.*)" "%1dc=%2,<>%3"
authid-rewriteRule "([^>]*)<>([-a-zA-Z0-9]+)$$" "%1dc=%2" ":"

# main context: turns userids in the form "name/domain" into
# a search for "uid=name" under the people branch of "domain"
authid-rewriteContext "authid"
authid-rewriteRule "uid=([^,]+)/([^,]+),cn=[^,]+,cn=[^,]+,cn=auth" \
    "ldap:///ou=People,%{>dns2dc(%2)}??sub?(uid=%1)" "@"

# authc and authz contexts alias the generic one
authid-rewriteContext "authcid" alias "authid"
authid-rewriteContext "authzid" alias "authid"
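Added here as an illustration, not part of the ITS submission or the patch: a small Python function that produces the same authid-to-URI mapping the two configurations above describe, handling the plain "uid=name" form and the "name/domain" form side by side. The sample authids are constructed, and escaping the uid before it is embedded in the search filter is this example's own choice (the rewrite rule substitutes %1 verbatim).

```python
import re

# Same patterns as the authid-rewriteRule directives above, anchored to the whole string.
AUTHID_SIMPLE = re.compile(r"^uid=([^,]+),cn=[^,]+,cn=[^,]+,cn=auth$")
AUTHID_DOMAIN = re.compile(r"^uid=([^,]+)/([^,]+),cn=[^,]+,cn=[^,]+,cn=auth$")
# Character class used by the "dns2dc" rules for one domain label.
DOMAIN_LABEL = re.compile(r"^[-a-zA-Z0-9]+$")


def escape_filter(value):
    """RFC 4515 escaping (this example's addition), so a uid such as
    'ando*)' cannot change the meaning of the (uid=...) search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def dns2dc(domain):
    """Mirror of the "dns2dc" context: 'a.b.c' -> 'dc=a,dc=b,dc=c'.
    The rewrite rules consume one label per recursive pass; a loop over the
    labels gives the same result.  A label outside [-a-zA-Z0-9]+ would make
    the rules fail to match, so it is rejected here as well."""
    labels = domain.split(".")
    if not all(DOMAIN_LABEL.match(label) for label in labels):
        return None
    return ",".join("dc=%s" % label for label in labels)


def authid_to_uri(authid, default_base="dc=example,dc=com"):
    """Map a SASL authid DN to the LDAP URI the "authid" context would produce.
    The name/domain form is tried first, since [^,]+ in the plain form would
    otherwise swallow the slash.  Returns None when no rule applies."""
    m = AUTHID_DOMAIN.match(authid)
    if m:
        uid, domain = m.groups()
        base = dns2dc(domain)
        if base is None:
            return None
    else:
        m = AUTHID_SIMPLE.match(authid)
        if not m:
            return None
        uid, base = m.group(1), default_base
    return "ldap:///ou=People,%s??sub?(uid=%s)" % (base, escape_filter(uid))


if __name__ == "__main__":
    # Constructed sample authids, as presented by a DIGEST-MD5 bind.
    for sample in ("uid=ando,cn=example.com,cn=DIGEST-MD5,cn=auth",
                   "uid=ando/sys-net.it,cn=example.com,cn=DIGEST-MD5,cn=auth",
                   "cn=root,cn=auth"):
        print(sample, "->", authid_to_uri(sample))
```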

Ando.