[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#3962) using slapd.d makes tls certificates not work??

pfnguyen@best.com wrote:

># typically, this rule should only be used by Heimdal kerberos
>        uidNumber=0\\\+gidNumber=.*,cn=peercred,cn=external,cn=auth
>        "uid=Local Admin,ou=Services,dc=HanHuy,dc=com"
>        gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth
>        "uid=Local Admin,ou=Services,dc=HanHuy,dc=com"
># map all other local users to their respective ldap entries
>        uidNumber=(.*)\\\+gidNumber=.*,cn=peercred,cn=external,cn=auth
>        ldap:///ou=People,dc=HanHuy,dc=com??one?(&(uidNumber=$1)(objectClass=posixAccount))
I don't know if this is part of the problem, but since OpenLDAP 2.3.5 
the normalization of the DN representation of the EXTERNAL SASL identity 
generated by LDAPI is 
"gidNumber=<gid>+uidNumber=<uid>,cn=peercred,cn=external,cn=auth", as 
per ITS#3876; in fact, when normalizing RDNs, slapd sorts the AVAs using 
lexicographical ordering on the attributeDescription, so gidNumber comes 
before uidNumber, while slapd code was erroneously generating that DN 
diectly in normalized form as  "uidNumber=<uid>+gidNumber=<gid>,..." 
creating a lot of confusion.  This fix already made into slapd some time 
ago, but later on it was backed out by mistake.  As such, I guess your 
authz-regexp #0 and #2 will not match any longer, while authz-regexp #1 
looks fine...


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497