[Date Prev][Date Next]
RE: (ITS#3962) using slapd.d makes tls certificates not work??
> I don't know if this is part of the problem, but since OpenLDAP 2.3.5
> the normalization of the DN representation of the EXTERNAL
> SASL identity
> generated by LDAPI is
> "gidNumber=<gid>+uidNumber=<uid>,cn=peercred,cn=external,cn=auth", as
> per ITS#3876; in fact, when normalizing RDNs, slapd sorts the
> AVAs using
> lexicographical ordering on the attributeDescription, so
> gidNumber comes
> before uidNumber, while slapd code was erroneously generating that DN
> diectly in normalized form as "uidNumber=<uid>+gidNumber=<gid>,..."
> creating a lot of confusion. This fix already made into
> slapd some time
> ago, but later on it was backed out by mistake. As such, I
> guess your
> authz-regexp #0 and #2 will not match any longer, while
> authz-regexp #1
> looks fine...
Actually, the problem shouldn't be related to the authz-regexp, since I'm
not using -Y external to test the connection, but rather -Y gssapi -H
Thanks for the pointer about the change in the authz-regexp for external
auth, I was wondering why that behavior was so weird with the newer
versions. For the time being, I'll keep both the uid0 entries, the uid=.*
is going to be deleted, since my ldapi socket is only rw by root anyway.
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.338 / Virus Database: 267.10.14/79 - Release Date: 8/22/2005