
RE: (ITS#3962) using slapd.d makes tls certificates not work??

> I don't know if this is part of the problem, but since OpenLDAP 2.3.5
> the normalization of the DN representation of the EXTERNAL SASL identity
> generated by LDAPI is
> "gidNumber=<gid>+uidNumber=<uid>,cn=peercred,cn=external,cn=auth", as
> per ITS#3876; in fact, when normalizing RDNs, slapd sorts the AVAs using
> lexicographical ordering on the attributeDescription, so gidNumber comes
> before uidNumber, while slapd code was erroneously generating that DN
> directly in normalized form as "uidNumber=<uid>+gidNumber=<gid>,...",
> creating a lot of confusion.  This fix already made it into slapd some
> time ago, but later on it was backed out by mistake.  As such, I guess
> your authz-regexp #0 and #2 will not match any longer, while
> authz-regexp #1 looks fine...
> 
> p.

Actually, the problem shouldn't be related to the authz-regexp, since I'm
not using -Y external to test the connection, but rather -Y gssapi -H
ldaps:///.

Thanks for the pointer about the change in the authz-regexp for external
auth, I was wondering why that behavior was so weird with the newer
versions.  For the time being, I'll keep both the uid0 entries; the uid=.*
entry is going to be deleted, since my ldapi socket is only rw by root anyway.

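The quoted explanation of why authz-regexp rules stop matching is easy to reproduce outside slapd. The following is an added example, not code from the thread or from OpenLDAP: a small model of the RDN normalization the message describes (AVAs within a multi-valued RDN sorted lexicographically by attribute description), applied to the peercred identity and then checked against three constructed authz-regexp patterns. The patterns, the uid/gid values and the case-insensitive matching are assumptions for illustration; the thread does not show the original rules.

```python
import re

# Constructed sample: the DN the thread says slapd used to emit directly
# (uidNumber first) and the form it normalizes to since 2.3.5 (gidNumber
# sorts before uidNumber). Values 0/0 are made up for the example.
UNSORTED_PEERCRED_DN = "uidNumber=0+gidNumber=0,cn=peercred,cn=external,cn=auth"

# Hypothetical authz-regexp match patterns standing in for the poster's
# rules #0, #1 and #2 (not on the page): #0 and #2 assume the old
# uidNumber-first order, #1 uses the normalized gidNumber-first order.
AUTHZ_REGEXP_PATTERNS = [
    r"^uidNumber=0\+gidNumber=0,cn=peercred,cn=external,cn=auth$",            # 0
    r"^gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth$",            # 1
    r"^uidNumber=([0-9]+)\+gidNumber=([0-9]+),cn=peercred,cn=external,cn=auth$",  # 2
]


def split_unescaped(text: str, sep: str) -> list:
    """Split on `sep` while honouring backslash escapes, so an escaped
    comma or plus inside an attribute value does not start a new RDN/AVA."""
    parts, current, escaped = [], [], False
    for ch in text:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return parts


def normalize_dn(dn: str) -> str:
    """Model of the normalization step the thread describes: within each
    multi-valued RDN, order the AVAs lexicographically on the attribute
    description (compared case-insensitively). This is a simplified model
    of slapd's normalizer, limited to the ordering behaviour discussed."""
    normalized_rdns = []
    for rdn in split_unescaped(dn, ","):
        avas = []
        for ava in split_unescaped(rdn, "+"):
            attr, _, value = ava.partition("=")
            avas.append((attr.strip(), value.strip()))
        avas.sort(key=lambda a: a[0].lower())
        normalized_rdns.append("+".join(f"{a}={v}" for a, v in avas))
    return ",".join(normalized_rdns)


def matching_rules(authz_id: str, patterns: list) -> list:
    """Return the indexes of the patterns that match `authz_id`.
    Case-insensitive matching is assumed here to mirror authz-regexp."""
    return [i for i, pat in enumerate(patterns)
            if re.match(pat, authz_id, re.IGNORECASE)]


if __name__ == "__main__":
    normalized = normalize_dn(UNSORTED_PEERCRED_DN)
    print("as generated :", UNSORTED_PEERCRED_DN,
          "-> rules", matching_rules(UNSORTED_PEERCRED_DN, AUTHZ_REGEXP_PATTERNS))
    print("normalized   :", normalized,
          "-> rules", matching_rules(normalized, AUTHZ_REGEXP_PATTERNS))
```

Run as a script it shows that rules #0 and #2 match the unsorted string but only rule #1 matches the normalized identity, which is exactly the behaviour the quoted message predicts. The defensive takeaway is to write authz-regexp patterns against the normalized (sorted) form, and to keep them as narrow as possible, since a pattern like `uid=.*` grants the mapping to every peercred identity rather than just uid 0.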