
Re: (ITS#5400) authz-regexp migration issue: ACLs of 2.3 no longer work with 2.4.8




Follow-up on openldap-software repeated here...

Gavin Henry wrote:
> Michael Ströder wrote:
>>
>> I tried to migrate an existing server from 2.3.39 to 2.4.7 (or also 
>> CVS RE24). I'm making use of authz-regexp to map user entries when 
>> they do a SASL Bind with DIGEST-MD5. Also some ACLs are in effect. 
>> This together used to work on 2.3.x with the existing ACLs.
>>
>> With 2.4.7 this no longer worked. The user wasn't found. In the ACL 
>> debug log I've noticed that access to the search root database entry 
>> (suffix) is requested. When I explicitly grant auth access to this 
>> entry it works. But why is that needed? Was this an intended change?
> 
> Can you paste them?

I've prepared a simplified slapd.conf and a LDIF file (both
attached) for this particular migration issue.

Take note of this:

authz-regexp
    "uid=([a-zA-Z0-9]+),cn=digest-md5,cn=auth"
    "ldap:///ou=authz-test,dc=stroeder,dc=local??sub?(uid=$1)"
[..]
access to
      dn.onelevel="ou=Users,ou=authz-test,dc=stroeder,dc=local"
      by * auth


See test of recent RE23 (port 2003) vs. recent RE24 (port 2004):

----------------------------- snip -----------------------------
$ /opt/openldap-RE24/bin/ldapwhoami -H "ldap://localhost:2003" -Y DIGEST-MD5 -w testsecret
SASL/DIGEST-MD5 authentication started
SASL username: michael
SASL SSF: 128
SASL data security layer installed.
dn:uid=michael,ou=users,ou=authz-test,dc=stroeder,dc=local
$ /opt/openldap-RE24/bin/ldapwhoami -H "ldap://localhost:2004" -Y DIGEST-MD5 -w testsecret
SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
m
----------------------------- snip -----------------------------

If I grant auth access to the database root entry
ou=authz-test,dc=stroeder,dc=local it works (see comment of this
particular ACL in attached slapd.conf). With RE23 it also works
without this ACL!

Ciao, Michael.

Attachment: initialload.ldif

dn: ou=authz-test,dc=stroeder,dc=local
objectClass: organizationalUnit
ou: authz-test

dn: ou=Users,ou=authz-test,dc=stroeder,dc=local
objectClass: organizationalUnit
ou: Users

dn: uid=michael,ou=Users,ou=authz-test,dc=stroeder,dc=local
uid: michael
objectClass: account
objectClass: simpleSecurityObject
userpassword: testsecret



Attachment: slapd.conf

include		/opt/openldap-RE24/etc/openldap/schema/core.schema
include		/opt/openldap-RE24/etc/openldap/schema/cosine.schema

# Define global ACLs to disable default read access.

pidfile		/home/michael/temp/openldap-authzto-testbed/RE24/run/slapd-1.pid
argsfile	/home/michael/temp/openldap-authzto-testbed/RE24/run/slapd-1.args

modulepath	/opt/openldap-RE24/libexec/openldap

moduleload	back_hdb.la

authz-regexp
  "uid=([a-zA-Z0-9]+),cn=digest-md5,cn=auth"
  "ldap:///ou=authz-test,dc=stroeder,dc=local??sub?(uid=$1)"

database	hdb

suffix		"ou=authz-test,dc=stroeder,dc=local"
directory	/home/michael/temp/openldap-authzto-testbed/RE24/data

# Index configuration
index objectClass,uid		eq

sizelimit	-1

# User entries
# ------------------------

access
    to dn.onelevel="ou=Users,ou=authz-test,dc=stroeder,dc=local"
    by * auth

# Why the hell is this ACL needed for SASL Bind with authz-regexp with OpenLDAP 2.4?
access to dn.base="ou=authz-test,dc=stroeder,dc=local"
    by * auth


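Added example (not part of the report and not OpenLDAP code): a small Python model of the authz-regexp mapping and the dn-style ACL check discussed above, useful for seeing which entries of the internal search need `auth` access. The regexp, URL and ACLs are taken from the attached slapd.conf; the ACL matching rules, the set of entries checked (the search base that the 2.4 debug log shows being checked, plus the matched user entry) and the omission of fallthrough to slapd's global/default ACLs are simplifying assumptions.

```python
import re

# Constructed from the slapd.conf in this report; a simplified model of how
# slapd applies authz-regexp and dn-style ACLs, not slapd's own code.
AUTHZ_REGEXP = (r"uid=([a-zA-Z0-9]+),cn=digest-md5,cn=auth",
                "ldap:///ou=authz-test,dc=stroeder,dc=local??sub?(uid=$1)")
# (dn style, pattern, level granted to "*"); the first matching clause decides
ACLS_2_3_STYLE = [("onelevel", "ou=Users,ou=authz-test,dc=stroeder,dc=local", "auth")]
ACLS_FIXED = ACLS_2_3_STYLE + [("base", "ou=authz-test,dc=stroeder,dc=local", "auth")]
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

def dn_parts(dn):
    # DNs are compared case-insensitively, RDN by RDN (ldapwhoami printed ou=users)
    return [p.strip().lower() for p in dn.split(",")]

def dn_matches(style, pattern, dn):
    p, d = dn_parts(pattern), dn_parts(dn)
    if style == "base":
        return p == d
    if style == "onelevel":
        return len(d) == len(p) + 1 and d[1:] == p
    if style == "subtree":
        return len(d) >= len(p) and d[-len(p):] == p
    raise ValueError(f"unsupported dn style: {style}")

def map_authzid(authcid_dn):
    """Apply the authz-regexp to a SASL authcid DN; return (base, scope, filter)
    for the internal search slapd performs, or None if the regexp does not match."""
    m = re.fullmatch(AUTHZ_REGEXP[0], authcid_dn)
    if m is None:
        return None
    url = AUTHZ_REGEXP[1]
    for i, group in enumerate(m.groups(), start=1):
        url = url.replace(f"${i}", group)
    # ldap:///base?attrs?scope?filter  (empty host part: search the local server)
    base, _attrs, scope, filt = url.split("///", 1)[1].split("?")
    return base, scope or "base", filt

def access_granted(acls, dn, wanted="auth"):
    # Fallthrough to slapd's global/default ACLs is deliberately not modelled.
    for style, pattern, level in acls:
        if dn_matches(style, pattern, dn):
            return LEVELS.index(level) >= LEVELS.index(wanted)
    return False

def entries_denied_auth(acls, authcid_dn, user_dn):
    """DNs touched by the mapping that lack auth access: the search base, which
    the 2.4 debug log shows being checked, and the user entry the filter matches."""
    base, _scope, _filt = map_authzid(authcid_dn)
    return [dn for dn in (base, user_dn) if not access_granted(acls, dn)]
```

With the 2.3-style ACL alone the suffix entry is reported as lacking auth access; adding the dn.base clause from the attached slapd.conf clears the list.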