
(ITS#8729) saslregex mapping failure

Full_Name: Mike Jackson
Version: 2.4.45
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (

On a server with KRB5_KTNAME and KRB5CCNAME in its environment but without a
functional /etc/krb5.conf file, olcAuthzRegexp mappings are completely ignored
for EXTERNAL auth (in my tests, distinguished names for X.509 client
authentication were not remapped until OL was able to kinit its own kerberos

This is a bit of a corner case, but a pretty annoying bug nonetheless when
building up new servers and indicates a failure in logic somewhere or another.

Chat logs follow:

JoBbZ: podz: oh, you're saying that the regex fails if you use a *non* GSSAPI
mechanism, and the krb5.conf can't talk to a KDC?
[9:41pm] podz: yes
[9:41pm] podz: and this is a dysfunction
[9:41pm] JoBbZ: yes, that'd be a bug for sure 
[9:41pm] podz: it's really a dysfunction
[9:42pm] JoBbZ: well, there should be zero reason for GSSAPI to even be
initialized if using EXTERNAL
[9:42pm] podz: precisely
[9:42pm] tarpman: that's sounding more like a sasl bug so far...
[9:42pm] podz: tarpman: like i said, i am not sure where the bug lies
[9:43pm] podz: something is fishy, though
[9:43pm] podz: now i am going to eat some cake and be back in 20-30 mins
[9:44pm] JoBbZ: well, EXTERNAL is all openldap code, doesn't depend on
[9:45pm] JoBbZ: so it could be a bug in OpenLDAP that it is calling cyrus-sasl
at all in this case
[9:45pm] podz: probably you are right
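For readers trying to confirm whether they are hitting the behaviour described in this report, the following is an added configuration example (not from the ITS submission or from the OpenLDAP project) showing the kind of olcAuthzRegexp mapping involved: an X.509 client-certificate subject DN presented through SASL EXTERNAL is rewritten to a directory entry. The organization name, the ou=people container and the dc=example,dc=com suffix are constructed placeholders, and the pattern assumes the certificate subject has the shape cn=<name>,ou=people,o=example corp.

```ldif
# Added example, not part of the original report. Values under
# dc=example,dc=com and the subject-DN shape are constructed assumptions.
#
# The mapping lives on the frontend database. The first (and only) capture
# group takes the certificate CN and feeds it into an LDAP URL; slapd then
# searches for exactly one entry whose cn matches and binds the client as it.
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: "^cn=([^,]+),ou=people,o=example corp$"
  "ldap:///ou=people,dc=example,dc=com??sub?(cn=$1)"
```

Apply with `ldapmodify -Y EXTERNAL -H ldapi:/// -f <file>`, then check the result from a client whose TLS_CERT/TLS_KEY point at the client certificate: `ldapwhoami -ZZ -Y EXTERNAL -H ldap://<server>`. A working mapping answers with the directory DN (here `dn:cn=<name>,ou=people,dc=example,dc=com`); if the reply is still the raw certificate subject, the regexp was not applied, which is the symptom above. Because the rule rewrites to an LDAP URL, the search must return exactly one entry or the bind is rejected, so keep the base and filter narrow enough that a certificate cannot match more than one account.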