
RE: saslAuthz{To|From}



>
>>Now an '@' in the userid is no longer treated
>>as a realm-separator: userids can have '@' inside.
>>Can you send me a trace of the operation? I don't
>>have a setup at hand to reproduce it.  The sasl
>>mapping stuff would suffice.
>
> ==> sasl_bind: dn="" mech=EXTERNAL datalen=27
> SASL Canonicalize [conn=4]: authzid="u:kadmin/admin@DSG.PADL.COM"
> slap_sasl_getdn: id=u:kadmin/admin@DSG.PADL.COM [len=27]
> slap_sasl_getdn: u:id converted to
> uid=kadmin/admin@DSG.PADL.COM,cn=DSG.PADL.COM,cn=EXTERNAL,cn=auth
>>>> dnNormalize:
>>>> <uid=kadmin/admin@DSG.PADL.COM,cn=DSG.PADL.COM,cn=EXTERNAL,cn=auth>
> =>
> ldap_bv2dn(uid=kadmin/admin@DSG.PADL.COM,cn=DSG.PADL.COM,cn=EXTERNAL,cn=auth,0)
> <=
> ldap_bv2dn(uid=kadmin/admin@DSG.PADL.COM,cn=DSG.PADL.COM,cn=EXTERNAL,cn=auth,0)=0
> => ldap_dn2bv(272)
> <=
> ldap_dn2bv(uid=kadmin/admin@dsg.padl.com,cn=dsg.padl.com,cn=external,cn=auth,272)=0
> <<< dnNormalize:
> <uid=kadmin/admin@dsg.padl.com,cn=dsg.padl.com,cn=external,cn=auth>
> ==>slap_sasl2dn: converting SASL name
> uid=kadmin/admin@dsg.padl.com,cn=dsg.padl.com,cn=external,cn=auth to a
> DN slap_sasl_regexp: converting SASL name
> uid=kadmin/admin@dsg.padl.com,cn=dsg.padl.com,cn=external,cn=auth
> slap_sasl_regexp: converted SASL name to
> ldap:///DC=dsg,DC=padl,DC=com??sub?(&(objectClass=User)(servicePrincipalName=kadmin/admin@dsg.padl.com))
> slap_parseURI: parsing
> ldap:///DC=dsg,DC=padl,DC=com??sub?(&(objectClass=User)(servicePrincipalName=kadmin/admin@dsg.padl.com))
> ldap_url_parse_ext(ldap:///DC=dsg,DC=padl,DC=com??sub?(&(objectClass=User)(servicePrincipalName=kadmin/admin@dsg.padl.com)))
>
> i.e. to preserve the simplicity of the results I would rather have the
> converted user not include a redundant realm specifier:
>
> 	uid=kadmin/admin,cn=DSG.PADL.COM,cn=EXTERNAL,cn=auth
>
> or
>
> 	uid=kadmin/admin@DSG.PADL.COM,cn=EXTERNAL,cn=auth
>
> -- Luke

I see; that's the current intended behavior.
There's nothing to do except craft your sasl-regexp
into something like

sasl-regexp uid=(.*)/(.+)(@[^,]+)?,cn=DSG.PADL.COM,cn=(.*),cn=auth

or

sasl-regexp uid=(.*)/([^@,]+)(@[^,]+)?,cn=DSG.PADL.COM,cn=(.*),cn=auth

which looks a bit redundant, but should do the job.

Ando.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
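The two sasl-regexp search patterns proposed above differ in how they capture the realm suffix, and the difference is easiest to see by running both against the normalized SASL DN from the trace. The following Python script is an added illustration, not code from the thread or from OpenLDAP: it copies both patterns verbatim, applies them with a case-insensitive search (an assumption mirroring slapd's case-insensitive compile of sasl-regexp patterns, needed because dnNormalize lowercased the DN while the pattern spells the realm in upper case), and expands a constructed `$N`-style replacement template to show the resulting search URI.

```python
import re

# Search patterns copied from the reply above; "DSG.PADL.COM" is left unescaped as written.
PATTERN_GREEDY = r"uid=(.*)/(.+)(@[^,]+)?,cn=DSG.PADL.COM,cn=(.*),cn=auth"
PATTERN_NO_AT = r"uid=(.*)/([^@,]+)(@[^,]+)?,cn=DSG.PADL.COM,cn=(.*),cn=auth"

# Constructed replacement template (not from the thread): $1..$9 expand to captured groups.
REPLACEMENT = "ldap:///dc=dsg,dc=padl,dc=com??sub?(servicePrincipalName=$1/$2)"

# Normalized SASL DN exactly as it appears in the trace (already lowercased by dnNormalize).
SASL_DN = "uid=kadmin/admin@dsg.padl.com,cn=dsg.padl.com,cn=external,cn=auth"


def match_groups(pattern, sasl_dn):
    """Apply one search pattern; return the tuple of captured groups, or None if no match.

    re.search is unanchored like regexec(); re.IGNORECASE is assumed to mirror slapd's
    REG_ICASE so the upper-case realm in the pattern matches the lowercased DN.
    """
    m = re.search(pattern, sasl_dn, re.IGNORECASE)
    return m.groups() if m else None


def expand(template, groups):
    """Expand $1..$9 placeholders with the captured groups; an unset group becomes ''.

    $0 (the whole match in slapd) is deliberately not handled here.
    """
    def substitute(m):
        n = int(m.group(1))
        if n < 1 or n > len(groups) or groups[n - 1] is None:
            return ""
        return groups[n - 1]
    return re.sub(r"\$([1-9])", substitute, template)


def map_sasl_dn(pattern, template, sasl_dn):
    """Return the search URI the mapping would yield, or None if the pattern does not match."""
    groups = match_groups(pattern, sasl_dn)
    if groups is None:
        return None
    return expand(template, groups)


if __name__ == "__main__":
    for name, pattern in (("greedy", PATTERN_GREEDY), ("no-at", PATTERN_NO_AT)):
        print(name, match_groups(pattern, SASL_DN))
        print(name, map_sasl_dn(pattern, REPLACEMENT, SASL_DN))
```

With the first pattern the greedy `(.+)` swallows `admin@dsg.padl.com` and the optional realm group stays unset, so the realm is carried into the filter; with the second pattern `[^@,]+` stops at the `@`, the realm lands in group 3, and `$1/$2` yields `kadmin/admin` without the redundant realm. Both patterns require a `/` in the userid, so a DN such as `uid=plainuser@dsg.padl.com,...` matches neither and would fall through to the next sasl-regexp, which is worth remembering when ordering the mapping rules.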