RE: saslAuthz{To|From}



>
>>I see, that's the current intended behavior,
>>there's nothing to do except craft your sasl-regexp
>>to something like
>
> That seems to work, thanks!
>
> Perhaps this should be in the release notes for 2.2.3.
>
> What about rules for mapping N-part realm names to a distinguished name?
>  (I admit that this was never particularly elegant!) I guess I can eat
> the realm tokens up in the "uid=authzid" part rather than "cn=REALM".
>
> sasl-regexp uid=(.*)/(.*),cn=(.*)\\\.(.*)\\\.(.*)\\\.(.*),cn=.*,cn=auth
> ldap:///DC=$3,DC=$4,DC=$5,DC=$6??sub?(&(objectClass=User)(servicePrincipalName=$1/$2))
>
> It would be nice if the regex code explicitly supported mapping
> DNS-style realm names to "dc" distinguished names...

you mean a sort of a "[[:dns:]]" pattern coupled to a rewrite rule
so that

sasl-regexp "uid=(.*)/(.*),cn=([[:dns:]]),cn=.*,cn=auth" \
ldap:///${dns2dc(3)}??sub?(&(objectClass=User)(servicePrincipalName=$1/$2))

This could be easily done by using the rewrite mechanism in sasl-regexp:

rewriteEngine   on

rewriteContext  dns2dc
rewriteRule     ".*" "<>%0" ":"
rewriteRule     "([^>]*)(<>)?([-a-zA-Z0-9]+)\.(.*)" "%1dc=%3,<>%4"
rewriteRule     "([^>]*)(<>)?([-a-zA-Z0-9]+)$" "%1dc=%3" ":"

rewriteContext  saslRegexp
rewriteRule "uid=(.*)/(.*),cn=(.*),cn=.*,cn=auth" \
"ldap:///%{>dns2dc(%3)}??sub?(&(objectClass=User)(servicePrincipalName=%1/%2))"

testing it with

./libraries/librewrite/rewrite -r saslRegexp \
"uid=ando/SYS-NET.IT,cn=sys-net.it,cn=PLAIN,cn=auth"

yields

uid=ando/SYS-NET.IT,cn=sys-net.it,cn=PLAIN,cn=auth ->
ldap:///dc=sys-net,dc=it??sub?(&(objectClass=User)(servicePrincipalName=ando/SYS-NET.IT))

pretty, isn't it? :)

Ando.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
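The dns2dc and saslRegexp contexts above, re-implemented as an added, stand-alone Python emulation (not OpenLDAP's librewrite and not part of the thread) so the mapping can be checked offline. It assumes re.search mirrors the engine's unanchored regexec, that a rule's substitution replaces the whole string, and that the label-moving rule is re-applied until it stops matching; the up-front check that the realm is a plain dotted DNS name is an addition, because the context's patterns are not anchored at the start.

```python
import re

# Patterns copied from the rewriteRule lines in the post; %n references are
# rebuilt from the match groups in Python.
_R2 = re.compile(r"([^>]*)(<>)?([-a-zA-Z0-9]+)\.(.*)")
_R3 = re.compile(r"([^>]*)(<>)?([-a-zA-Z0-9]+)$")
_SASL = re.compile(r"uid=(.*)/(.*),cn=(.*),cn=.*,cn=auth")
# Added strict check (not in the post): only label(.label)* realms are accepted,
# since an unanchored pattern would otherwise quietly drop a leading junk prefix.
_DNS_NAME = re.compile(r"[-a-zA-Z0-9]+(\.[-a-zA-Z0-9]+)*\Z")


def dns2dc(realm):
    """'sys-net.it' -> 'dc=sys-net,dc=it', following the dns2dc context."""
    if not _DNS_NAME.match(realm):
        raise ValueError("realm is not a plain DNS name: %r" % realm)
    s = "<>" + realm                      # rule 1: insert the <> cursor
    # rule 2: move one label across the cursor per pass; assumed to re-apply
    # until it no longer matches, which realms with more than two labels need
    while True:
        m = _R2.search(s)
        if m is None:
            break
        s = "%sdc=%s,<>%s" % (m.group(1), m.group(3), m.group(4))
    m = _R3.search(s)                     # rule 3: consume the final label
    return "%sdc=%s" % (m.group(1), m.group(3))


def sasl_regexp(authcid):
    """Apply the saslRegexp rule: authc DN -> LDAP URL, or None if no match."""
    m = _SASL.search(authcid)
    if m is None:
        return None
    return ("ldap:///%s??sub?(&(objectClass=User)(servicePrincipalName=%s/%s))"
            % (dns2dc(m.group(3)), m.group(1), m.group(2)))


if __name__ == "__main__":
    # The same input the post feeds to librewrite/rewrite.
    src = "uid=ando/SYS-NET.IT,cn=sys-net.it,cn=PLAIN,cn=auth"
    print(src, "->", sasl_regexp(src))
```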