[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: saslAuthz failing to *compare*

Edward Rudd wrote:
I running OpenLDAP 2.1.22 and setting up, well modifying my SASL proxy
Auth setup
I had a saslAuthzto entry of 'uid=.*,ou=People,o=MyOrg,c=US' and that
works, but now I'm restructuring things in my LDAP and needing a
saslAuthzTo entry of this 'uid=.*,ou=Users,.*,ou=Domains,o=MyOrg,c=US'
And that refuses to match...
the user DN is now like this.
Which should match (and does match with every other Regex engine, and in
the ACL tables them selves).
Any ideas? Have I found a bug?

You're kind of hitting a (well known) bug, i.e. the value of saslAuthz{To|From} attributes is DN-normalized even if it might be a regex; in detail, while


passes a DN-normalization, because each RDN is well defined,


doesn't because the third AVA from the left, ".*", is not
a legal AVA (there is no "attributeType" "=", only a value
of ".*".  This is fixed in subsequent 2.1/2.2 releases.
Note that in 2.2 all these ambiguous identity definitions
can be avoided by forcing the right interpretation.  In your
case, you can use:

saslAuthzTo: dn.regex:uid=.*,ou=Users,.*,ou=Domains,o=MyOrg,c=US

un general, it is good practice to prefi "dn:" or "u:" to
indicate if the identity is a DN or a userid; DNs allow
the modifiers "exact", "chidren", "subtree" and "regex".

I suggest you upgrade; a workaround could be to use


note the "attributeType" "=" added; of course, you need
to add as many cases as are the expected attribute types.


Dr. Pierangelo Masarati         mailto:pierangelo.masarati@sys-net.it
LDAP Architect, SysNet s.n.c.   http://www.sys-net.it

   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497