
saslAuthz{To|From} value format (Was: saslAuthz failing to *compare*)



Pierangelo Masarati wrote:

> saslAuthzTo: dn.regex:uid=.*,ou=Users,.*,ou=Domains,o=MyOrg,c=US

Let me add that I couldn't find the new saslAuthz{To|From} format documented anywhere (although it is mostly backwards compatible). So I just added its description in slapd.conf(5), where the use of sasl-authz-policy is described.

Let me import it in this mail, so it gets indexed by Google,
which is considered the most authoritative source of knowledge
about OpenLDAP software ;)

    The value of saslAuthzFrom and saslAuthzTo describes an identity
    or a set of identities; it can take three forms:

        ldap:///<base>??[<scope>]?<filter>
        dn[.<dnstyle>]:<pattern>
        u[<mech>[<realm>]]:<pattern>
        <pattern>

        <dnstyle>:={exact|onelevel|children|subtree|regex}

    The first form is a valid LDAP uri where the <host>:<port>, the
    <attrs> and the <extensions> portions must be absent, so that the
    search occurs locally on either saslAuthzFrom or saslAuthzTo.
    The second form is a DN, with the optional style modifiers exact,
    onelevel, children, and subtree for exact, onelevel, children and
    subtree matches, which cause <pattern> to be normalized according
    to the DN normalization rules, or the special regex style, which
    causes <pattern> to be compiled according to regex(7). The third
    form is a SASL id, with the optional fields <mech> and <realm> that
    allow one to specify a SASL mechanism, and eventually a SASL realm,
    for those mechanisms that support one. The need to allow the
    specification of a mechanism is still debated, and users are
    strongly discouraged from relying on this possibility.
    For backwards compatibility, if no identity type is provided, i.e.
    only <pattern> is present, an exact DN is assumed; as a consequence,
    <pattern> is subjected to DN normalization. Since the interpretation
    of saslAuthzFrom and saslAuthzTo can impact security, users are
    strongly encouraged to explicitly set the type of identity
    specification that is being used.


Note that this applies only to 2.2; 2.1 still lives with that DN normalization even if the pattern could be a regex.

In general, I think authz handling is much better in 2.2,
and it is very unlikely that it gets backported to 2.1,
because it impacts too many portions of code.

p.

--
Dr. Pierangelo Masarati         mailto:pierangelo.masarati@sys-net.it
LDAP Architect, SysNet s.n.c.   http://www.sys-net.it

SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
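A parser for the three saslAuthz{To|From} value forms described in the excerpt above, added here as an example and not OpenLDAP's own code: it classifies a value, applies the backwards-compatibility rule that a bare <pattern> is an exact DN (so the regex metacharacters in the failing saslAuthzTo line above are taken literally), and checks a DN against the dn-form styles. Assumptions: DN normalization is simplified, regex matching is unanchored like regexec(3), and '.' and '/' are taken as the separators between u, <mech> and <realm>, which the excerpt does not show.

```python
import re
from urllib.parse import unquote

DN_STYLES = {"exact", "onelevel", "children", "subtree", "regex"}

def normalize_dn(dn):
    # Simplified DN normalization (an assumption, not slapd's full rules):
    # lower-case attribute types and strip blanks around ',' and '='.
    rdns = [r.partition("=") for r in re.split(r"(?<!\\),", dn)]
    return ",".join(f"{t.strip().lower()}={v.strip()}" for t, _, v in rdns)

def parse_authz_value(value):
    """Classify one saslAuthzTo/saslAuthzFrom value into its form."""
    if value.lower().startswith("ldap://"):            # first form: local URI
        if not value.lower().startswith("ldap:///"):
            raise ValueError("<host>:<port> must be absent, search is local")
        fields = value[len("ldap:///"):].split("?")
        base, attrs, scope, filt, exts = (fields + [""] * 5)[:5]
        if attrs or exts or len(fields) > 5:
            raise ValueError("<attrs> and <extensions> must be absent")
        return {"form": "uri", "base": normalize_dn(unquote(base)),
                "scope": scope or "base", "filter": unquote(filt) or "(objectClass=*)"}
    m = re.fullmatch(r"dn(?:\.(\w+))?:(.*)", value, re.S)   # second form: DN
    if m:
        style, pattern = (m.group(1) or "exact").lower(), m.group(2)
        if style not in DN_STYLES:
            raise ValueError(f"unknown dnstyle {style!r}")
        if style == "regex":
            re.compile(pattern)           # compiled per regex(7); a bad pattern raises
            return {"form": "dn", "style": style, "pattern": pattern}
        return {"form": "dn", "style": style, "pattern": normalize_dn(pattern)}
    # Third form: SASL id. Assumption: '.' and '/' separate u, <mech>, <realm>
    # (the excerpt writes u[<mech>[<realm>]] without showing the separators).
    m = re.fullmatch(r"u(?:\.([^/:]+)(?:/([^:]+))?)?:(.*)", value, re.S)
    if m:
        return {"form": "sasl", "mech": m.group(1), "realm": m.group(2), "pattern": m.group(3)}
    # Backwards compatibility: a bare <pattern> is an exact DN, so metacharacters
    # such as '.*' stay literal after normalization and never match a real user.
    return {"form": "dn", "style": "exact", "pattern": normalize_dn(value)}

def dn_matches(spec, dn):
    """True if dn is in the identity set described by a dn-form spec."""
    pat, style = spec["pattern"], spec["style"]
    if style == "regex":                  # unanchored, like regexec(3): add ^ and $ yourself
        return re.search(pat, dn) is not None
    dn = normalize_dn(dn)
    if style == "exact" or dn == pat:     # only subtree includes the base entry itself
        return dn == pat if style == "exact" else style == "subtree"
    if not dn.endswith("," + pat):
        return False
    return style != "onelevel" or "," not in dn[: -len(pat) - 1]
```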