
Re: saslAuthzTo check returning 48 SASL [conn=154] Failure: not authorized

> Thanks for your input.  I compiled and installed openldap-2.1.30 and
> changed the uid admin from saslAuthzTo:
> dn.regex:uid=.*,ou=people,dc=cpc to
> ldap:///ou=people,dc=cpc??sub?(objectclass=Person) (as in doco
> http://www.billy.demon.nl/ ) and it works.  To be honest I didn't/don't
> really understand how it works and why it wasn't working from the
> replies below but I am happy anyway.

I'm afraid this is exploiting a "feature" of authz code that is going to
change in future (2.2, at least) releases.  For those who are going to use
2.2 I strongly suggest the dn.regex style syntax is used to avoid later
problems.  The code as is in 2.1 and early 2.2 allows ldap:// authz
strings to return multiple candidates, while, for consistency with
authz-regexp (formerly sasl-regexp) rules, the ldap:// form will be
required to match exactly one DN.


Pierangelo Masarati

    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
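The two saslAuthzTo forms discussed in this thread, side by side, as an added LDIF illustration that is not part of the original message. The suffix dc=cpc, the ou=people container and the uid=admin account come from the thread; the exact DN of the admin entry (placed under ou=people here) and the slapd.conf policy directive name are assumptions. The comments record the caveat from the reply: the ldap:/// URI form relies on 2.1/early-2.2 behaviour that lets one authz string return several candidate DNs, whereas the dn.regex form is what later releases expect.

```ldif
# Assumed slapd.conf prerequisite (not part of the original message):
# proxy authorization must be permitted in the "to" direction, i.e.
# the entry names who may be authorized.
#   2.1:  sasl-authz-policy to
#   2.2:  authz-policy to
# (directive renamed in 2.2, as sasl-regexp became authz-regexp)

# Entry DN below is an assumption; only uid=admin is given on the page.
dn: uid=admin,ou=people,dc=cpc
changetype: modify
replace: saslAuthzTo
# Recommended form (dn.regex): one pattern, matched against the target
# DN the admin asks to assume. Works the same way in 2.1 and 2.2.
saslAuthzTo: dn.regex:uid=.*,ou=people,dc=cpc
-

# For comparison only, do NOT combine with the above in production:
# the URI form from the thread. In 2.1.30 / early 2.2 the subtree
# search may return many entries and the authz code accepts any of
# them; later releases require the URI to resolve to exactly one DN,
# so this line would stop authorizing the whole ou=people subtree.
#dn: uid=admin,ou=people,dc=cpc
#changetype: modify
#replace: saslAuthzTo
#saslAuthzTo: ldap:///ou=people,dc=cpc??sub?(objectclass=Person)
#-
```

Apply the active part with `ldapmodify` as an identity allowed to write the admin entry; the commented block is kept only to show which string must not be carried forward to a 2.2 deployment.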