[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Auth access for search-based mappings?

Jaap Winius wrote:
> Hi all,
> My OpenLDAP 2.4 test system uses Kerberos, SASL and GSSAPI. I've got  
> person objects located in two different org. units and want to search  
> both of them for a potential match, so I included these two statements  
> in slapd.conf:
>     authz-regexp
>        uid=([^,]*),cn=example.com,cn=gssapi,cn=auth
>        ldap:///ou=eng,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))
>     authz-regexp
>        uid=([^,].*),cn=example.com,cn=gssapi,cn=auth
>        ldap:///ou=bio,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))
> Unfortunately, it's not working as I hoped. If I have two test users,  
> uid=john in ou=eng and uid=pete ou=bio, then after first  
> authenticating them with the Kerberos kinit command, in this situation  
> a subsequent ldapwhoami command for each will give:
>     dn:uid=john,ou=eng,dc=example,dc=com
>     dn:uid=pete,cn=example.com,cn=gssapi,cn=auth
> The second result is, of course, completely useless. However, if I  
> change the order of two authz-regexp statements I get:
>     dn:uid=john,cn=example.com,cn=gssapi,cn=auth
>     dn:uid=pete,ou=bio,dc=example,dc=com
> Now the first result is useless. In other words, both authz-regexp  
> statements work, but the second statement is being ignored. Why? How  
> can I get slapd to also process the second authz-regexp statement?

You can't. As the slapd.conf(5) manpage states, the matching process stops at
the first rule that matches the incoming SASL name. If you want to use
multiple authz-regexp statements, they must each have unique "match" portions
because any duplicates will be ignored.

For your case, you need to come up with a single search specification that
will handle both branches of your search. One possible solution would be to
use entryDN in the filter:


  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/