
Re: Auth access for search-based mappings?

Jaap Winius wrote:
> Quoting Howard Chu <hyc@symas.com>:
>> You can't. As the slapd.conf(5) manpage states, the matching process
>> stops at the first rule that matches the incoming SASL name. ...
> Okay. I saw that too, but confused the SASL name with the SASL user
> name. So, the first of my two authz-regexp statements was always a
> match, which stopped the process.
>> ... If you want to use multiple authz-regexp statements, they must
>> each have unique "match" portions because any duplicates will be ignored.
> And mine were duplicates, since the replacement pattern is not part of
> the match (search pattern).
>> For your case, you need to come up with a single search specification...
> Where can I find information on how to write LDAP URL search
> specifications?
> For example, RFC2255 doesn't say much about it (e.g. no mention of
> ampersand or pipe characters).
>> ... that will handle both branches of your search. One possible solution
>> would be to use entryDN in the filter:
> authz-regexp
>         uid=([^,]*),cn=example.com,cn=gssapi,cn=auth
>         ldap:///dc=example,dc=com??sub?
>              (&(|(entryDN:dnSubtree:=ou=eng,dc=example,dc=com)
>                  (entryDN:dnSubtree:=ou=bio,dc=example,dc=com))
>              (uid=$1)(objectclass=person))
> Unfortunately, this doesn't work at all. Using ldapwhoami I now get:
>    dn:uid=john,cn=example.com,cn=gssapi,cn=auth
>    dn:uid=pete,cn=example.com,cn=gssapi,cn=auth

uid=([^,]*) looks strange to me. How about trying uid=([^,]+) instead?

Ciao, Michael.
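
The first-match behaviour and the `*` versus `+` point discussed in this thread, as an added Python sketch (not part of any poster's message and not OpenLDAP code). The two rules are constructed for illustration from the branches named above, and unanchored matching via `re.search` is an assumption about how slapd applies the pattern.

```python
import re

# Constructed rules modelled on the thread: two authz-regexp statements that
# share one match pattern and differ only in the replacement (search base).
RULES = [
    (r"uid=([^,]*),cn=example.com,cn=gssapi,cn=auth",
     "ldap:///ou=eng,dc=example,dc=com??sub?(uid=$1)"),
    (r"uid=([^,]*),cn=example.com,cn=gssapi,cn=auth",
     "ldap:///ou=bio,dc=example,dc=com??sub?(uid=$1)"),
]

def shadowed_rules(rules):
    """Return indexes of rules whose match pattern repeats an earlier rule's."""
    seen, shadowed = set(), []
    for i, (pattern, _) in enumerate(rules):
        if pattern in seen:
            shadowed.append(i)
        seen.add(pattern)
    return shadowed

def map_sasl_name(sasl_name, rules):
    """Model first-match-wins: return (rule index, rewritten string) or None."""
    for i, (pattern, replacement) in enumerate(rules):
        m = re.search(pattern, sasl_name)  # assumption: unanchored matching
        if m:
            # Substitute $1..$9 with the captured groups, as the replacement does.
            out = re.sub(r"\$(\d)",
                         lambda g: m.group(int(g.group(1))) or "",
                         replacement)
            return i, out
    return None

def with_plus(rules):
    """Same rules with [^,]+ in place of [^,]*, so an empty uid cannot match."""
    return [(p.replace("[^,]*", "[^,]+"), r) for p, r in rules]

if __name__ == "__main__":
    print("shadowed rule indexes:", shadowed_rules(RULES))
    for name in ("uid=pete,cn=example.com,cn=gssapi,cn=auth",
                 "uid=,cn=example.com,cn=gssapi,cn=auth"):
        print(name)
        print("  [^,]* ->", map_sasl_name(name, RULES))
        print("  [^,]+ ->", map_sasl_name(name, with_plus(RULES)))
```
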