
Re: same objects in multiple ou?



On 01/02/11 10:28 -0600, Joe Comeaux wrote:
I'm having a lot of trouble just getting a basic regexp example
working though.
I don't have any kind of slapd.conf set up, so I'm injecting the
updates through ldapmodify. Here's what I've tried:
#ldapmodify -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
add: olcAuthzRegexp
olcAuthzRegexp: uid=jrambo,ou=users,dc=example,dc=com uid=jrambo,ou=it,ou=users,dc=example,dc=com

modifying entry "cn=config"

#ldapsearch -x -H "ldap://voss.worleyco.com/" -b "dc=worleyco,dc=com" -D "uid=jrambo,ou=Users,dc=example,dc=com" -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

As far as I know, authz-regexp mappings only apply to SASL binds, and in a
special case in the nssov backend pam processing.

There was some discussion of using it with simple binds here:

http://www.openldap.org/lists/openldap-software/200507/msg00027.html

Given a mapping of

uid=jrambo,cn=([^,]+),cn=auth
uid=jrambo,ou=it,ou=users,dc=example,dc=com

or

uid=([^,]+),cn=([^,]+),cn=auth
uid=$1,ou=it,ou=users,dc=example,dc=com

or the rule I showed in my earlier email... you should then be able to do:

ldapwhoami -H "ldap://voss.worleyco.com/" -U jrambo

to see if your mapping is working correctly.

You'll want to have a SASL mechanism installed with some level of
security (such as DIGEST-MD5).

You may also be able to do:

ldapwhoami -Y EXTERNAL -H ldapi:/// -X u:jrambo

to test your mappings.

--
Dan White
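As an added illustration (not part of the thread, nor OpenLDAP's own code), a small Python model of how slapd applies authz-regexp rules: the quoted ldapmodify rule is written against a plain DN and can never match a SASL identity, Dan White's generic rule does map uid=jrambo,cn=DIGEST-MD5,cn=auth into ou=it, and a simple bind DN never enters the mapping at all. The identity formats are those documented in the OpenLDAP admin guide; the unanchored regexec()-style matching is an assumption about slapd's behaviour, and the SASL realm case shows a caveat the thread's rule does not cover.

```python
import re

# Rules as slapd sees them: (POSIX regex, replacement with $1..$9 backreferences).
AUTHZ_RULES = [
    # The quoted ldapmodify attempt: a literal DN, which is never a SASL identity.
    (r"uid=jrambo,ou=users,dc=example,dc=com",
     "uid=jrambo,ou=it,ou=users,dc=example,dc=com"),
    # Dan White's generic suggestion: map any SASL user into ou=it.
    (r"uid=([^,]+),cn=([^,]+),cn=auth",
     "uid=$1,ou=it,ou=users,dc=example,dc=com"),
]

def sasl_authz_id(authcid, mechanism, realm=None):
    """Identity slapd derives from a SASL bind before any authz-regexp runs:
    uid=<authcid>,cn=<realm>,cn=<mech>,cn=auth when a realm is present,
    uid=<authcid>,cn=<mech>,cn=auth otherwise."""
    if realm:
        return f"uid={authcid},cn={realm},cn={mechanism},cn=auth"
    return f"uid={authcid},cn={mechanism},cn=auth"

def apply_authz_regexp(identity, rules=AUTHZ_RULES):
    """Return the DN produced by the first matching rule, or None if none matches.
    Assumed: unanchored regexec()-style search, since slapd does not anchor the pattern."""
    for pattern, replacement in rules:
        m = re.search(pattern, identity)
        if m is None:
            continue
        # slapd writes captures as $1..$9; Python's expand() wants \1..\9
        return m.expand(re.sub(r"\$([1-9])", r"\\\1", replacement))
    return None

def effective_authz_dn(simple_dn=None, sasl=None):
    """Model which identity slapd authorizes a bind as.
    A simple bind is authorized as the DN it supplied; authz-regexp is not consulted.
    A SASL bind gets the mapped DN, or the raw cn=auth identity if no rule matches."""
    if simple_dn is not None:
        return simple_dn
    identity = sasl_authz_id(*sasl)
    return apply_authz_regexp(identity) or identity

if __name__ == "__main__":
    # Constructed sample binds mirroring the thread's DNs.
    print(effective_authz_dn(simple_dn="uid=jrambo,ou=users,dc=example,dc=com"))
    print(effective_authz_dn(sasl=("jrambo", "DIGEST-MD5")))
    print(effective_authz_dn(sasl=("jrambo", "DIGEST-MD5", "example.com")))
```

The third call shows why a realm-qualified identity slips past the rule: with an extra cn=<realm> component, uid=([^,]+),cn=([^,]+),cn=auth no longer matches and the bind is left authorized as the unmapped cn=auth identity, which owns no entry.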