Re: ldapwhoami translate sasl-name to dn



On 12/20/19 8:54 PM, Stefan Kania wrote:
> I would like to get the original DN from the user not the
> dn:*,cn=gssapi,cn=auth. So I put into my configuration:
> -----------------
> olcAuthzRegexp: {0}uid=(.+),cn=gssapi,cn=auth
> ldap:///dc=example,dc=net??sub?(uid=$1)
> -----------------

Looks correct to me.

> Dec 20 14:42:34 ldapserver slapd[493]: => access_allowed: auth access to
> "dc=example,dc=net" "entry" requested
> [..]
> Dec 20 14:42:34 ldapserver slapd[493]: => slap_access_allowed: auth
> access denied by none(=0)
> [..]
> When I add the rule:
> -----------------
> olcAccess: {1}to *  by * read
> -----------------
> ldapwhoami is working like I expected it:

anonymous needs auth access to the entries and attributes used for
authz-regexp mappings.

At minimum:

access to
  dn.subtree="dc=example,dc=net"
  attrs=entry,uid
    by anonymous auth

Access control is complex. YMMV. So don't use exactly these ACLs because
they will block other access you need.

Ciao, Michael.
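Putting the two pieces of the thread together, here is an added example of the complete cn=config change (not taken from the original post or from OpenLDAP's documentation): the authz-regexp mapping from the question plus an ACL that gives anonymous the auth access the mapping needs, without falling back to the overly broad "to * by * read" that made ldapwhoami work in the question. It assumes the suffix dc=example,dc=net from the thread, that the directory database is olcDatabase={1}mdb, and that users authenticate with GSSAPI and bind via the uid attribute; the two trailing olcAccess clauses are ordinary placeholder rules for an assumed setup and must be adapted to the real directory.

```ldif
# Added example, not from the original thread. Assumptions: suffix
# dc=example,dc=net, database olcDatabase={1}mdb, GSSAPI principals whose
# primary component equals the user's uid attribute.

# 1. Global mapping of the SASL authentication DN to the real entry.
#    The second line of the value is an LDIF continuation (leading space).
dn: cn=config
changetype: modify
replace: olcAuthzRegexp
olcAuthzRegexp: {0}uid=(.+),cn=gssapi,cn=auth
  ldap:///dc=example,dc=net??sub?(uid=$1)

# 2. Database ACLs. slapd evaluates olcAccess clauses in order and stops at
#    the first "to" clause that matches the target, so the auth grant for
#    anonymous must come before the general rules.
#
#    What was tried in the question (works, but lets anyone read the tree):
#      olcAccess: {1}to *  by * read
#
#    Instead, grant anonymous only auth access to the attributes the
#    authz-regexp search touches ("entry" pseudo-attribute and uid).
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to dn.subtree="dc=example,dc=net" attrs=entry,uid
  by anonymous auth
  by users read
  by * none
# Assumed placeholder rules for the rest of the directory: keep password
# hashes unreadable, give authenticated users read access, deny anonymous.
olcAccess: {1}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: {2}to *
  by users read
  by * none
```

Apply it with ldapmodify against the cn=config database (for example via ldapi:/// with EXTERNAL SASL as root) and then repeat the ldapwhoami test; the loglevel acl trace in the question should now show auth access to the entry and uid being granted to anonymous rather than "denied by none". Note that "by anonymous auth" in clause {0} is deliberately restricted to entry and uid; if the mapping filter in olcAuthzRegexp is changed to another attribute, that attribute has to be added to the attrs list as well.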