I'm setting up a new primary server and chose 2.4 (HEAD) as the server for that... Might not be a good idea to use 2.4 in a production environment, but... :)
Anyway, I set up an authz-regexp as I have on my 2.2 servers, like this:

----- s n i p -----
authz-regexp uid=(.*),cn=bayour.com,cn=gssapi,cn=auth
        ldap:///c=SE??sub?krb5PrincipalName=$1@BAYOUR.COM
----- s n i p -----
Unfortunately, ldapwhoami/slapd doesn't map this to my DN. An anonymous LDAP search will retrieve my object correctly:

----- s n i p -----
root@rigel# ldapsearch -LLL -H ldapi://%2fvar%2frun%2fslapd%2fldapi.provider krb5PrincipalName=turbo@BAYOUR.COM dn
SASL/GSSAPI authentication started
SASL username: turbo@BAYOUR.COM
SASL SSF: 56
SASL data security layer installed.
dn: uid=turbo,ou=People,o=Fredriksson,c=SE

root@rigel# ldapsearch -x -LLL -H ldapi://%2fvar%2frun%2fslapd%2fldapi.provider krb5PrincipalName=turbo@BAYOUR.COM dn
dn: uid=turbo,ou=People,o=Fredriksson,c=SE
----- s n i p -----
And ldapwhoami shows:

----- s n i p -----
root@rigel# ldapwhoami -H ldapi://%2fvar%2frun%2fslapd%2fldapi.provider
SASL/GSSAPI authentication started
SASL username: turbo@BAYOUR.COM
SASL SSF: 56
SASL data security layer installed.
dn:uid=turbo,cn=bayour.com,cn=gssapi,cn=auth
----- s n i p -----
Running slapd with '-d -1' shows this when it tries to map my ticket/authzID (?):

----- s n i p -----
[...]
put_simple_filter: "krb5PrincipalName=turbo@BAYOUR.COM"
begin get_filter EQUALITY
[...]
slap_sasl2dn: performing internal search (base=c=se, scope=2)
=> hdb_search
bdb_dn2entry("c=se")
=> access_allowed: auth access to "c=SE" "entry" requested
=> dn: [1]
=> dn: [2] cn=log1
=> dn: [3] cn=log1
=> dn: [4] cn=monitor
=> dn: [5] cn=subschema
=> dn: [6] cn=config
=> acl_get: [8] attr entry
=> acl_mask: access to entry "c=SE", attr "entry" requested
=> acl_mask: to all values by "", (=0)
<= check a_dynacl
<= check a_dynacl: aci
<= aci_list_get_attr_rights test objectClass#public# for entry -> failed
<= aci_list_get_attr_rights test objectClass#public# for [all] -> failed
<= aci_list_get_attr_rights test userReference#public# for entry -> failed
<= aci_list_get_attr_rights test userReference#public# for [all] -> failed
<= aci_list_get_attr_rights test entry#public# for entry -> ok
<= aci_list_get_attr_rights rights r,s,c;entry#public# to mask 0x39
<= aci_list_get_attr_rights test entry#public# for [all] -> failed
<= aci_list_get_attr_rights test useControls#users# for entry -> failed
<= aci_list_get_attr_rights test useControls#users# for [all] -> failed
<= aci_list_get_attr_rights test useEzmlm#users# for entry -> failed
<= aci_list_get_attr_rights test useEzmlm#users# for [all] -> failed
<= aci_list_get_attr_rights test useBind9#users# for entry -> failed
<= aci_list_get_attr_rights test useBind9#users# for [all] -> failed
<= aci_list_get_attr_rights test useWebSrv#users# for entry -> failed
<= aci_list_get_attr_rights test useWebSrv#users# for [all] -> failed
<= aci_list_get_attr_rights test autoReload#users# for entry -> failed
<= aci_list_get_attr_rights test autoReload#users# for [all] -> failed
<= aci_list_get_attr_rights test allowServerChange#users# for entry -> failed
<= aci_list_get_attr_rights test allowServerChange#users# for [all] -> failed
<= aci_list_get_attr_rights test whoAreWe#users# for entry -> failed
<= aci_list_get_attr_rights test whoAreWe#users# for [all] -> failed
<= aci_list_get_attr_rights test language#users# for entry -> failed
<= aci_list_get_attr_rights test language#users# for [all] -> failed
<= aci_list_get_attr_rights test hostMaster#users# for entry -> failed
<= aci_list_get_attr_rights test hostMaster#users# for [all] -> failed
<= aci_list_get_attr_rights test ezmlmBinaryPath#users# for entry -> failed
<= aci_list_get_attr_rights test ezmlmBinaryPath#users# for [all] -> failed
<= aci_list_get_attr_rights test krb5RealmName#users# for entry -> failed
<= aci_list_get_attr_rights test krb5RealmName#users# for [all] -> failed
<= aci_list_get_attr_rights test krb5AdminServer#users# for entry -> failed
<= aci_list_get_attr_rights test krb5AdminServer#users# for [all] -> failed
<= aci_list_get_attr_rights test krb5PrincipalName#users# for entry -> failed
<= aci_list_get_attr_rights test krb5PrincipalName#users# for [all] -> failed
<= aci_list_get_attr_rights test krb5AdminKeytab#users# for entry -> failed
<= aci_list_get_attr_rights test krb5AdminKeytab#users# for [all] -> failed
<= aci_list_get_attr_rights test krb5AdminCommandPath#users# for entry -> failed
<= aci_list_get_attr_rights test krb5AdminCommandPath#users# for [all] -> failed
<= aci_list_get_attr_rights test controlBaseDn#users# for entry -> failed
<= aci_list_get_attr_rights test controlBaseDn#users# for [all] -> failed
<= aci_list_get_attr_rights test ezmlmAdministrator#users# for entry -> failed
<= aci_list_get_attr_rights test ezmlmAdministrator#users# for [all] -> failed
<= aci_list_get_attr_rights test controlsAdministrator#users# for entry -> failed
<= aci_list_get_attr_rights test controlsAdministrator#users# for [all] -> failed
<= aci_list_get_attr_rights test useACI#users# for entry -> failed
<= aci_list_get_attr_rights test useACI#users# for [all] -> failed
<= aci_list_get_attr_rights test [all]#access-id#uid=turbo,ou=people,o=fredriksson,c=se for entry -> failed
<= aci_list_get_attr_rights test [all]#access-id#uid=turbo,ou=people,o=fredriksson,c=se for [all] -> ok
<= aci_list_get_attr_rights rights w,r,s,c,x;[all]#access-id#uid=turbo,ou=people,o=fredriksson,c=se to mask 0x37d
<= aci_mask grant =rsc deny =0
<= acl_mask: [2] applying +rsc (stop)
<= acl_mask: [2] mask: =rsc
=> slap_access_allowed: auth access denied by =rsc
=> access_allowed: no more rules
----- s n i p -----
So question number one is: why does it start in my suffix? And why does it fail, even though it succeeded in what it was looking for (attr 'entry')?
Oh, another thing that would be _nice_ (not that I need it now, but you never know :). The following authz-regexp doesn't work (because krb5PrincipalName is case sensitive - ?):

----- s n i p -----
authz-regexp uid=(.*),cn=(.*),cn=gssapi,cn=auth
        ldap:///c=SE??sub?krb5PrincipalName=$1@$2
----- s n i p -----
Any ideas on how to do this (without having multiple authz-regexps)?
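An added example (not from the post or from OpenLDAP) that emulates the authz-regexp step in Python to show where the second rule can break: the SASL authzDN carries the realm as cn=bayour.com, so $2 produces a filter for turbo@bayour.com, which only matches the stored turbo@BAYOUR.COM if the attribute's matching rule ignores case. The directory entry is constructed from the post, and case-insensitive regex matching plus the exactly-one-result requirement are modelling assumptions, not verified against slapd's source.

```python
import re

# Constructed to mirror the two authz-regexp lines in the post:
# (regex matched against the SASL authzDN, replacement with $1..$9).
RULES = [
    (r"uid=(.*),cn=bayour.com,cn=gssapi,cn=auth",
     "ldap:///c=SE??sub?krb5PrincipalName=$1@BAYOUR.COM"),
    (r"uid=(.*),cn=(.*),cn=gssapi,cn=auth",
     "ldap:///c=SE??sub?krb5PrincipalName=$1@$2"),
]

# Constructed stand-in for the directory; only the attribute the filter uses.
DIRECTORY = {
    "uid=turbo,ou=People,o=Fredriksson,c=SE": {"krb5PrincipalName": "turbo@BAYOUR.COM"},
}

def authz_map(authz_dn, rules=RULES):
    """First rule whose regex matches the authzDN wins; $N is filled from its
    groups. Case-insensitive regex matching is an assumption about slapd."""
    for pattern, repl in rules:
        m = re.fullmatch(pattern, authz_dn, flags=re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), repl)
    return None  # no rule matched: the authzDN stays as it is

def parse_ldap_url(url):
    """Split ldap:///base?attrs?scope?filter into its four fields."""
    fields = url[len("ldap:///"):].split("?") + [""] * 3
    base, attrs, scope, filt = fields[:4]
    return {"base": base, "attrs": attrs, "scope": scope or "base", "filter": filt}

def resolve(authz_dn, rules=RULES, case_exact=True):
    """Map the authzDN, then run the URL's equality filter against DIRECTORY.
    case_exact models the matching rule of the filtered attribute; the mapping
    is taken to succeed only when exactly one entry matches."""
    url = authz_map(authz_dn, rules)
    if url is None or not url.startswith("ldap:///"):
        return url  # unmapped, or mapped directly to a DN
    attr, _, value = parse_ldap_url(url)["filter"].partition("=")
    norm = (lambda s: s) if case_exact else str.lower
    hits = [dn for dn, entry in DIRECTORY.items()
            if attr in entry and norm(entry[attr]) == norm(value)]
    return hits[0] if len(hits) == 1 else None

if __name__ == "__main__":
    sasl_dn = "uid=turbo,cn=bayour.com,cn=gssapi,cn=auth"  # from the ldapwhoami output
    print(resolve(sasl_dn))                               # fixed-realm rule: DN found
    print(authz_map(sasl_dn, RULES[1:]))                  # $2 yields ...@bayour.com
    print(resolve(sasl_dn, RULES[1:]))                    # None under case-exact matching
    print(resolve(sasl_dn, RULES[1:], case_exact=False))  # DN found if case is ignored
```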