HI!
I tried to migrate an existing server from 2.3.39 to 2.4.7 (or also CVS RE24). I'm making use of authz-regexp to map user entries when they do a SASL Bind with DIGEST-MD5. Also some ACLs are in effect. This together used to work on 2.3.x with the existing ACLs.
With 2.4.7 this worked no longer. The user wasn't found. In the ACL debug log I've noticed that access to the search root database entry (suffix) is requested. When I explicitly grant auth access to this entry it works. But why is that needed? Was this an intended change?
Ciao, Michael.
Michael Ströder wrote:
HI!
I tried to migrate an existing server from 2.3.39 to 2.4.7 (or also CVS RE24). I'm making use of authz-regexp to map user entries when they do a SASL Bind with DIGEST-MD5. Also some ACLs are in effect. This together used to work on 2.3.x with the existing ACLs.
With 2.4.7 this worked no longer. The user wasn't found. In the ACL debug log I've noticed that access to the search root database entry (suffix) is requested. When I explicitly grant auth access to this entry it works. But why is that needed? Was this an intended change?
Ciao, Michael.
Can you paste them?
Gavin Henry wrote:
Michael Ströder wrote:
I tried to migrate an existing server from 2.3.39 to 2.4.7 (or also CVS RE24). I'm making use of authz-regexp to map user entries when they do a SASL Bind with DIGEST-MD5. Also some ACLs are in effect. This together used to work on 2.3.x with the existing ACLs.
With 2.4.7 this worked no longer. The user wasn't found. In the ACL debug log I've noticed that access to the search root database entry (suffix) is requested. When I explicitly grant auth access to this entry it works. But why is that needed? Was this an intended change?
Can you paste them?
I've prepared a simplified slapd.conf and a LDIF file (both attached) for this particular migration issue.
Take note of this:
authz-regexp "uid=([a-zA-Z0-9]+),cn=digest-md5,cn=auth" "ldap:///ou=authz-test,dc=stroeder,dc=local??sub?(uid=$1)" [..] access to dn.onelevel="ou=Users,ou=authz-test,dc=stroeder,dc=local" by * auth
See test of recent RE23 (port 2003) vs. recent RE24 (port 2004):
----------------------------- snip ----------------------------- $ /opt/openldap-RE24/bin/ldapwhoami -H "ldap://localhost:2003" -Y DIGEST-MD5 -w testsecret SASL/DIGEST-MD5 authentication started SASL username: michael SASL SSF: 128 SASL data security layer installed. dn:uid=michael,ou=users,ou=authz-test,dc=stroeder,dc=local $ /opt/openldap-RE24/bin/ldapwhoami -H "ldap://localhost:2004" -Y DIGEST-MD5 -w testsecret SASL/DIGEST-MD5 authentication started ldap_sasl_interactive_bind_s: Invalid credentials (49) m ----------------------------- snip -----------------------------
If I grant auth access to the database root entry ou=authz-test,dc=stroeder,dc=local it works (see comment of this particular ACL in attached slapd.conf). With RE23 it also works without this ACL!
Ciao, Michael.
include /opt/openldap-RE24/etc/openldap/schema/core.schema include /opt/openldap-RE24/etc/openldap/schema/cosine.schema
# Define global ACLs to disable default read access.
pidfile /home/michael/temp/openldap-authzto-testbed/RE24/run/slapd-1.pid argsfile /home/michael/temp/openldap-authzto-testbed/RE24/run/slapd-1.args
modulepath /opt/openldap-RE24/libexec/openldap
moduleload back_hdb.la
authz-regexp "uid=([a-zA-Z0-9]+),cn=digest-md5,cn=auth" "ldap:///ou=authz-test,dc=stroeder,dc=local??sub?(uid=$1)"
database hdb
suffix "ou=authz-test,dc=stroeder,dc=local" directory /home/michael/temp/openldap-authzto-testbed/RE24/data
# Index-Konfiguration index objectClass,uid eq
sizelimit -1
# User entries # ------------------------
access to dn.onelevel="ou=Users,ou=authz-test,dc=stroeder,dc=local" by * auth
# Why the hell is this ACL needed for SASL Bind with authz-regexp with OpenLDAP 2.4? access to dn.base="ou=authz-test,dc=stroeder,dc=local" by * auth
Michael Ströder wrote:
Gavin Henry wrote:
Michael Ströder wrote:
I tried to migrate an existing server from 2.3.39 to 2.4.7 (or also CVS RE24). I'm making use of authz-regexp to map user entries when they do a SASL Bind with DIGEST-MD5. Also some ACLs are in effect. This together used to work on 2.3.x with the existing ACLs.
With 2.4.7 this worked no longer. The user wasn't found. In the ACL debug log I've noticed that access to the search root database entry (suffix) is requested. When I explicitly grant auth access to this entry it works. But why is that needed? Was this an intended change?
Can you paste them?
I've prepared a simplified slapd.conf and a LDIF file (both attached) for this particular migration issue.
As requested I've files an ITS for that:
http://www.openldap.org/its/index.cgi?findid=5400
Ciao, Michael.
openldap-software@openldap.org