Hello, I was wondering if it is a known issue that when using sasl authorization combined with the rewrite module, one doesn't have access to either the binddn or the authz dn. The rewrite context bindDN is only called when the client supplies a DN in the simple-bind fashion (-D when using ldapsearch).
But if one uses a sasl mechanism (in order to use proxy auth for example) then the binding will happen with the result of the authz-regexp rewrite but this is not in a context of slapo-rwm, whose bindDN context sees whatever, if any, arbitrary bind DN the request contained (for example through -D).
Additionally there is no context regarding the authorization DN, which is pretty much a necessity if you plan on using authFrom and have remapped the dit.
Thank you, Kostas Koukopoulos
----- "Konstantinos Koukopoulos" <kouk+Lists.openldap@noc.uoa.gr> wrote:
> Hello, I was wondering if it is a known issue that when using sasl authorization combined with the rewrite module, one doesn't have access to either the binddn or the authz dn. The rewrite context bindDN is only called when the client supplies a DN in the simple-bind fashion (-D when using ldapsearch).
> But if one uses a sasl mechanism (in order to use proxy auth for example) then the binding will happen with the result of the authz-regexp rewrite but this is not in a context of slapo-rwm, whose bindDN context sees whatever, if any, arbitrary bind DN the request contained (for example through -D).
> Additionally there is no context regarding the authorization DN, which is pretty much a necessity if you plan on using authFrom and have remapped the dit.
Yes, it is a known issue. When slapo-rwm was first designed, however, it could only be stacked on top of a database, so it would have been bypassed by SASL bind anyway. However, it is not clear (to me) why one should rewrite a DN resulting from an authz-regexp instead of directly modifying the authz-regexp in the first place.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: ando@sys-net.it
On Thursday 24 July 2008 19:07:38 Pierangelo Masarati wrote:
> Yes, it is a known issue. When slapo-rwm was first designed, however, it could only be stacked on top of a database, so it would have been bypassed by SASL bind anyway.
Would that still be the case if internal auxprop authentication was used? In that case I think that a SASL bind would result in an internal search op being performed. The problem then on the slapo-rwm level is how to distinguish between the search performed in order to complete the SASL bind and other searches.
> However, it is not clear (to me) why one should rewrite a DN resulting from a authz-regexp instead of directly modifying the authz-regexp in the first place.
The downside of using authz-regexp is that it seems you cannot assign a variable with the '${&&name(value)}' syntax and make it available to the other rewrite contexts using '${**name}'. If authz-regexp was somehow integrated with slapo-rwm then there wouldn't be a problem.
----- "Konstantinos Koukopoulos" <kouk+Lists.openldap@noc.uoa.gr> wrote:
> On Thursday 24 July 2008 19:07:38 Pierangelo Masarati wrote:
> > Yes, it is a known issue. When slapo-rwm was first designed, however, it could only be stacked on top of a database, so it would have been bypassed by SASL bind anyway.
> Would that still be the case if internal auxprop authentication was used? In that case I think that a SASL bind would result in an internal search op being performed. The problem then on the slapo-rwm level is how to distinguish between the search performed in order to complete the SASL bind and other searches.
> > However, it is not clear (to me) why one should rewrite a DN resulting from a authz-regexp instead of directly modifying the authz-regexp in the first place.
> The downside of using authz-regexp is that it seems you cannot assign a variable with the '${&&name(value)}' syntax and make it available to the other rewrite contexts using '${**name}'. If authz-regexp was somehow integrated with slapo-rwm then there wouldn't be a problem.
Well, authz-regexp uses exactly the same utility as slapo-rwm. However, the two rewrites belong to independent sessions. Probably, slapd should allow cross-session variable population to yield the capability you're looking for. This requires some work at the librewrite level. Please file an ITS for a feature request in this sense.
p.
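As an added illustration of the two points above (the '${&&name(value)}' / '${**name}' variables Kostas mentions, and the separate rewrite sessions Pierangelo describes), here is a constructed slapd.conf fragment that is not part of the thread. The DIT names, the backend host and the variable name "callerdn" are assumptions; directive syntax follows slapo-rwm(5) and slapd.conf(5).

```conf
# Constructed slapd.conf fragment (added example, not from the thread).
# dc=example,dc=com, o=virtual, backend.example.com and "callerdn" are
# hypothetical names chosen for illustration.

# Global section: map a SASL authentication identity to a real DN.
# This rewrite runs in the SASL layer's own librewrite session, so a
# variable assigned here with ${&&name(...)} is not visible to the
# slapo-rwm instance further down.
authz-regexp "^uid=([^,]+),cn=[^,]+,cn=auth$"
             "uid=$1,ou=people,dc=example,dc=com"

database   ldap
suffix     "o=virtual"
uri        "ldap://backend.example.com/"

overlay    rwm
rwm-rewriteEngine on

# Only a simple bind (ldapsearch -D ...) enters this context.  The rule
# stores the caller's real DN in a session-wide variable ('&&') and
# substitutes that same value as the rewritten bind DN.
rwm-rewriteContext bindDN
rwm-rewriteRule "^uid=([^,]+),o=virtual$"
                "${&&callerdn(uid=$1,ou=people,dc=example,dc=com)}" ":"

# Any later context in the same rwm session can read it back with '**'.
# Here "cn=self,o=virtual" is redirected to the bound user's own entry;
# everything else only gets its suffix massaged.  ":@" stops after the
# first rule matches so the generic rule does not rewrite it again.
rwm-rewriteContext searchDN
rwm-rewriteRule "^cn=self,o=virtual$" "${**callerdn()}"       ":@"
rwm-rewriteRule "^(.*)o=virtual$"     "$1dc=example,dc=com"  ":"

# A SASL bind never runs the bindDN context: the authz-regexp result is
# used as the bound DN directly, so on that connection "callerdn" is
# never assigned and the cn=self rule has nothing to substitute.
```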
On Friday 25 July 2008 12:56:08 Pierangelo Masarati wrote:
> Well, authz-regexp uses exactly the same utility of slapo-rwm. However, the two rewrites belong to independent sessions. Probably, slapd should allow cross-session variable population to yield the capability you're looking for. This requires some work at the librewrite level. Please file an ITS for a feature request in this sense.
Perhaps an alternative solution instead of cross-session variables would be to first make sasl_authz_regexp use a session based on the connection and then make slapo-rwm aware of the sasl_rwinfo structure in a way that slapo-rwm would use the same session as sasl_authz_regexp per connection and the session variables would be shared. If that's a possibility I could file an ITS for a feature request mentioning both solutions.
On Friday 25 July 2008 13:55:46 Konstantinos Koukopoulos wrote:
> On Friday 25 July 2008 12:56:08 Pierangelo Masarati wrote:
> > Well, authz-regexp uses exactly the same utility of slapo-rwm. However, the two rewrites belong to independent sessions. Probably, slapd should allow cross-session variable population to yield the capability you're looking for. This requires some work at the librewrite level. Please file an ITS for a feature request in this sense.
> Perhaps an alternative solution instead of cross-session variables would be to first make sasl_authz_regexp use a session based on the connection and then make slapo-rwm aware of the sasl_rwinfo structure in a way that slapo-rwm would use the same session as sasl_authz_regexp per connection and the session variables would be shared. If that's a possibility I could file an ITS for a feature request mentioning both solutions.
I filed the ITS here: http://www.openldap.org/its/index.cgi?findid=5630
> I filed the ITS here: http://www.openldap.org/its/index.cgi?findid=5630
Thanks, although I probably won't be able to work on that for a while.
p.