On 12/14/12 03:26 +0400, Василий Молостов wrote:
> Hi,
> I have the following directive in the slapd.conf:
> authz-regexp gidNumber=([^0][0-9]+).uidNumber=([^0][0-9]+),cn=peercred,cn=external,cn=auth ldapi:///ou=people,dc=local???(uidNumber=$2)
See slapd.conf(5):
'The protocol portion of the URI must be strictly ldap.'
You should replace your 'ldapi' with 'ldap'. The search is actually internal anyway.
> but the server is unable to fetch it (slap_sasl2dn: Converted SASL name to <nothing>)
> Here is the trace output (slapd -d 2177 -h "ldapi:/// ldaps:/// ldap:///"):
> 50ca62b8 >>> dnPrettyNormal: <>
> 50ca62b8 <<< dnPrettyNormal: <>, <>
> 50ca62b8 do_bind: dn () SASL mech EXTERNAL
> 50ca62b8 ==>slap_sasl2dn: converting SASL name gidNumber=1000+uidNumber=1000,cn=peercred,cn=external,cn=auth to a DN
> 50ca62b8 ==> rewrite_context_apply [depth=1] string='gidNumber=1000+uidNumber=1000,cn=peercred,cn=external,cn=auth'
> 50ca62b8 ==> rewrite_rule_apply rule='gidNumber=([^0][0-9]+).uidNumber=([^0][0-9]+),cn=peercred,cn=external,cn=auth' string='gidNumber=1000+uidNumber=1000,cn=peercred,cn=external,cn=auth' [1 pass(es)]
> 50ca62b8 ==> rewrite_context_apply [depth=1] res={0,'ldapi:///ou=people,dc=local??sub?(uidNumber=1000)'}
> 50ca62b8 slap_parseURI: parsing ldapi:///ou=people,dc=local??sub?(uidNumber=1000)
> ldap_url_parse_ext(ldapi:///ou=people,dc=local??sub?(uidNumber=1000))
> 50ca62b8 <==slap_sasl2dn: Converted SASL name to <nothing>
> 50ca62b8 SASL Authorize [conn=1001]: proxy authorization allowed authzDN=""
> 50ca62b8 send_ldap_sasl: err=0 len=-1
> 50ca62b8 do_bind: SASL/EXTERNAL bind: dn="gidNumber=1000+uidNumber=1000,cn=peercred,cn=external,cn=auth" sasl_ssf=0
> 50ca62b8 send_ldap_response: msgid=1 tag=97 err=0
> Direct SASL authz mapping works fine, but the URI does not. What's wrong with this stuff?
> How can I check URI correctness for slapd, or get tracing info from ldap_url_parse_ext/slap_sasl2dn about why they returned nothing?
> With which access rights does slapd do its internal query? How do I configure them?
Also addressed in the manpage:
'Note that this search is subject to access controls. Specifically, the authentication identity must have "auth" access in the subject.'
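For reference, a slapd.conf fragment that applies both points (the ldap scheme and "auth" access for the internal search). This is an added example, not the poster's configuration; the suffix ou=people,dc=local and the sub scope are taken from the trace above, while the surrounding "by self"/"by users"/"by *" clauses are placeholders for whatever ACLs the directory already has.

```conf
# Added example (not the poster's config): map the ldapi peer credentials
#   gidNumber=<gid>+uidNumber=<uid>,cn=peercred,cn=external,cn=auth
# to the entry under ou=people,dc=local whose uidNumber matches.
#
# The URI scheme must be "ldap": the search is internal, and slap_parseURI
# rejects "ldapi", which is why the trace above ends in
# "Converted SASL name to <nothing>".
# "[+]" matches the literal "+" joining the two RDN components; the original
# rule used ".", which matches any single character.
authz-regexp
    "^gidNumber=([^0][0-9]+)[+]uidNumber=([^0][0-9]+),cn=peercred,cn=external,cn=auth$"
    "ldap:///ou=people,dc=local??sub?(uidNumber=$2)"

# The internal search runs as the still-unmapped SASL identity, so that
# identity needs "auth" access to the entries it searches (slapd.conf(5)).
# "by" clauses are first-match: keep this one ahead of any "by * none".
access to dn.subtree="ou=people,dc=local"
    by dn.regex="^gidNumber=[0-9]+[+]uidNumber=[0-9]+,cn=peercred,cn=external,cn=auth$" auth
    by self write
    by users read
    by * none
```

After restarting slapd, `ldapwhoami -Y EXTERNAL -H ldapi:///` should now report the mapped entry's DN instead of the raw gidNumber+uidNumber identity.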