--On Thursday, January 14, 2021 10:27 PM +0000 gary.algier@mavenir.com wrote:
I have this in slapd.conf:
authz-regexp uid=([^,]*).*,cn=auth cn=$1,dc=old-domain,dc=Com
When I run: slapauth ServiceAccount@old-domain.com
Does anyone have any ideas why SLAPD does not translate? Or do I need to turn on a "allow non-DNs" switch? Or is it actually the ldapsearch command that is complaining. If the latter, is there a way to test?
From the man page:
authz-regexp <match> <replace>
Used by the authentication framework to convert simple user names, such as provided by SASL subsystem, or extracted from certificates in case of cert-based SASL EXTERNAL, or provided within the RFC 4370 "proxied authorization" control, to an LDAP DN used for authorization purposes.
It does not appear to me that you are using a SASL mechanism or the proxied authorization control, but a direct simple bind. Thus the authz-regexp will not fire. Additionally, your user is clearly not binding as "...,cn=auth", so it would never match the authz-regexp you've defined.
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
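The distinction Quanah draws, as an added example that is not part of the thread: a small Python model of how slapd treats the two bind types, with Gary's rule applied only to the SASL-style identity (uid=<user>,cn=<realm>,cn=<mech>,cn=auth) and never to a simple-bind DN. The identities below are constructed, and the model assumes unanchored, case-insensitive matching; consult slapd.conf(5) for the exact semantics of your build.

```python
import re

# Gary's rule from the thread, as (match, replace) pairs in slapd.conf order.
AUTHZ_REGEXP_RULES = [
    (r"uid=([^,]*).*,cn=auth", r"cn=$1,dc=old-domain,dc=Com"),
]


def apply_authz_regexp(identity, rules=AUTHZ_REGEXP_RULES):
    """Map a SASL authentication identity to an authorization DN.

    Simplified model of slapd's authz-regexp: the first rule whose <match>
    regex matches the identity wins, and $1..$9 in <replace> are filled from
    the capture groups. Returns None when no rule matches.
    Assumption: unanchored, case-insensitive matching (regexec-style).
    """
    for match, replace in rules:
        m = re.search(match, identity, flags=re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replace)
    return None


def authorization_dn(bind_kind, identity, rules=AUTHZ_REGEXP_RULES):
    """Decide which identity slapd authorizes for a bind.

    bind_kind is "simple" or "sasl". A simple bind supplies a DN directly and
    never passes through authz-regexp; a SASL bind supplies an authentication
    identity ending in ",cn=auth" that authz-regexp rewrites into a DN.
    """
    if bind_kind == "simple":
        return identity  # used verbatim, no rewriting happens
    if bind_kind == "sasl":
        return apply_authz_regexp(identity, rules)
    raise ValueError(f"unknown bind kind: {bind_kind!r}")


if __name__ == "__main__":
    # Constructed identities: a DIGEST-MD5 SASL identity, a simple-bind DN,
    # and the bare login name Gary passed to slapauth.
    for kind, ident in [
        ("sasl", "uid=ServiceAccount,cn=old-domain.com,cn=DIGEST-MD5,cn=auth"),
        ("simple", "cn=ServiceAccount,dc=old-domain,dc=com"),
        ("sasl", "ServiceAccount@old-domain.com"),
    ]:
        print(f"{kind:6} {ident!r:60} -> {authorization_dn(kind, ident)!r}")
```

Only the first identity is rewritten by the rule; the simple-bind DN is used as given, and the bare name produces no DN at all.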