Hi, I face a strange behaviour of an authz regexp. This is part of my slapd.conf:
authz-regexp "gidNumber=(.*)+uidNumber=(.*),cn=peercred,cn=external,cn= auth" "ldap:///o=avci,c=de?dn?sub?(&(uidNumber=$2)(gidNumber=$1))"
The result of a ldapwhoami:
SASL/EXTERNAL authentication started
SASL username: gidNumber=100+uidNumber=1000,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn:gidNumber=100+uidNumber=1000,cn=peercred,cn=external,cn=auth
A result of search
ldapsearch -Y EXTERNAL -H ldapi:/// -b o=avci,c=de -s sub "(&(gidNumber=100)(uidNumber=1000))" dn
dn: cn=Dieter Kluenter,ou=Partner,o=avci,c=de
result: 0 Success
This regexp has been working for ages, in fact it hasn't been changed since Ando's first announcement.
Any idea what might have been changed?
-Dieter
On 4/14/19 4:43 PM, Dieter Kluenter wrote:
> I face a strange behaviour of an authz regexp. This is part of my slapd.conf:
> authz-regexp "gidNumber=(.*)+uidNumber=(.*),cn=peercred,cn=external,cn= auth" "ldap:///o=avci,c=de?dn?sub?(&(uidNumber=$2)(gidNumber=$1))"
> The result of a ldapwhoami:
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=100+uidNumber=1000,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> dn:gidNumber=100+uidNumber=1000,cn=peercred,cn=external,cn=auth
> A result of search
> ldapsearch -Y EXTERNAL -H ldapi:/// -b o=avci,c=de -s sub "(&(gidNumber=100)(uidNumber=1000))" dn
> dn: cn=Dieter Kluenter,ou=Partner,o=avci,c=de
> result: 0 Success
> This regexp has been working for ages, in fact it hasn't been changed since Ando's first announcement.
> Any idea what might have been changed?
Any change in your ACLs?
Maybe an ACL is now blocking auth access to entry 'cn=Dieter Kluenter,ou=Partner,o=avci,c=de'.
Ciao, Michael.
"Dieter Kluenter" dieter@dkluenter.de writes:
> Hi, I face a strange behaviour of an authz regexp. This is part of my slapd.conf:
> authz-regexp "gidNumber=(.*)+uidNumber=(.*),cn=peercred,cn=external,cn= auth" "ldap:///o=avci,c=de?dn?sub?(&(uidNumber=$2)(gidNumber=$1))"
> The result of a ldapwhoami:
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=100+uidNumber=1000,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> dn:gidNumber=100+uidNumber=1000,cn=peercred,cn=external,cn=auth
> A result of search
> ldapsearch -Y EXTERNAL -H ldapi:/// -b o=avci,c=de -s sub "(&(gidNumber=100)(uidNumber=1000))" dn
> dn: cn=Dieter Kluenter,ou=Partner,o=avci,c=de
> result: 0 Success
This sequence looks a bit strange:
...
5cb44468 connection_read(16): checking for input on id=1000
ber_get_next
ldap_read: want=8, got=7
  0000:  30 05 02 01 03 42 00                               0....B.
ber_get_next: tag 0x30 len 5 contents:
ber_dump: buf=0x7f4fa41040a0 ptr=0x7f4fa41040a0 end=0x7f4fa41040a5 len=5
  0000:  02 01 03 42 00                                     ...B.
5cb44468 op tag 0x42, time 1555317864
ber_get_next
ldap_read: want=8, got=0
...
-Dieter
openldap-technical@openldap.org