7:43 a.m.
Hi,
I face a strange behaviour of a authz regexp. This is part of my
slapd.conf
authz-regexp "gidNumber=(.*)\+uidNumber=(.*),cn=peercred,cn=external,cn= auth"
"ldap:///o=avci,c=de?dn?sub?(&(uidNumber=$2)(gidNumber=$1))"
The result of a ldapwhoami:
SASL/EXTERNAL authentication started
SASL username: gidNumber=100+uidNumber=1000,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn:gidNumber=100+uidNumber=1000,cn=peercred,cn=external,cn=auth
A result of search
ldapsearch -Y EXTERNAL -H ldapi:/// -b o=avci,c=de -s sub
"(&(gidNumber=100)(uidNumber=1000))" dn
dn: cn=Dieter Kluenter,ou=Partner,o=avci,c=de
result: 0 Success
This regexp has been working for ages, in fact it hasn't been changed
since Ando's first announcement.
Any idea what might have been changed?
-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
2:40 p.m.
On 4/14/19 4:43 PM, Dieter Kluenter wrote:
I face a strange behaviour of a authz regexp. This is part of my
slapd.conf
authz-regexp "gidNumber=(.*)\+uidNumber=(.*),cn=peercred,cn=external,cn= auth"
"ldap:///o=avci,c=de?dn?sub?(&(uidNumber=$2)(gidNumber=$1))"
The result of a ldapwhoami:
SASL/EXTERNAL authentication started
SASL username: gidNumber=100+uidNumber=1000,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn:gidNumber=100+uidNumber=1000,cn=peercred,cn=external,cn=auth
A result of search
ldapsearch -Y EXTERNAL -H ldapi:/// -b o=avci,c=de -s sub
"(&(gidNumber=100)(uidNumber=1000))" dn
dn: cn=Dieter Kluenter,ou=Partner,o=avci,c=de
result: 0 Success
This regexp has been working for ages, in fact it hasn't been changed
since Ando's first announcement.
Any idea what might have been changed?
Any change in your ACLs?
Maybe an ACL is now blocking auth access to entry
'cn=Dieter Kluenter,ou=Partner,o=avci,c=de'.
Ciao, Michael.
1:48 a.m.
"Dieter Kluenter" <dieter(a)dkluenter.de> writes:
Hi,
I face a strange behaviour of a authz regexp. This is part of my
slapd.conf
authz-regexp "gidNumber=(.*)\+uidNumber=(.*),cn=peercred,cn=external,cn= auth"
"ldap:///o=avci,c=de?dn?sub?(&(uidNumber=$2)(gidNumber=$1))"
The result of a ldapwhoami:
SASL/EXTERNAL authentication started
SASL username: gidNumber=100+uidNumber=1000,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn:gidNumber=100+uidNumber=1000,cn=peercred,cn=external,cn=auth
A result of search
ldapsearch -Y EXTERNAL -H ldapi:/// -b o=avci,c=de -s sub
"(&(gidNumber=100)(uidNumber=1000))" dn
dn: cn=Dieter Kluenter,ou=Partner,o=avci,c=de
result: 0 Success
This sequence looks a bit strange:
...
5cb44468 connection_read(16): checking for input on id=1000
ber_get_next
ldap_read: want=8, got=7
0000: 30 05 02 01 03 42 00 0....B.
ber_get_next: tag 0x30 len 5 contents:
ber_dump: buf=0x7f4fa41040a0 ptr=0x7f4fa41040a0 end=0x7f4fa41040a5 len=5
0000: 02 01 03 42 00 ...B.
5cb44468 op tag 0x42, time 1555317864
ber_get_next
ldap_read: want=8, got=0
...
-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
1696
days inactive
1697
days old
openldap-technical@openldap.org
2 comments
2 participants
participants (2)
-
Dieter Kluenter -
Michael Ströder