--On Thursday, January 14, 2021 10:27 PM +0000 [email protected]
wrote:
> I have this in slapd.conf:
>
>     authz-regexp uid=([^,]*).*,cn=auth cn=$1,dc=old-domain,dc=Com
>
> When I run:
>
>     slapauth [email protected]
>
> Does anyone have any ideas why SLAPD does not translate? Or do I need
> to turn on an "allow non-DNs" switch? Or is it actually the ldapsearch
> command that is complaining? If the latter, is there a way to test?
>
> From the man page:
>
>     authz-regexp <match> <replace>
>            Used by the authentication framework to convert simple user
>            names, such as provided by SASL subsystem, or extracted from
>            certificates in case of cert-based SASL EXTERNAL, or provided
>            within the RFC 4370 "proxied authorization" control, to an
>            LDAP DN used for authorization purposes.
It does not appear to me that you are using a SASL mechanism or the proxied
authorization control, but a direct simple bind. Thus the authz-regexp
will not fire. Additionally, your user is clearly not binding as
"...,cn=auth", so it would never match the authz-regexp you've defined.
Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
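To make the point of the reply concrete, here is an added example (not code from the thread, from Quanah, or from OpenLDAP itself) that emulates the pattern/replace step of the authz-regexp rule posted above in Python. It builds the identity string slapd derives from a SASL bind ("uid=<user>[,cn=<realm>],cn=<mech>,cn=auth"), runs the rule over it, and shows that a simple-bind DN or an e-mail-style name never matches, which is why nothing is translated. The emulation anchors the match at the start of the identity and treats it case-insensitively; OpenLDAP compiles the pattern as a POSIX extended regex and recommends anchoring explicitly, so treat this as an illustration and confirm the real behaviour with slapauth(8) (for example with the SASL authcID given via -U), not as a substitute for it. The user names, mechanism and realm are constructed for the example.

```python
import re

# Constructed: the rule from the thread, in "authz-regexp <match> <replace>" form.
AUTHZ_REGEXP_RULES = [
    (r"uid=([^,]*).*,cn=auth", r"cn=$1,dc=old-domain,dc=Com"),
]


def sasl_authc_id(user, mech, realm=None):
    """Build the identity string slapd derives from a SASL bind.

    Format: uid=<user>[,cn=<realm>],cn=<mech>,cn=auth  (realm is optional).
    A simple bind never produces this form: slapd just sees the bind DN.
    """
    parts = ["uid=" + user]
    if realm:
        parts.append("cn=" + realm)
    parts += ["cn=" + mech, "cn=auth"]
    return ",".join(parts)


def apply_authz_regexp(identity, rules=AUTHZ_REGEXP_RULES):
    """Emulate the authz-regexp rewrite: first matching rule wins, $N is
    replaced by capture group N. Returns the rewritten DN, or None when no
    rule matches (in that case slapd leaves the identity untouched, so the
    DN you expected never appears).
    """
    for pattern, replace in rules:
        m = re.match(pattern, identity, re.IGNORECASE)
        if not m:
            continue
        return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), replace)
    return None


def explain(identity):
    """Human-readable verdict for one identity (used when run stand-alone)."""
    dn = apply_authz_regexp(identity)
    if dn is None:
        return "%-45s -> no authz-regexp matched (identity unchanged)" % identity
    return "%-45s -> %s" % (identity, dn)


if __name__ == "__main__":
    # Constructed sample identities.
    for ident in (
        sasl_authc_id("jdoe", "DIGEST-MD5"),               # SASL bind, no realm
        sasl_authc_id("jdoe", "GSSAPI", "EXAMPLE.COM"),    # SASL bind with realm
        "cn=jdoe,dc=old-domain,dc=Com",                    # simple bind: a DN, no cn=auth
        "jdoe@old-domain.com",                             # e-mail style name: no uid=, no cn=auth
    ):
        print(explain(ident))
```

Running it prints one line per identity; only the two SASL-form identities are rewritten to "cn=jdoe,dc=old-domain,dc=Com", while the simple-bind DN and the e-mail-style name fall through unchanged, exactly the situation the reply describes.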