Re: Problems with Kerberos SASL bind to LDAP



At 09:30 AM 2001-10-18, Graeme Mathieson wrote:
>I'm currently trying to build a whole new authentication and user
>database system.  I'm using OpenLDAP (2.0.14) to store all the various
>bits and pieces about the users and Kerberos (MIT 1.2.2) to do all the
>authentication.  I've got bits and pieces working nicely.  So far, so
>good.
>
>I was about to describe how I was having a couple of issues, but I think
>I've just had an epiphany.  When you're doing a SASL bind, the
>authentication id is your Kerberos principal, correct?  And the
>authorization id is the DN you want to bind as, right?

In 2.0, the client (user) should not specify an authorization
identity as the server doesn't support proxy authorization.
The server will derive an appropriate authorization identity
from the authentication identity.

>If so, that neatly brings me onto the second issue.  How do I associate
>a particular kerberos principal with a particular DN?

In 2.0, you let the server map the authentication identity
to an authorization identity and then base ACLs on this.

>I currently get
>from the server:
>
>SASL Authorize [conn=5]: "ldapadm" as \
>  "dn:cn=ldapadm,ou=People,dc=wossname,dc=org,dc=uk" disallowed. No \
>  policy.

2.0 doesn't support proxy authorization. 

>when I attempt to bind with something along the lines of:
>
>drusilla:/var/tmp/openssl-0.9.6a# ldapsearch -X \
>  dn:"cn=ldapadm,ou=People,dc=wossname,dc=org,dc=uk" \
>  -H ldap://ldap.wossname.org.uk/ -ZZ -s base -b "" supportedSASLMechanisms
>
>However, if I try with:
>
>drusilla:/var/tmp/openssl-0.9.6a# ldapsearch -X ldapadm \
>  -H ldap://ldap.wossname.org.uk/ -ZZ -s base -b "" supportedSASLMechanisms
>
>it works OK.  If I try *anything* else as the authorization id
>(including ldapadm@WOSSNAME.ORG.UK), it fails in the same way as
>above.

Yes.

>Another thing I've noticed ... I've been following the howto at
>http://www.bayour.com/LDAPv3-HOWTO.html which has proved to be
>particularly helpful.  However, I'm having trouble with the following
>access stanza in slapd.conf:
>
>access to *
>        by dn="cn=admin,ou=People,dc=wossname,dc=org,dc=uk" write
>        by dn="uid=ldapadm.+\+realm=WOSSNAME.ORG.UK" write
>        by * read
>
>I don't get the second 'by dn=...' line.  Would somebody care to explain
>it?

That regex is matching a subject DN of the form generated through
SASL authentication.

>Having played around, I've discovered that it doesn't match my bind
>against the database above which successfully binds.  If I reduce it to
>
>access to *
>        ...
>        by dn="uid=ldapadm" write
>        ...
>
>it does work.

>This probably doesn't make much sense.  I'm currently way out of my
>depth with trying to understand all this.  Any help would be greatly
>appreciated.

The form of the SASL authorization identities in 2.0 is:
        uid=USER[,realm=REALM]

Your configuration is such that there is no REALM visible to
slapd.
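
Added example (not part of the original message, and not OpenLDAP code): a Python model of how the `by dn=` regexes in the stanzas quoted above behave against the subject DN form given in the reply. It assumes slapd applies each pattern as an unanchored, case-insensitive regex and stops at the first matching `by` clause; Python's `re` stands in for slapd's regex engine, and `uid=ldapadmin` and the anchored patterns are constructed for illustration.

```python
import re

# <who> clauses from the post, in order (assumption: first match wins).
HOWTO_ACL = [
    (r"cn=admin,ou=People,dc=wossname,dc=org,dc=uk", "write"),
    (r"uid=ldapadm.+\+realm=WOSSNAME.ORG.UK", "write"),
    (r".*", "read"),  # by * read
]

# The reduced stanza the poster found to work.
REDUCED_ACL = [
    (r"cn=admin,ou=People,dc=wossname,dc=org,dc=uk", "write"),
    (r"uid=ldapadm", "write"),
    (r".*", "read"),
]

# Constructed variant: anchored to the uid=USER[,realm=REALM] form from the reply.
ANCHORED_ACL = [
    (r"^cn=admin,ou=People,dc=wossname,dc=org,dc=uk$", "write"),
    (r"^uid=ldapadm(,realm=WOSSNAME\.ORG\.UK)?$", "write"),
    (r".*", "read"),
]

# Subject DNs to test; only the first is what the reply says slapd sees here.
SUBJECTS = [
    "uid=ldapadm",                        # no REALM visible to slapd
    "uid=ldapadm,realm=WOSSNAME.ORG.UK",  # form with a realm, per the reply
    "uid=ldapadmin",                      # constructed lookalike principal
]


def access_level(subject_dn, acl):
    """Return the level granted by the first `by` clause whose regex matches."""
    for pattern, level in acl:
        if re.search(pattern, subject_dn, re.IGNORECASE):
            return level
    return "none"


def report():
    """Map each subject DN to the level granted under each of the three stanzas."""
    acls = {"howto": HOWTO_ACL, "reduced": REDUCED_ACL, "anchored": ANCHORED_ACL}
    return {s: {name: access_level(s, acl) for name, acl in acls.items()}
            for s in SUBJECTS}


if __name__ == "__main__":
    for subject, levels in report().items():
        print(f"{subject:36} {levels}")
```

The HOWTO pattern requires a literal `+` before `realm=`, so it matches neither form from the reply and the bind falls through to `by * read`. The reduced pattern matches any DN that contains `uid=ldapadm`, which is why the anchored variant is shown beside it.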