[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: can I use a kerberos ticket with ldapsearch (and ldap libraries)
> -----Original Message-----
> From: Michael Torrie [mailto:torriem@cs.byu.edu]
> On Thu, 2002-04-18 at 07:23, Howard Chu wrote:
>
> > The rootpw config has nothing to do with SASL. In the 2.0.x
> release the only
> > valid DNs for a SASL bind are of the form "uid=<username> +
> realm=<realm>"
> > If you want "ldapadmin@REALM" to be treated as your server root then you
> > need to
> > configure
> > rootdn "uid=ldapadmin + realm=REALM"
>
> Followup guestion. Since the userPassword field is obviously bogus
> (unused) since we don't do a simple bind, how do I configure OpenLDAP to
> only allow certain principals to bind as an arbitrary user? I read
> something a while back about an attribute that could specify multipal
> principals, but it used a now depricated ObjectClass. Basically can I
> do something that's the same effect as .k5login on binding to ldap? Do
> I need to do special things in my LDAP acls? (I imagine so.)
Your question isn't very clear to me, but I'll take a stab at it.
In OpenLDAP 2.0, SASL principals cannot bind as arbitrary users. They bind
as themselves only, and their names are in the DN form I gave above. Your
ACLs need to control access based on those DNs.
In version 2.1 the SASL DN format is changed, and support is added for a
SASL principal to bind as some other user. But since you're not using 2.1
yet, the feature doesn't apply to you.
To give you a taste of what's coming: the OpenLDAP 2.1 SASL DN format is
uid=<user>, cn=<realm>, cn=<sasl-mechanism>, cn=AUTH
where user, realm, and sasl-mechanism are replaced by the actual values, and
cn=AUTH is a constant.
The exception to this is in SASL EXTERNAL with TLS, where the DN from the
user's certificate is used directly as the SASL DN.
Also, in 2.1 there is a sasl-regexp directive that defines rules to map the
above SASL DNs to any other form. As a very simple example, I use this rule:
sasl-regexp "uid=\(.*\),cn=symas.com,cn=gssapi,cn=auth"
"cn=$1,ou=personnel,o=symas corp.,c=us"
This would map my Kerberos login hyc@symas.com to
cn=hyc,ou=personnel,o=symas corp.,c=us
The DN mapping feature can perform its own LDAP search to resolve names,
which makes it very powerful. I could use this rule instead:
sasl-regexp "uid=\(.*\),cn=symas.com,cn=gssapi,cn=auth"
"ldap:///ou=personnel,o=symas corp.,c=us??sub?cn=$1"
For a Kerberos login hyc@symas.com this would return the entry that matches
"cn=hyc" and use that entry's DN. On my directory, this would return
cn=Howard Chu,ou=personnel,o=symas corp.,c=us
Which coincidentally :) happens to also be the DN in my SSL certificate...
(Naturally the above search works because my entry contains "hyc" as one of
the values of the cn attribute.)
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support