
Re: Question on GSSAPI-authentication



Hello Harry,

On Tue, 2002-08-27 at 16:10, Harry Rüter wrote:
> Hi everybody,
> 
> I have a question on the GSSAPI implementation
> in v2.1.x (or maybe on how SASL/GSSAPI works).
> 
> Suppose I have the following access rule
> 
> ---snipp---
> access to attr=uid
>    by dn="uid=ldapreplicator,cn=HRNET.DE,cn=GSSAPI,cn=auth" read
>    by self write
>    by * read
> ---snipp---
> and the saslregexp :
> 
> ---snipp---
> saslRegexp
>   uid=.*,cn=HRNET.DE,cn=GSSAPI,cn=auth
>   uid=$1,ou=ldap,o=myorganization,dc=hrnet,dc=de
> ---snipp---
> 
> Now, what happens when ldapreplicator,
> who is ldapreplicator@HRNET.DE, wants to authenticate?
> 
> Is it:
> 
>   ldapreplicator@HRNET.DE
> translated to
>   uid=ldapreplicator,cn=HRNET.DE,cn=GSSAPI,cn=auth
> and then (via saslRegexp) translated to
>   uid=ldapreplicator,ou=ldap,o=myorganization,dc=hrnet,dc=de


Quite frankly, that depends on the principal of ldapcreator. If the
principal is ldapcreator@HRNET.DE, the authorization identity from
SASL/GSSAPI is "uid=ldapcreator,cn=GSSAPI,cn=auth".
Your saslRegexp in slapd.conf should read

saslRegexp
	uid=(.*),cn=GSSAPI,cn=auth
	uid=$1,ou=ldap,o=myorganization,dc=hrnet,dc=de

slapd would normalise "uid=ldapcreator,cn=GSSAPI,cn=auth" to
"uid=ldapcreator,ou=ldap,o=myorganization,dc=hrnet,dc=de".

-Dieter

 
-- 
Dieter Kluenter  | Systemberatung
Tel:040.64861967 | Fax: 040.64891521
mailto: dkluenter@schevolution.com
http://www.schevolution.com/tour
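A way to check a saslRegexp line before trusting the ACL that depends on it, as an added Python example (not from this thread and not OpenLDAP's own code): it models slapd's match-then-substitute step under the assumptions stated in the docstring, and runs Dieter's pattern, Harry's original pattern and a constructed tighter variant against both DN shapes discussed above. It goes beyond the thread in showing what a greedy `.*` captures when the realm appears in the authorization DN.

```python
import re
from typing import Dict, Optional


def sasl_regexp_map(pattern: str, replacement: str, auth_dn: str) -> Optional[str]:
    """Apply one modelled saslRegexp line to a SASL authorization DN.

    Model assumptions (not taken from slapd's source): the pattern is
    searched case-insensitively and unanchored against the DN, and each
    $1..$9 in the replacement is filled from the matching capture group;
    a reference to a group the pattern never defined becomes empty.
    Returns the mapped DN, or None when the pattern does not match.
    """
    m = re.search(pattern, auth_dn, re.IGNORECASE)
    if m is None:
        return None

    def fill(ref: "re.Match[str]") -> str:
        n = int(ref.group(1))
        if n > len(m.groups()):
            return ""
        return m.group(n) or ""

    return re.sub(r"\$([1-9])", fill, replacement)


TARGET = "uid=$1,ou=ldap,o=myorganization,dc=hrnet,dc=de"
# Dieter's pattern, Harry's original pattern, and a constructed tighter
# variant that refuses to swallow commas (extra RDNs) into $1.
DIETER_RE = r"uid=(.*),cn=GSSAPI,cn=auth"
HARRY_RE = r"uid=.*,cn=HRNET.DE,cn=GSSAPI,cn=auth"
STRICT_RE = r"uid=([^,]+),cn=GSSAPI,cn=auth"

# The two authorization-DN shapes from the thread.
PLAIN_DN = "uid=ldapcreator,cn=GSSAPI,cn=auth"
REALM_DN = "uid=ldapreplicator,cn=HRNET.DE,cn=GSSAPI,cn=auth"


def check_mappings() -> Dict[str, Optional[str]]:
    """Run the three patterns against both DN shapes and return the results."""
    return {
        "dieter_plain": sasl_regexp_map(DIETER_RE, TARGET, PLAIN_DN),
        "dieter_realm": sasl_regexp_map(DIETER_RE, TARGET, REALM_DN),
        "harry_realm": sasl_regexp_map(HARRY_RE, TARGET, REALM_DN),
        "strict_plain": sasl_regexp_map(STRICT_RE, TARGET, PLAIN_DN),
        "strict_realm": sasl_regexp_map(STRICT_RE, TARGET, REALM_DN),
    }


if __name__ == "__main__":
    for name, dn in check_mappings().items():
        print(f"{name:13s} -> {dn}")
```

The `dieter_realm` result shows the realm RDN ending up inside `uid=`, and `harry_realm` shows `$1` resolving to nothing because the pattern has no capture group; the strict variant simply fails to match a realm-qualified DN, which is easier to spot in slapd logs than a silently wrong DN.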