Re: Kerberos and simple binds using same password database?
Turbo Fredriksson wrote:
Among user's attributes (I was missing krb5PrincipalName that search
in sasl-regexp looks for):
userPassword: {SASL}username@EXAMPLE.COM
krb5PrincipalName: username@EXAMPLE.COM
Well, this was my initial design 'a long time ago' when slapd wasn't as
evolved as it is now (and sasl-regexp didn't exist). But, from the top
of my head, you SHOULD be able to do without the 'krb5PrincipalName'
and its object class...
I came to the same conclusion later in the day (after some thinking and
experimenting).
Something like this should do it (also look at the rest of the thread -
the sasl-regexp is case insensitive):
    sasl-regexp
        uid=(.*),cn=(.*),cn=gssapi,cn=auth
        ldap:///ou=accts,dc=example,dc=com??sub?(userPassword=\{SASL\}$1@$2)
This will support your multiple realms (as long as domain and realm
match!)
Hm, no it wouldn't - unless you find a way to extract 'example' and 'com'
as two separate entities (for use instead of 'dc=example,dc=com'). I
know it's possible to do this (I've seen it done), but I have no
idea how to do it...
It would work for me, since my LDAP directory organization doesn't need
to match AD domain organization. All I need is a way to match LDAP DN
to Kerberos principal for password checking, and "userPassword:
{SASL}user@REALM" will do exactly that. However, in the case where they do
match, something like this should work (I haven't tested it, but this is
a valid regexp):
    sasl-regexp
        uid=([^,]*),cn=([^.]*)\.([^,]*),cn=[^,]*,cn=auth
        ldap:///ou=accts,dc=$2,dc=$3??sub?(userPassword=\{SASL\}$1@$2.$3)
(above assumes you make sure there's no ',' chars in uid and cn attributes).
The above is from the head, it might contain typos, however it
demonstrates the general idea.
It will match 2-level domain names only (example.com). You can add more
of them for 3-, 4-, or more-level domains in any order you wish (only one
will match).
Of course, one can always go the easy route and match the uid to uid ;-)
--
Aleksandar Milivojevic <amilivojevic@pbl.ca> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
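The mapping the thread describes, written out as a stand-alone Python model (added example, not code from the thread or from OpenLDAP): it takes the SASL authentication DN that slapd builds for a GSSAPI bind, applies a case-insensitive match like the sasl-regexp above, and produces the search URI that looks up the entry by its userPassword: {SASL}user@REALM value. Unlike the two-label rule in the thread, it splits the realm into any number of dc= components, and it escapes the filter value so a uid containing filter metacharacters cannot alter the search. The function names, the sample DNs and the optional fixed base are assumptions for illustration.

```python
import re
from typing import Optional

# slapd presents a GSSAPI-authenticated user as uid=<principal>,cn=<REALM>,cn=gssapi,cn=auth.
# Like sasl-regexp, the match is case-insensitive.  A uid containing ',' does not match,
# which is the caveat raised in the thread.
SASL_DN_RE = re.compile(r"^uid=([^,]+),cn=([^,]+),cn=gssapi,cn=auth$", re.IGNORECASE)


def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return (value.replace("\\", r"\5c")
                 .replace("*", r"\2a")
                 .replace("(", r"\28")
                 .replace(")", r"\29")
                 .replace("\0", r"\00"))


def map_sasl_dn(sasl_dn: str, base: Optional[str] = None) -> Optional[str]:
    """Return the search URI a sasl-regexp rule of this kind would yield, or None if no match.

    With base=None the realm labels become dc= components (the 'domain matches realm'
    case), for any number of labels; otherwise the given fixed search base is used.
    """
    m = SASL_DN_RE.match(sasl_dn)
    if not m:
        return None
    uid, realm = m.group(1), m.group(2)
    if base is None:
        labels = realm.split(".")
        if any(not label for label in labels):   # reject empty labels such as 'A..B'
            return None
        base = ",".join(f"dc={label.lower()}" for label in labels)
    # The filter pins the lookup to the entry whose userPassword names this exact principal.
    flt = f"(userPassword={{SASL}}{ldap_filter_escape(uid)}@{ldap_filter_escape(realm)})"
    return f"ldap:///{base}??sub?{flt}"


if __name__ == "__main__":
    # Constructed sample DNs, not taken from any real directory.
    print(map_sasl_dn("uid=alice,cn=EXAMPLE.COM,cn=gssapi,cn=auth", "ou=accts,dc=example,dc=com"))
    print(map_sasl_dn("uid=bob,cn=CORP.EXAMPLE.COM,cn=gssapi,cn=auth"))
```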