[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Kerberos and simple binds using same password database?

To: OpenLDAP Software <openldap-software@OpenLDAP.org>
Subject: Re: Kerberos and simple binds using same password database?
From: Aleksandar Milivojevic <amilivojevic@pbl.ca>
Date: Thu, 30 Dec 2004 08:38:22 -0600
In-reply-to: <87zmzwwwd5.fsf@pumba.bayour.com>
References: <41D189DC.4030309@pbl.ca> <87k6r2xc3o.fsf@pumba.bayour.com> <41D2E15C.2060809@pbl.ca> <41D2F5C4.4090603@pbl.ca> <87zmzwwwd5.fsf@pumba.bayour.com>
User-agent: Mozilla Thunderbird 0.8 (X11/20041020)

Turbo Fredriksson wrote:

Among user's attributes (I was missing krb5PrincipalName that search
in sasl-regexp looks for):

userPassword: {SASL}username@EXAMPLE.COM
krb5PrincipalName: username@EXAMPLE.COM

Well, this was my initial design 'a long time ago' when slapd wasn't as
evolved as it is now (and sasl-regexp didn't exists). But, from the top
of my head, you SHOULD be able to do without the 'krb5PrincipalName'
and it's object class...

I came to same conclusion later in a day (after some thinking and experimenting).

Something like this should do it (also look at the rest of the thread -
the sasl-regexp is case insensitive):

sasl-regex
 uid=(.*),cn=(.*),cn=gssapi,cn=auth
 ldap:///ou=accts,dc=example,dc=com??sub(userPassword=\{SASL\}$1@$2)

This will support your multiple realms (as long as domain and realm
matches!)

Hm, no it wouldn't - unless you find a way to extract 'example' and 'com'
as two separate entities (for use instead of 'dc=example,dc=com'). I
know it's possible to do this (I've seen it done), but I have no
idea how to do it...

It would work for me, since my LDAP directory organization doesn't need to match AD domain organization. All I need is a way to match LDAP DN to Kerberos principal for password checking, and "userPassword: {SASL}user@REALM" will do exactly that. However, in case where they do match, something like this should work (I haven't tested it, but this is valid regexp):

sasl-regex
uid=([^,]*),cn=([^.]*)\.([^,]*),cn=[^,]*,cn=auth
ldap:///ou=accts,dc=$2,dc=$3??sub(userPassword=\{SASL\}$1@$2.$3)

(above assumes you make sure there's no ',' chars in uid and cn attributes).

The above is from the head, it might contain typos, however it demonstrates the general idea.

It will match 2 level domain name only (example.com). You can add more of them for 3, 4, or more level domains in any order you wish (only one will match).

Of course, one can always go the easy route and match the uid to uid ;-)

--
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7

References:
- Kerberos and simple binds using same password database?
  - From: Aleksandar Milivojevic <amilivojevic@pbl.ca>
- Re: Kerberos and simple binds using same password database?
  - From: Turbo Fredriksson <turbo@bayour.com>
- Re: Kerberos and simple binds using same password database?
  - From: Aleksandar Milivojevic <amilivojevic@pbl.ca>
- Re: Kerberos and simple binds using same password database?
  - From: Aleksandar Milivojevic <amilivojevic@pbl.ca>
- Re: Kerberos and simple binds using same password database?
  - From: Turbo Fredriksson <turbo@bayour.com>

Prev by Date: Odd problem with open-ldap
Next by Date: Re: Odd problem with open-ldap
Index(es):
- Chronological
- Thread