[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Ldap kerberos ticket - GSSAPI



On Tuesday, March 29, 2005, at 01:50 PM, Manel Euro wrote:

I have configured Kerberos, OpenLdap and Cyrus-Sasl. Everything is working ok . However, I was doing some testing and found the following situation.

When a Kerberos principal, not represented on the ldap directory, runs the command ldapwhoami I get:

SASL/GSSAPI authentication started
SASL username: testePac@EXAMPLE.NET
SASL SSF: 56
SASL installing layers
dn:uid=testepac,cn=example.net,cn=gssapi,cn=auth

when a principal which is also on the directoyr tree runs ldapadmin I get:

SASL/GSSAPI authentication started
SASL username: testeF@EXAMPLE.NET
SASL SSF: 56
SASL installing layers
dn:uid=testef,ou=locationA,ou=people,dc=example,dc=net


So, I see that the dns are different. However, on both situation I get a kerberos TGS ticket for LDAP.


How can I avoid this happening?

sasl-regexp uid=(.+),cn=EXAMPLE.NET,cn=gssapi,cn=auth ldap:/// dc=example,dc=net??sub?(|(uid=$1)(krb5PrincipalName=$1@EXAMPLE.NET))

From your sasl-regexp it isn't clear to me what you want, but logically
I think it follows that if you want principals who are represented in the
directory to have similar DNs to those who are not, then you must want
them all in the form of the first one who was not in there, not the second.


If that's true, then I think you should use a simpler sasl-regexp, like
sasl-regexp uid=(.+),cn=EXAMPLE.NET,cn=gssapi,cn=auth uid=$1,cn=example.net,cn=gssapi,cn=auth


(I'm assuming that the predicate has been working for you - in the version
I'm using, GSSAPI authentications from my own realm are uid=x,cn=gssapi,... -
not uid=x,cn=realm,cn=gssapi,... And if you're dealing with external realms it
might be a good idea to put them somewhere in the result DN, as I did not do
above.)


	Donn Cave, donn@u.washington.edu