See bellow.
I have configured Kerberos, OpenLdap and Cyrus-Sasl. Everything is working ok . However, I was doing some testing and found the following situation.
When a Kerberos principal, not represented on the ldap directory, runs the command ldapwhoami I get:
SASL/GSSAPI authentication started SASL username: testePac@EXAMPLE.NET SASL SSF: 56 SASL installing layers dn:uid=testepac,cn=example.net,cn=gssapi,cn=auth
when a principal which is also on the directoyr tree runs ldapadmin I get:
SASL/GSSAPI authentication started SASL username: testeF@EXAMPLE.NET SASL SSF: 56 SASL installing layers dn:uid=testef,ou=locationA,ou=people,dc=example,dc=net
So, I see that the dns are different. However, on both situation I get a kerberos TGS ticket for LDAP.
How can I avoid this happening?
sasl-regexp uid=(.+),cn=EXAMPLE.NET,cn=gssapi,cn=auth ldap:/// dc=example,dc=net??sub?(|(uid=$1)(krb5PrincipalName=$1@EXAMPLE.NET))
From your sasl-regexp it isn't clear to me what you want, but logically
I think it follows that if you want principals who are represented in the
directory to have similar DNs to those who are not, then you must want
them all in the form of the first one who was not in there, not the second.
If I have understood well, I can use Ldap and Kerberos in two ways:
If that's true, then I think you should use a simpler sasl-regexp, likeI am using version 2.2.24 and cyrus-sasl 2.1.19. The cn=realm predicate is working.
sasl-regexp uid=(.+),cn=EXAMPLE.NET,cn=gssapi,cn=auth uid=$1,cn=example.net,cn=gssapi,cn=auth
(I'm assuming that the predicate has been working for you - in the version
I'm using, GSSAPI authentications from my own realm are uid=x,cn=gssapi,... -
not uid=x,cn=realm,cn=gssapi,... And if you're dealing with external realms it
might be a good idea to put them somewhere in the result DN, as I did not do
above.)
Thanks for your help.
M.
Donn Cave, donn@u.washington.edu