Hi,
I have configured Kerberos, OpenLdap and Cyrus-Sasl. Everything is
working OK. However, I was doing some testing and found the following
situation.
When a Kerberos principal, not represented on the ldap directory, runs
the command ldapwhoami I get:
SASL/GSSAPI authentication started
SASL username: testePac@EXAMPLE.NET
SASL SSF: 56
SASL installing layers
dn:uid=testepac,cn=example.net,cn=gssapi,cn=auth
when a principal which is also in the directory tree runs ldapadmin I
get:
SASL/GSSAPI authentication started
SASL username: testeF@EXAMPLE.NET
SASL SSF: 56
SASL installing layers
dn:uid=testef,ou=locationA,ou=people,dc=example,dc=net
So, I see that the DNs are different. However, in both situations I get
a Kerberos TGS ticket for LDAP.
How can I avoid this happening?
# realm dot escaped so it is matched literally; the second line is a
# continuation of the directive and must start with whitespace in slapd.conf
sasl-regexp uid=(.+),cn=EXAMPLE\.NET,cn=gssapi,cn=auth
    ldap:///dc=example,dc=net??sub?(|(uid=$1)(krb5PrincipalName=$1@EXAMPLE.NET))
ACLs:
access to *
    by self write
    by users read
    by anonymous read
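As an added illustration (not part of the original post and not OpenLDAP's own code), here is a small Python model of the two steps behind the output above: the sasl-regexp maps the SASL-derived DN only when the search returns exactly one entry, otherwise the cn=auth DN is kept, and the ACL's "by users" clause then matches that unmapped-but-authenticated DN. The directory contents, the DN normalisation to lower case, the suffix check standing in for dn.subtree matching, and the HARDENED_ACL variant (which denies cn=gssapi,cn=auth identities before "by users" is reached) are all assumptions made for the example; the real slapd supports many more "who" forms than are modelled here.

```python
import re

# Constructed sample directory (not real data): normalized DN -> attributes.
# Only the entry that the second ldapwhoami in the post resolved to.
DIRECTORY = {
    "uid=testef,ou=locationa,ou=people,dc=example,dc=net": {
        "uid": ["testef"],
        "krb5PrincipalName": ["testeF@EXAMPLE.NET"],
    },
}

# The sasl-regexp from the post; slapd compiles it case-insensitively and
# applies it to the normalized (lower-cased) SASL DN.
AUTHZ_REGEX = re.compile(r"^uid=(.+),cn=example\.net,cn=gssapi,cn=auth$", re.IGNORECASE)


def sasl_authc_dn(principal):
    """DN slapd derives from a GSSAPI principal before any regexp mapping."""
    user, realm = principal.split("@", 1)
    return f"uid={user},cn={realm},cn=gssapi,cn=auth".lower()


def search_filter_matches(uid, attrs):
    """Model of (|(uid=$1)(krb5PrincipalName=$1@EXAMPLE.NET)); the
    case-insensitive comparison is a simplification of the real matching rules."""
    uids = [v.lower() for v in attrs.get("uid", [])]
    princs = [v.lower() for v in attrs.get("krb5PrincipalName", [])]
    return uid in uids or f"{uid}@example.net" in princs


def map_identity(authc_dn):
    """Regexp -> search; exactly one hit replaces the DN. No regexp match,
    no hit, or several hits all leave the cn=auth DN in place."""
    m = AUTHZ_REGEX.match(authc_dn)
    if not m:
        return authc_dn
    hits = [dn for dn, attrs in DIRECTORY.items()
            if search_filter_matches(m.group(1), attrs)]
    return hits[0] if len(hits) == 1 else authc_dn


# ACLs as ordered (who, access) pairs; the first matching "who" wins, as in slapd.
ORIGINAL_ACL = [("self", "write"), ("users", "read"), ("anonymous", "read")]

# Hypothetical hardened variant: stop unmapped SASL identities before "users".
HARDENED_ACL = [
    ("self", "write"),
    (("dn.subtree", "cn=gssapi,cn=auth"), "none"),
    ("users", "read"),
    ("anonymous", "read"),
]


def evaluate(acl, bound_dn, target_dn):
    """bound_dn is None for an anonymous bind. The endswith() test is a stand-in
    for proper DN subtree matching."""
    for who, access in acl:
        if who == "self" and bound_dn is not None and bound_dn == target_dn:
            return access
        if isinstance(who, tuple) and who[0] == "dn.subtree":
            if bound_dn is not None and bound_dn.endswith(who[1]):
                return access
        elif who == "users" and bound_dn is not None:
            return access
        elif who == "anonymous" and bound_dn is None:
            return access
    return "none"


def access_for(principal, target_dn, acl):
    """Access a principal (or None for anonymous) gets on target_dn under acl."""
    bound_dn = map_identity(sasl_authc_dn(principal)) if principal else None
    return evaluate(acl, bound_dn, target_dn)


if __name__ == "__main__":
    target = "uid=testef,ou=locationa,ou=people,dc=example,dc=net"
    for p in ("testePac@EXAMPLE.NET", "testeF@EXAMPLE.NET"):
        print(p, "->", map_identity(sasl_authc_dn(p)))
        print("  original ACL:", access_for(p, target, ORIGINAL_ACL),
              " hardened ACL:", access_for(p, target, HARDENED_ACL))
```

Running it shows testePac staying on the cn=auth DN and still getting "read" under the original ACL, because "by users" covers every authenticated DN, mapped or not; with the deny clause placed ahead of it, the unmapped identity gets nothing while testeF keeps "write" on its own entry and anonymous keeps "read".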