[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Ldap kerberos ticket - GSSAPI



Manel Euro wrote:

Hi,
I have configured Kerberos, OpenLdap and Cyrus-Sasl. Everything is working ok . However, I was doing some testing and found the following situation.


When a Kerberos principal, not represented on the ldap directory, runs the command ldapwhoami I get:

SASL/GSSAPI authentication started
SASL username: testePac@EXAMPLE.NET
SASL SSF: 56
SASL installing layers
dn:uid=testepac,cn=example.net,cn=gssapi,cn=auth

when a principal which is also on the directoyr tree runs ldapadmin I get:

SASL/GSSAPI authentication started
SASL username: testeF@EXAMPLE.NET
SASL SSF: 56
SASL installing layers
dn:uid=testef,ou=locationA,ou=people,dc=example,dc=net


So, I see that the dns are different. However, on both situation I get a kerberos TGS ticket for LDAP.


How can I avoid this happening?

sasl-regexp uid=(.+),cn=EXAMPLE.NET,cn=gssapi,cn=auth ldap:///dc=example,dc=net??sub?(|(uid=$1)(krb5PrincipalName=$1@EXAMPLE.NET))


ACLS:

access to *
  by self write
  by users read
  by anonymous read


when the user gets there, it's already authenticated, and you're supposed to trust the GSSAPI mech. Of course, it's up to the admin to give specific privileges to users that exist in the directory as opposed to those that authenticate but do not exist in the directory. What you should do is give privileges only to __authorized__users, i.e. those that do not authorize (pass sasl-regexp phase), and thus have a DN ending with "cn=auth", could be treated as anonymous. You can obtain this by means of ACLs, e.g.

access to *
   by dn.subtree="cn=auth" none
   by self write
   by * read

Note, in fact, that in your example you make no distinction between users and anonymous, since you grant both read access, so you shouldn't even notice the problem, and your ACL could be

access to *
   by self write
   by * read

since I don't see why you should give auth'd users not present in the directory less privileges than anonymous.

p.


SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497