From: Donn Cave <donn@u.washington.edu>
To: openldap-software@OpenLDAP.org
Subject: Re: Ldap kerberos ticket - GSSAPI
Date: Tue, 29 Mar 2005 16:43:45 -0800
On Tuesday, March 29, 2005, at 04:22 PM, Manel Euro wrote:
(quoting me)
From your sasl-regexp it isn't clear to me what you want, but logically
I think it follows that if you want principals who are represented in
the
directory to have similar DNs to those who are not, then you must want
them all in the form of the first one who was not in there, not the
second.
With my sasl-regexp I map my GSSAPI ids
(<uid=testUser,cn=EXAMPLE.NET,cn=GSSAPI,cn=auth>) to my directory DNs
(test user exists as <uid=testUser,dn=example,,dn=net>).
If I have understood well, I can use Ldap and Kerberos in two ways:
1st- SASL/gssapi
2nd- pass throught authentication - userPASSWORD: {sasl}user@REALM-COM and
saslauthd
I am using the first one. So, in this method when the kerberos ticket is
presented to the slapd, slapd maps this kerberos principal to the
*corresponding* directory DN. On this case, the principal
testePac@EXAMPLE.NET does not have an entry on the directory. Therefore,
according to what I have understood, this user shout not get a Kerberos
TGS to LDAP.
No - if you mean TGT (ticket granting ticket) - this user must get a TGT,
because
in fact that's how it got here. It authenticates to the LDAP service, and
then
we know who it is and what it's authorized to do. That analysis can't be
done
without authentication first, and the TGT is issued for authentication.
(Moreover,
it isn't even issued by the LDAP server, but rather by the Kerberos KDC,
but I take
it your concern at the moment has less to do with the TGT itself and more
with the
way the authenticated user is handled by the LDAP service.)