
slapd does not include cn=realm in mapping kerberos entries.



Hi,
  Upon reading the administrator's guide, it says that:

"For the purposes of authentication and authorization,
slapd(8) associates a non-mapped authentication
request DN of the form:

        uid=<primary[/instance]>,cn=<realm>,cn=gssapi,cn=auth

Continuing our example, a user with the Kerberos
principal kurt@EXAMPLE.COM would have the associated
DN:

        uid=kurt,cn=example.com,cn=gssapi,cn=auth"


But looking at my debug.log:

do_sasl_bind: dn () mech GSSAPI
Jun 27 09:39:08 gaheris slapd[737]: SASL Canonicalize [conn=2]: authcid="matato"
Jun 27 09:39:08 gaheris slapd[737]: slap_sasl_getdn: u:id converted to uid=matato,cn=GSSAPI,cn=auth
Jun 27 09:39:08 gaheris slapd[737]: >>> dnNormalize: <uid=matato,cn=GSSAPI,cn=auth>
Jun 27 09:39:08 gaheris slapd[737]: <<< dnNormalize: <uid=matato,cn=gssapi,cn=auth>
Jun 27 09:39:08 gaheris slapd[737]: ==>slap_sasl2dn: converting SASL name uid=matato,cn=gssapi,cn=auth to a DN
Jun 27 09:39:08 gaheris slapd[737]: SASL proxy authorize [conn=2]: authcid="matato" authzid="matato"
Jun 27 09:39:08 gaheris slapd[737]: conn=2 op=3 BIND authcid="matato"
Jun 27 09:39:08 gaheris slapd[737]: SASL Authorize [conn=2]:  proxy authorization allowed
Jun 27 09:39:08 gaheris slapd[737]: send_ldap_sasl: dn="uid=matato,cn=gssapi,cn=auth" mech=GSSAPI ssf=56
SASL/GSSAPI bind: dn="uid=matato,cn=gssapi,cn=auth" ssf=56

My Kerberos principal is matato@CAMLANN.PREGI.NET, so
it should map as:

uid=matato,cn=camlann.pregi.net,cn=gssapi,cn=auth

Any idea why it didn't include the 'cn=realm'?
I haven't used any access control based on sasl bind
yet, but I'm just worried that I might have some
problems in the future regarding the use of kerberos
realms in my authentication.


Thanks.
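As an added illustration (not part of the original message or of OpenLDAP itself): a small check that derives the authentication DN the admin guide describes from a Kerberos principal, pulls the DN slapd actually bound as out of its send_ldap_sasl debug lines, and flags binds where the cn=<realm> component is missing, which is exactly the mismatch that would bite any access control written against the documented form. The sample log text is constructed from the output quoted above; the realm is lowercased to match what the dnNormalize lines show.

```python
import re

# Constructed sample, shaped like the debug output quoted in the post.
SAMPLE_LOG = """\
Jun 27 09:39:08 gaheris slapd[737]: slap_sasl_getdn: u:id converted to uid=matato,cn=GSSAPI,cn=auth
Jun 27 09:39:08 gaheris slapd[737]: send_ldap_sasl: dn="uid=matato,cn=gssapi,cn=auth" mech=GSSAPI ssf=56
"""

SASL_DN_WITH_REALM = re.compile(
    r"uid=[^,]+,cn=([^,]+),cn=gssapi,cn=auth", re.IGNORECASE)
SEND_SASL_LINE = re.compile(r'send_ldap_sasl: dn="([^"]*)" mech=(\S+)')


def expected_sasl_dn(principal):
    """DN form from the admin guide for 'primary[/instance]@REALM'.

    The realm is lowercased because slapd normalizes the DN
    (the dnNormalize lines in the log show the same thing).
    """
    name, sep, realm = principal.partition("@")
    if not sep or not name or not realm:
        raise ValueError("not a principal with a realm: %r" % principal)
    return "uid=%s,cn=%s,cn=gssapi,cn=auth" % (name, realm.lower())


def realm_in_dn(dn):
    """Return the cn=<realm> value of a SASL DN, or None if absent."""
    m = SASL_DN_WITH_REALM.fullmatch(dn)
    return m.group(1) if m else None


def bound_dns(log_text):
    """Yield (dn, mech) for every send_ldap_sasl line in the debug log."""
    for line in log_text.splitlines():
        m = SEND_SASL_LINE.search(line)
        if m:
            yield m.group(1), m.group(2)


def check_bind(principal, log_text):
    """List GSSAPI binds whose DN lacks the realm or differs from the
    form documented for the given principal."""
    expected = expected_sasl_dn(principal)
    findings = []
    for dn, mech in bound_dns(log_text):
        if mech.upper() != "GSSAPI":
            continue
        if realm_in_dn(dn) is None:
            findings.append("%s: no cn=<realm> component (expected %s)" % (dn, expected))
        elif dn.lower() != expected:
            findings.append("%s: realm differs from expected %s" % (dn, expected))
    return findings


if __name__ == "__main__":
    for finding in check_bind("matato@CAMLANN.PREGI.NET", SAMPLE_LOG):
        print(finding)
```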
