slapd does not include cn=realm in mapping kerberos entries.
- To: openldap-software@OpenLDAP.org
- Subject: slapd does not include cn=realm in mapping kerberos entries.
- From: jay alvarez <ldapb0y@yahoo.com>
- Date: Sun, 26 Jun 2005 18:59:58 -0700 (PDT)
Hi,

Upon reading the administrator's guide, it says that:

"For the purposes of authentication and authorization, slapd(8) associates a non-mapped authentication request DN of the form:

uid=<primary[/instance]>,cn=<realm>,cn=gssapi,cn=auth

Continuing our example, a user with the Kerberos principal kurt@EXAMPLE.COM would have the associated DN:

uid=kurt,cn=example.com,cn=gssapi,cn=auth"
But looking at my debug.log:

do_sasl_bind: dn () mech GSSAPI
Jun 27 09:39:08 gaheris slapd[737]: SASL Canonicalize [conn=2]: authcid="matato"
Jun 27 09:39:08 gaheris slapd[737]: slap_sasl_getdn: u:id converted to uid=matato,cn=GSSAPI,cn=auth
Jun 27 09:39:08 gaheris slapd[737]: >>> dnNormalize: <uid=matato,cn=GSSAPI,cn=auth>
Jun 27 09:39:08 gaheris slapd[737]: <<< dnNormalize: <uid=matato,cn=gssapi,cn=auth>
Jun 27 09:39:08 gaheris slapd[737]: ==>slap_sasl2dn: converting SASL name uid=matato,cn=gssapi,cn=auth to a DN
Jun 27 09:39:08 gaheris slapd[737]: SASL proxy authorize [conn=2]: authcid="matato" authzid="matato"
Jun 27 09:39:08 gaheris slapd[737]: conn=2 op=3 BIND authcid="matato"
Jun 27 09:39:08 gaheris slapd[737]: SASL Authorize [conn=2]: proxy authorization allowed
Jun 27 09:39:08 gaheris slapd[737]: send_ldap_sasl: dn="uid=matato,cn=gssapi,cn=auth" mech=GSSAPI ssf=56
SASL/GSSAPI bind: dn="uid=matato,cn=gssapi,cn=auth" ssf=56
My Kerberos principal is matato@CAMLANN.PREGI.NET, so it should map as:

uid=matato,cn=camlann.pregi.net,cn=gssapi,cn=auth

Any idea why it didn't include the 'cn=realm'?

I haven't used any access control based on SASL bind yet, but I'm just worried that I might have some problems in the future regarding the use of Kerberos realms in my authentication.

Thanks.
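Added illustration (not part of the original post, and not OpenLDAP's own code): the log above shows the bind identity arriving without a cn=<realm> component, which is what happens when the Cyrus SASL GSSAPI mechanism drops a realm that equals the server's own realm before slapd ever builds the cn=auth DN, whereas a principal from another realm keeps its realm in the DN. The practical consequence is for authz-regexp and for any ACL written against the cn=auth form: a rule that insists on cn=<realm> never matches local users, and a rule that wildcards the realm maps principals from any realm onto local entries. The Python model below mimics slapd's authz-regexp processing (normalized DN, first matching rule wins, $n expansion) over three constructed identities. The ou=people subtree and the rule patterns are assumptions for the example; the realm and user names are taken from the post.

```python
import re

# Constructed sample auth DNs, as they look after slapd's dnNormalize (lowercased):
# the form seen in the poster's debug log (no cn=<realm>), the form the admin guide
# describes (realm present), and a principal from a different realm.
LOCAL_NO_REALM = "uid=matato,cn=gssapi,cn=auth"
LOCAL_WITH_REALM = "uid=matato,cn=camlann.pregi.net,cn=gssapi,cn=auth"
FOREIGN_REALM = "uid=ursula,cn=foreign.realm,cn=gssapi,cn=auth"

# Hypothetical target entry; the directory layout is assumed, not from the post.
LOCAL_ENTRY = "uid=$1,ou=people,dc=camlann,dc=pregi,dc=net"

# Each rule set is a list of (pattern, replacement) pairs in authz-regexp form.
# 1. Requires cn=<realm>: never matches the DN the log actually shows.
REALM_REQUIRED = [
    (r"^uid=([^,]+),cn=camlann\.pregi\.net,cn=gssapi,cn=auth$", LOCAL_ENTRY),
]
# 2. Wildcards the realm: maps a same-named principal from ANY realm to the local entry.
REALM_WILDCARD = [
    (r"^uid=([^,]+),cn=[^,]+,cn=gssapi,cn=auth$", LOCAL_ENTRY),
]
# 3. Names the local realm explicitly and also accepts the realm-stripped form,
#    so local users map either way and foreign-realm principals stay unmapped.
LOCAL_BOTH_FORMS = [
    (r"^uid=([^,]+),cn=camlann\.pregi\.net,cn=gssapi,cn=auth$", LOCAL_ENTRY),
    (r"^uid=([^,]+),cn=gssapi,cn=auth$", LOCAL_ENTRY),
]


def map_auth_dn(auth_dn, rules):
    """Model of authz-regexp: first matching rule wins and $n expands to group n.
    When no rule matches, slapd keeps the cn=auth DN as the bound identity."""
    dn = auth_dn.lower()
    for pattern, replacement in rules:
        m = re.match(pattern, dn)
        if m:
            return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), replacement)
    return dn


def mapping_report(rules):
    """Return {auth DN: resulting identity} for the three sample identities."""
    samples = (LOCAL_NO_REALM, LOCAL_WITH_REALM, FOREIGN_REALM)
    return {dn: map_auth_dn(dn, rules) for dn in samples}


if __name__ == "__main__":
    for name, rules in (("realm required", REALM_REQUIRED),
                        ("realm wildcard", REALM_WILDCARD),
                        ("local realm, both forms", LOCAL_BOTH_FORMS)):
        print(name)
        for src, dst in mapping_report(rules).items():
            print(f"  {src} -> {dst}")
```

Running it shows the three outcomes side by side: with the realm-required rule the logged identity stays uid=matato,cn=gssapi,cn=auth and so never reaches the directory entry; with the wildcard rule ursula@FOREIGN.REALM lands on the local ursula entry; with the explicit local-realm rules both local forms map to the same entry and the foreign principal keeps its cn=auth identity, where ACLs can treat it separately.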