
Re: slapd does not include cn=realm in mapping kerberos entries(pls ignore)



hehe, please delete my previous post. I got the docs here:
http://www.openldap.org/doc/admin22/sasl.html#Mapping Authentication identities to LDAP entries

Very sorry. :)

--- jay alvarez <ldapb0y@yahoo.com> wrote:

> Hi,
>   Upon reading the administrator's guide, it says that:
> 
> "For the purposes of authentication and authorization,
> slapd(8) associates a non-mapped authentication
> request DN of the form:
>        uid=<primary[/instance]>,cn=<realm>,cn=gssapi,cn=auth
> 
> Continuing our example, a user with the Kerberos
> principal kurt@EXAMPLE.COM would have the associated
> DN:
>         uid=kurt,cn=example.com,cn=gssapi,cn=auth"
> 
> 
> But looking at my debug.log:
> 
> do_sasl_bind: dn () mech GSSAPI
> Jun 27 09:39:08 gaheris slapd[737]: SASL Canonicalize [conn=2]: authcid="matato"
> Jun 27 09:39:08 gaheris slapd[737]: slap_sasl_getdn: u:id converted to uid=matato,cn=GSSAPI,cn=auth
> Jun 27 09:39:08 gaheris slapd[737]: >>> dnNormalize: <uid=matato,cn=GSSAPI,cn=auth>
> Jun 27 09:39:08 gaheris slapd[737]: <<< dnNormalize: <uid=matato,cn=gssapi,cn=auth>
> Jun 27 09:39:08 gaheris slapd[737]: ==>slap_sasl2dn: converting SASL name uid=matato,cn=gssapi,cn=auth to a DN
> Jun 27 09:39:08 gaheris slapd[737]: SASL proxy authorize [conn=2]: authcid="matato" authzid="matato"
> Jun 27 09:39:08 gaheris slapd[737]: conn=2 op=3 BIND authcid="matato"
> Jun 27 09:39:08 gaheris slapd[737]: SASL Authorize [conn=2]:  proxy authorization allowed
> Jun 27 09:39:08 gaheris slapd[737]: send_ldap_sasl: dn="uid=matato,cn=gssapi,cn=auth" mech=GSSAPI ssf=56
> SASL/GSSAPI bind: dn="uid=matato,cn=gssapi,cn=auth" ssf=56
> 
> My Kerberos principal is matato@CAMLANN.PREGI.NET, so
> it should map as:
> 
> uid=matato,cn=camlann.pregi.net,cn=gssapi,cn=auth
> 
> Any idea why it didn't include the 'cn=realm'?
> I haven't used any access control based on SASL bind
> yet, but I'm just worried that I might have some
> problems in the future regarding the use of Kerberos
> realms in my authentication.
> 
> 
> Thanks.
> 

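The mapping the quoted message asks about, as an added example that is not part of the original thread and is not OpenLDAP's code: a simplified model of how slapd applies authz-regexp rules to the SASL authentication DN it logs after dnNormalize. The base suffix dc=pregi,dc=net, the three sample DNs and the "lowercase everything" stand-in for dnNormalize are assumptions constructed for the demo; the match patterns are kept within POSIX ERE so they would also be valid in slapd.conf. It shows why a rule written only for the realm-qualified form never matches the realm-less DN seen in the quoted log, how one rule can accept both forms while still rejecting a principal from a different realm, and why a wildcard realm is the dangerous way out.

```python
"""Simplified model of slapd's authz-regexp mapping of a SASL/GSSAPI auth DN.
Added example; not slapd's code or the list poster's.  Assumptions: a base of
dc=pregi,dc=net, the constructed sample DNs below, and a 'lowercase everything'
stand-in for dnNormalize."""

import re
from typing import Optional, Sequence, Tuple

# Constructed sample auth DNs for the same principal: the realm-less form the
# quoted log shows, the realm-qualified form the admin guide describes, and a
# made-up realm this server should never trust.
AUTH_DN_NO_REALM = "uid=matato,cn=GSSAPI,cn=auth"
AUTH_DN_WITH_REALM = "uid=matato,cn=CAMLANN.PREGI.NET,cn=gssapi,cn=auth"
AUTH_DN_FOREIGN_REALM = "uid=matato,cn=other.example,cn=gssapi,cn=auth"

# (match, replace) pairs in the shape of "authz-regexp <match> <replace>".
Rule = Tuple[str, str]

# Only the realm-qualified form: does NOT match the DN in the quoted log.
REALM_ONLY_RULE: Rule = (
    r"^uid=([^,]*),cn=camlann\.pregi\.net,cn=gssapi,cn=auth$",
    "ldap:///dc=pregi,dc=net??one?(uid=$1)",
)
# Realm component optional, but when present it must be this server's realm.
EITHER_FORM_RULE: Rule = (
    r"^uid=([^,]*)(,cn=camlann\.pregi\.net)?,cn=gssapi,cn=auth$",
    "ldap:///dc=pregi,dc=net??one?(uid=$1)",
)
# Accepts any realm: a 'matato' from a foreign realm maps to the local entry.
ANY_REALM_RULE: Rule = (
    r"^uid=([^,]*),cn=[^,]*,cn=gssapi,cn=auth$",
    "ldap:///dc=pregi,dc=net??one?(uid=$1)",
)


def normalize_dn(dn: str) -> str:
    """Stand-in for dnNormalize.  The quoted log shows slapd lowercasing
    cn=GSSAPI to cn=gssapi; for the caseIgnore values in these DNs lowercasing
    the whole string gives the same result.  Real slapd normalizes per
    attribute matching rule."""
    return ",".join(part.strip() for part in dn.strip().split(",")).lower()


def apply_rule(rule: Rule, auth_dn: str) -> Optional[str]:
    """Match one rule against the normalized auth DN and expand $1..$9 in the
    replacement template.  Returns None when the rule does not match."""
    match, replace = rule
    m = re.search(match, normalize_dn(auth_dn))
    if m is None:
        return None
    return re.sub(r"\$([1-9])", lambda g: m.group(int(g.group(1))) or "", replace)


def map_identity(rules: Sequence[Rule], auth_dn: str) -> Optional[str]:
    """First matching rule wins, as with a list of authz-regexp directives.
    An unmatched DN keeps its uid=...,cn=auth form and names no entry, so ACLs
    written for entries under the suffix never apply to it."""
    for rule in rules:
        result = apply_rule(rule, auth_dn)
        if result is not None:
            return result
    return None


if __name__ == "__main__":
    for name, rule in [("realm-only", REALM_ONLY_RULE),
                       ("either-form", EITHER_FORM_RULE),
                       ("any-realm", ANY_REALM_RULE)]:
        print(name)
        for dn in (AUTH_DN_NO_REALM, AUTH_DN_WITH_REALM, AUTH_DN_FOREIGN_REALM):
            print(f"  {dn:55} -> {apply_rule(rule, dn)}")
```

The practical check is the one the quoted log already performs: read the dn= that send_ldap_sasl reports on your own server and write the authz-regexp for the form you actually see, since the realm component can be absent. Avoid matching the realm with a wildcard such as cn=[^,]* to paper over the difference; as the third rule shows, that maps a same-named principal from any realm onto the local entry.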