Re: slapd does not include cn=realm in mapping kerberos entries(pls ignore)
- To: openldap-software@OpenLDAP.org
- Subject: Re: slapd does not include cn=realm in mapping kerberos entries(pls ignore)
- From: jay alvarez <ldapb0y@yahoo.com>
- Date: Sun, 26 Jun 2005 19:10:31 -0700 (PDT)
hehe, please delete my previous post. I got the docs here:
http://www.openldap.org/doc/admin22/sasl.html#Mapping Authentication identities to LDAP entries
Very sorry. :)
--- jay alvarez <ldapb0y@yahoo.com> wrote:
> Hi,
> Upon reading the administrator's guide, it says that:
>
> "For the purposes of authentication and authorization, slapd(8) associates a
> non-mapped authentication request DN of the form:
>
> uid=<primary[/instance]>,cn=<realm>,cn=gssapi,cn=auth
>
> Continuing our example, a user with the Kerberos principal kurt@EXAMPLE.COM
> would have the associated DN:
>
> uid=kurt,cn=example.com,cn=gssapi,cn=auth"
>
> But looking at my debug.log:
>
> do_sasl_bind: dn () mech GSSAPI
> Jun 27 09:39:08 gaheris slapd[737]: SASL Canonicalize [conn=2]: authcid="matato"
> Jun 27 09:39:08 gaheris slapd[737]: slap_sasl_getdn: u:id converted to uid=matato,cn=GSSAPI,cn=auth
> Jun 27 09:39:08 gaheris slapd[737]: >>> dnNormalize: <uid=matato,cn=GSSAPI,cn=auth>
> Jun 27 09:39:08 gaheris slapd[737]: <<< dnNormalize: <uid=matato,cn=gssapi,cn=auth>
> Jun 27 09:39:08 gaheris slapd[737]: ==>slap_sasl2dn: converting SASL name uid=matato,cn=gssapi,cn=auth to a DN
> Jun 27 09:39:08 gaheris slapd[737]: SASL proxy authorize [conn=2]: authcid="matato" authzid="matato"
> Jun 27 09:39:08 gaheris slapd[737]: conn=2 op=3 BIND authcid="matato"
> Jun 27 09:39:08 gaheris slapd[737]: SASL Authorize [conn=2]: proxy authorization allowed
> Jun 27 09:39:08 gaheris slapd[737]: send_ldap_sasl: dn="uid=matato,cn=gssapi,cn=auth" mech=GSSAPI ssf=56
> SASL/GSSAPI bind: dn="uid=matato,cn=gssapi,cn=auth" ssf=56
>
> My Kerberos principal is matato@CAMLANN.PREGI.NET, so it should map as:
>
> uid=matato,cn=camlann.pregi.net,cn=gssapi,cn=auth
>
> Any idea why it didn't include the 'cn=realm'?
> I haven't used any access control based on SASL bind yet, but I'm just
> worried that I might have some problems in the future regarding the use of
> Kerberos realms in my authentication.
>
> Thanks.
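An added illustration (editor's example, not code from the poster or from OpenLDAP) of why the missing cn=<realm> RDN matters once you start mapping SASL identities to entries. slapd's authz-regexp rules are evaluated in order and the first match wins; this Python simulates that with re, using the two authentication DNs visible on this page: the documented form with cn=example.com and the form the posted debug log actually produced, with no realm RDN at all. The target base ou=people,dc=example,dc=com and the realm list (example.com, camlann.pregi.net) are assumptions for the example. A rule that hardcodes the realm RDN never fires on the logged DN, so the bind stays as the unmapped uid=...,cn=gssapi,cn=auth identity and any ACLs written against directory entries do not apply to it.

```python
import re

# Authentication DNs taken from this thread: the form the admin guide documents
# (realm RDN present) and the form the posted slapd debug log produced (realm
# RDN absent). Both strings are constructed here from the page's own examples.
DOC_DN = "uid=kurt,cn=example.com,cn=gssapi,cn=auth"
LOG_DN = "uid=matato,cn=gssapi,cn=auth"

# Hypothetical directory layout and realm allow-list (not from the page).
BASE = "ou=people,dc=example,dc=com"
REALMS = ("example.com", "camlann.pregi.net")

# Each rule is (pattern, replacement), evaluated in order, first match wins,
# mirroring slapd's authz-regexp list. slapd.conf writes the capture as $1;
# Python's re.expand uses \1.
#
# Naive rule: hardcodes the realm RDN. It matches the documented DN but not the
# DN slapd actually generated in the log, so that bind never gets mapped.
NAIVE_RULES = [
    (r"^uid=([^,]+),cn=example\.com,cn=gssapi,cn=auth$", r"uid=\1," + BASE),
]

# Hardened rule: the realm RDN is optional, but when present it must be one of
# the known realms, so a principal from an unexpected realm is left unmapped
# rather than silently landing on a local entry. The primary may not contain
# '/', so instance principals (e.g. kurt/admin) are refused instead of being
# collapsed onto the plain user's entry.
HARDENED_RULES = [
    (r"^uid=([^,/]+)(?:,cn=(" + "|".join(map(re.escape, REALMS)) + r"))?"
     r",cn=gssapi,cn=auth$",
     r"uid=\1," + BASE),
]


def map_authz_dn(dn, rules):
    """Return the mapped entry DN for the first matching rule, else None.

    None models slapd leaving the identity as the unmapped
    uid=...,cn=gssapi,cn=auth DN, which matches no entry in the directory.
    Matching is case-insensitive because slapd normalizes the DN first
    (the dnNormalize lines in the posted log show cn=GSSAPI -> cn=gssapi).
    """
    for pattern, repl in rules:
        m = re.match(pattern, dn, re.IGNORECASE)
        if m:
            return m.expand(repl)
    return None


if __name__ == "__main__":
    for label, rules in (("naive", NAIVE_RULES), ("hardened", HARDENED_RULES)):
        for dn in (DOC_DN, LOG_DN,
                   "uid=matato,cn=camlann.pregi.net,cn=gssapi,cn=auth",
                   "uid=mallory,cn=evil.example,cn=gssapi,cn=auth",
                   "uid=kurt/admin,cn=example.com,cn=gssapi,cn=auth"):
            print(f"{label:8} {dn:55} -> {map_authz_dn(dn, rules)}")
```

Before relying on a rule in production, test the exact DN slapd emits (the send_ldap_sasl line in the debug log shows it) against the rule rather than the DN the documentation leads you to expect; the two differed here.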