Re: getting DN from client with GSSAPI bind?
--On Tuesday, January 23, 2007 4:33 PM -0500 Kenneth Rogers <kenneth.rogers@gmail.com> wrote:

> Hi,
> After a successful GSSAPI binding, is there an easy way to get the DN
> for that user from the server?

Well, are you mapping the users to an entry in the server? If yes, then use
that DN.
If not, then use the SASL authz ID. The logs are generally pretty clear at
loglevel 256 what DN is being used.
For example:
Jan 23 14:29:00 ldap1 slapd[22096]: conn=11888542 op=2 BIND authcid="webauth/proxy.stanford.edu@stanford.edu" authzid="webauth/proxy.stanford.edu@stanford.edu"
So here's the authz DN (webauth/proxy.stanford.edu@stanford.edu).
Jan 23 14:29:00 ldap1 slapd[22096]: conn=11888542 op=2 BIND dn="cn=proxy,cn=webauth,cn=applications,dc=stanford,dc=edu" mech=GSSAPI ssf=56
And here's the DN of what I map it to:
cn=proxy,cn=webauth,cn=applications,dc=stanford,dc=edu
In case you haven't played with mappings, here's how the mapping is done:
sasl-regexp uid=webauth/(.*),cn=stanford.edu,cn=gssapi,cn=auth
    ldap:///cn=Webauth,cn=Applications,dc=stanford,dc=edu??sub?krb5PrincipalName=webauth/$1@stanford.edu
And this is what the internal entry looks like:
ldap1:~> lsearch cn=proxy
dn: cn=proxy,cn=webauth,cn=applications,dc=stanford,dc=edu
objectClass: applicationProcess
objectClass: suApplication
objectClass: krb5Principal
cn: proxy
description: webauth access for proxy.stanford.edu
krb5PrincipalName: webauth/proxy.stanford.edu@stanford.edu
Just to give you some thoughts to ponder. ;)
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
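
Added example, not part of the original message or of OpenLDAP: a small Python parser that pairs the two loglevel 256 BIND lines shown above by conn/op, so each SASL identity is listed next to the DN it was mapped to, and flags binds whose DN is still under cn=auth because no sasl-regexp rule rewrote it. The function names and the conn=11888543 log pair are constructed for illustration.

```python
import re

# First two entries are the log lines from the message above (re-joined);
# the conn=11888543 pair is constructed to show an identity no rule matched.
SAMPLE_LOG = """\
Jan 23 14:29:00 ldap1 slapd[22096]: conn=11888542 op=2 BIND authcid="webauth/proxy.stanford.edu@stanford.edu" authzid="webauth/proxy.stanford.edu@stanford.edu"
Jan 23 14:29:00 ldap1 slapd[22096]: conn=11888542 op=2 BIND dn="cn=proxy,cn=webauth,cn=applications,dc=stanford,dc=edu" mech=GSSAPI ssf=56
Jan 23 14:29:05 ldap1 slapd[22096]: conn=11888543 op=2 BIND authcid="host/example@stanford.edu" authzid="host/example@stanford.edu"
Jan 23 14:29:05 ldap1 slapd[22096]: conn=11888543 op=2 BIND dn="uid=host/example,cn=stanford.edu,cn=gssapi,cn=auth" mech=GSSAPI ssf=56
"""

BIND = re.compile(r'conn=(\d+) op=(\d+) BIND (.*)$')
IDS = re.compile(r'authcid="([^"]*)" authzid="([^"]*)"')
# \bssf= skips a preceding sasl_ssf= field if the server logs one.
RESULT = re.compile(r'dn="([^"]*)" mech=(\S+).*?\bssf=(\d+)')


def correlate_binds(log_text):
    """Merge the two SASL BIND lines of each (conn, op) into one record."""
    binds = {}
    for line in log_text.splitlines():
        m = BIND.search(line)
        if not m:
            continue
        key = (int(m.group(1)), int(m.group(2)))
        ids, res = IDS.search(m.group(3)), RESULT.search(m.group(3))
        if ids:
            binds.setdefault(key, {}).update(
                authcid=ids.group(1), authzid=ids.group(2))
        elif res:
            binds.setdefault(key, {}).update(
                dn=res.group(1), mech=res.group(2), ssf=int(res.group(3)))
    return binds


def unmapped(binds):
    """Keys of binds whose DN is still under cn=auth (no mapping applied)."""
    return sorted(key for key, rec in binds.items()
                  if rec.get("dn", "").lower().endswith(",cn=auth"))


if __name__ == "__main__":
    records = correlate_binds(SAMPLE_LOG)
    for key, rec in sorted(records.items()):
        print(key, rec.get("authcid"), "->", rec.get("dn"))
    print("unmapped:", unmapped(records))
```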