[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
openldap and kerberos auth-to-local rules
Hello list.
I successfuly configured OpenLDAP for kerberos autentication, and user
mapping:
authz-regexp "uid=([^,]+),cn=gssapi,cn=auth"
"ldap:///ou=users,dc=futurs,dc=inria,dc=fr??sub?(uid=$1)"
However, mapping doesn't work when autenticating with a user from a
different realm than the one from the server. The logs show the realm is
not stripped from username, as it should be:
Oct 5 17:30:45 babaorum slapd[28598]: conn=24 op=2 BIND
authcid="rousse@SACLAY.INRIA.FR" authzid="rousse@SACLAY.INRIA.FR"
Oct 5 17:30:45 babaorum slapd[28598]: conn=24 op=2 BIND
dn="uid=rousse@saclay.inria.fr,cn=gssapi,cn=auth" mech=GSSAPI
sasl_ssf=56 ssf=56
authcid should be 'rousse', not 'rousse@SACLAY.INRIA.FR'. This is a
classic problem, and kerberos provides mapping rules for users of
external domains, such as described here:
http://www.fnal.gov/docs/strongauth2003/html/krb5conf.html
I used those rules succesfully with mod_krb, for instance. However,
openldap seems to ignore them. I had to change the previous regexp to:
authz-regexp "uid=([^,@]+)(@[^,]+)?,cn=gssapi,cn=auth"
"ldap:///ou=users,dc=futurs,dc=inria,dc=fr??sub?(uid=$1)
Is this intentional ?
--
BOFH excuse #58:
high pressure system failure