Re: Handling slapd.d in OpenLDAP and Kerberos
- To: "sarathkrishna89@gmail.com" <sarathkrishna89@gmail.com>
- Subject: Re: Handling slapd.d in OpenLDAP and Kerberos
- From: Brian Candler <B.Candler@pobox.com>
- Date: Sun, 9 Jan 2011 15:13:56 +0530
- Cc: openldap-technical@openldap.org
- In-reply-to: <AANLkTimuLyjAKuf0hzEMBX1ys+eXNb4zHXckYtYmr7RZ@mail.gmail.com>
- References: <AANLkTimuLyjAKuf0hzEMBX1ys+eXNb4zHXckYtYmr7RZ@mail.gmail.com>
- User-agent: Mutt/1.5.20 (2009-06-14)
On Fri, Jan 07, 2011 at 09:22:01PM +0530, sarathkrishna89@gmail.com wrote:
> For authenticating via OpenLDAP, the principals need to be rewritten
> (using authz-policy and authz-regexp). We know how to do
> that in older versions of OpenLDAP (which had slapd.conf) but don't know
> how to do the same in the new OpenLDAP, which has a slapd.d directory instead.
> The manuals also don't say anything on this issue.
man slapd-config
scroll down to:
olcAuthzPolicy
olcAuthzRegexp
> authz-regexp
> uid=(.*),cn=example.com,cn=GSSAPI,cn=auth
> uid=$1,ou=people,dc=example,dc=com
If you are using multiple Kerberos realms, please note that the current
documentation of the authentication DNs is wrong (see ITS#6757).
Proposed correction is below.
Regards,
Brian.
--- openldap/doc/guide/admin/sasl.sdf.orig 2011-01-03 15:15:55.754879001 +0530
+++ openldap/doc/guide/admin/sasl.sdf 2011-01-03 15:38:55.188208002 +0530
@@ -135,25 +135,35 @@
For the purposes of authentication and authorization, {{slapd}}(8)
associates an authentication request DN of the form:
-> uid=<primary[/instance]>,cn=<realm>,cn=gssapi,cn=auth
+> uid=<primary[/instance][@realm]>,cn=gssapi,cn=auth
+
+The realm is omitted by Cyrus SASL if it's equal to the default realm of the
+server in {{FILE:/etc/krb5.conf}}.
Continuing our example, a user with the Kerberos principal
{{EX:kurt@EXAMPLE.COM}} would have the associated DN:
-> uid=kurt,cn=example.com,cn=gssapi,cn=auth
+> uid=kurt,cn=gssapi,cn=auth
and the principal {{EX:ursula/admin@FOREIGN.REALM}} would have the
associated DN:
-> uid=ursula/admin,cn=foreign.realm,cn=gssapi,cn=auth
+> uid=ursula/admin@foreign.realm,cn=gssapi,cn=auth
-The authentication request DN can be used directly ACLs and
+The authentication request DN can be used directly in ACLs and
{{EX:groupOfNames}} "member" attributes, since it is of legitimate
LDAP DN format. Or alternatively, the authentication DN could be
mapped before use. See the section {{SECT:Mapping Authentication
Identities}} for details.
+If you configure olcSaslRealm then it is always inserted as an extra
+component in the authorization DN, regardless of the realm of the client.
+For example, if you set olcSaslRealm to {{EX:example.com}} then you will
+get:
+
+> uid=kurt,cn=example.com,cn=gssapi,cn=auth
+> uid=ursula/admin@foreign.realm,cn=example.com,cn=gssapi,cn=auth
H3: KERBEROS_V4
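Review bot: the new olcSaslRealm paragraph says "authorization DN" while the rest of the section calls this DN the "authentication request DN"; use the same term, since the DN is formed before any authz-regexp mapping is applied. The two added example DNs also make a consequence worth stating in the same paragraph: a default-realm principal now yields `uid=kurt,cn=gssapi,cn=auth` while a foreign one yields `uid=ursula/admin@foreign.realm,cn=gssapi,cn=auth`, so a mapping rule written as `uid=(.*),cn=gssapi,cn=auth` captures the foreign principal together with its `@realm` suffix, and a rule written for the old `cn=<realm>` form stops matching altogether; suggest one sentence advising that rules intended for the default realm match a uid without `@` (for example `uid=([^@,]*),cn=gssapi,cn=auth`) and that existing rules be re-checked after this change.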
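The following is an added example, not code from this thread or from OpenLDAP. It models in Python what the corrected guide text above describes: how the authentication request DN is formed for a default-realm and a foreign-realm principal (with and without olcSaslRealm), and how an ordered list of authz-regexp / olcAuthzRegexp rules is applied to it, so that the effect of the rule in the original question can be checked against both DN forms. Assumptions (not from the page): matching is modelled with Python's `re.search`, case-insensitively, and realms are lowercased as in the guide's examples; slapd's `$1` replacement syntax is translated to Python's `\1`; the LDIF renderer only formats the `olcAuthzRegexp` attribute of `cn=config` as documented in slapd-config(5) and does not talk to a server.

```python
import re

# --- Authentication request DN, per the corrected sasl.sdf text (model) ---

def auth_request_dn(principal, default_realm, sasl_realm=None):
    """Build uid=<primary[/instance][@realm]>,cn=gssapi,cn=auth.

    The @realm suffix is omitted when the principal's realm equals the
    server's default realm; if olcSaslRealm is configured it is inserted
    as an extra cn= component regardless of the client's realm.
    Realms are lowercased as in the guide's examples (assumption).
    """
    name, _, realm = principal.partition("@")
    if realm.lower() == default_realm.lower():
        uid = name
    else:
        uid = f"{name}@{realm.lower()}"
    parts = [f"uid={uid}"]
    if sasl_realm:
        parts.append(f"cn={sasl_realm.lower()}")
    parts += ["cn=gssapi", "cn=auth"]
    return ",".join(parts)


# --- authz-regexp / olcAuthzRegexp mapping (toy model of slapd behaviour) ---

def _to_python_replacement(replace):
    # slapd writes back-references as $1..$9; Python's re uses \1..\9.
    return re.sub(r"\$(\d)", r"\\\1", replace)


def apply_authz_regexp(auth_dn, rules):
    """Try (pattern, replacement) rules in order; the first pattern that
    matches wins and its expanded replacement is the resulting DN.
    With no match the authentication DN is used unchanged.
    Matching is case-insensitive here (assumption mirroring DN normalisation)."""
    for pattern, replace in rules:
        m = re.search(pattern, auth_dn, re.IGNORECASE)
        if m:
            return m.expand(_to_python_replacement(replace))
    return auth_dn


def olc_authz_regexp_ldif(rules):
    """Render the rules as an ldapmodify LDIF for cn=config. olcAuthzRegexp is
    an ordered attribute, hence the {n} prefixes (slapd-config(5))."""
    lines = ["dn: cn=config", "changetype: modify", "replace: olcAuthzRegexp"]
    for i, (pattern, replace) in enumerate(rules):
        lines.append(f'olcAuthzRegexp: {{{i}}}"{pattern}" "{replace}"')
    return "\n".join(lines) + "\n"


# Constructed rule sets for the comparison.
# The rule from the original question, written for the old cn=<realm> DN form:
OLD_RULES = [(r"^uid=(.*),cn=example\.com,cn=gssapi,cn=auth$",
              "uid=$1,ou=people,dc=example,dc=com")]
# A naive port to the new DN form: (.*) also swallows an @realm suffix.
NAIVE_RULES = [(r"^uid=(.*),cn=gssapi,cn=auth$",
                "uid=$1,ou=people,dc=example,dc=com")]
# Rules that keep default-realm and foreign-realm principals apart.
SAFE_RULES = [
    (r"^uid=([^@,]+),cn=gssapi,cn=auth$",
     "uid=$1,ou=people,dc=example,dc=com"),
    (r"^uid=([^@,]+)@foreign\.realm,cn=gssapi,cn=auth$",
     "uid=$1,ou=foreign,dc=example,dc=com"),
]


def main():
    default_realm = "EXAMPLE.COM"
    for principal in ("kurt@EXAMPLE.COM", "ursula/admin@FOREIGN.REALM"):
        dn = auth_request_dn(principal, default_realm)
        print(f"{principal:28} -> {dn}")
        print(f"    old rule  : {apply_authz_regexp(dn, OLD_RULES)}")
        print(f"    naive rule: {apply_authz_regexp(dn, NAIVE_RULES)}")
        print(f"    safe rules: {apply_authz_regexp(dn, SAFE_RULES)}")
        print(f"    with olcSaslRealm: "
              f"{auth_request_dn(principal, default_realm, 'example.com')}")
    print(olc_authz_regexp_ldif(SAFE_RULES))


if __name__ == "__main__":
    main()
```

Running it shows the two failure modes the patch implies: the old rule no longer matches the default-realm DN at all (the client keeps its unmapped `cn=auth` DN, so ACLs written for `ou=people` stop applying), and the naive rule maps `ursula/admin@foreign.realm` under `ou=people` with the realm suffix still in the uid. The safe rules map `kurt` to `ou=people` and the foreign principal to a separate subtree.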