
Re: ldap, kerberos and authorization by group membership



In my reading of the admin guide (section 15.2.5 - .7), mapping of a "username" to a DN is a common configuration, and allows for other functionality.  I am trying to use the below Authz RegExp to do the mapping:

olcAuthzRegexp: {0}uid=([^,]+),cn=bpk2.com,cn=gssapi,cn=auth uid=$1,ou=Users,dc=bpk2,dc=com

I am no regex guru, so I don't know if the above is appropriate.  If I compare the above to the admin guide, I notice that mine is uid=([^,]+), whereas the docs show uid=([^,]*).  The + vs. the * might be an issue.  Can that be confirmed?

On Sat, Mar 16, 2013 at 2:27 PM, Dan White <dwhite@olp.net> wrote:
In my experience, authorization is not a standardized concept, even among
servers that support sasl, ldap, and/or kerberos authentication.

In general, approaches which are most likely to bear fruit:

unix group membership
=====================

Install an ldap nss module on the server, and add objectClass posixGroup to
your group entries. Specify "member: <user_id>" for each member of the
group. Find out if a given server (such as squid) supports such authorization,
either by way of a getgrent system call (such as with openssh), or via some
pam group module during authentication.

RADIUS (freeradius ldap backend)
================================

If the server supports radius authentication, then you have flexibility in
granting authentication based on an ldap attribute or ldap group membership,
by way of its ldap backend module.

pam ldap module
===============

If the server supports pam authentication, then use an ldap pam module
(nssov, pam-nss-ldapd, or pam_ldap) to grant authentication based on
an ldap attribute or ldap group membership.

I'm not aware of a way to grant authorization solely by using kerberos.

--
Dan White
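To check the + vs. * question above, here is an added Python emulation of how the olcAuthzRegexp rule rewrites a SASL GSSAPI identity into a DN. It is not slapd's own code: it assumes slapd's case-insensitive extended-regex matching and $N backreference substitution, and the identities fed to it are constructed samples. It goes one step beyond the question by also showing what the unescaped "." in cn=bpk2.com matches.

```python
import re

# The rule from the thread, split into its match and replace halves.
MATCH_PLUS = r"uid=([^,]+),cn=bpk2.com,cn=gssapi,cn=auth"
# The admin-guide flavour with * instead of + (empty uid allowed).
MATCH_STAR = r"uid=([^,]*),cn=bpk2.com,cn=gssapi,cn=auth"
# Tightened variant (assumption, not from the thread): the "." is escaped
# so it only matches a literal dot in the realm.
MATCH_PLUS_ESCAPED = r"uid=([^,]+),cn=bpk2\.com,cn=gssapi,cn=auth"
REPLACE = "uid=$1,ou=Users,dc=bpk2,dc=com"


def authz_map(authc_id, match, replace):
    """Return the DN the rule maps authc_id to, or None if it does not match.

    Assumes (as slapd does) a case-insensitive extended regex and $N
    backreferences in the replacement string, where $0 is the whole match.
    """
    m = re.search(match, authc_id, re.IGNORECASE)
    if not m:
        return None

    def backref(g):
        n = int(g.group(1))
        return (m.group(n) or "") if n <= m.re.groups else ""

    return re.sub(r"\$(\d+)", backref, replace)


def compare(authc_id):
    """Map one identity with the + and * variants; returns (plus, star)."""
    return (authz_map(authc_id, MATCH_PLUS, REPLACE),
            authz_map(authc_id, MATCH_STAR, REPLACE))


if __name__ == "__main__":
    # Constructed sample identities, in the form slapd builds for GSSAPI.
    for ident in ("uid=alice,cn=BPK2.COM,cn=gssapi,cn=auth",   # normal case
                  "uid=,cn=bpk2.com,cn=gssapi,cn=auth",        # empty uid
                  "uid=bob,cn=other.org,cn=gssapi,cn=auth",    # other realm
                  "uid=eve,cn=bpk2xcom,cn=gssapi,cn=auth"):    # "." is a wildcard
        print(ident, "->", compare(ident),
              "escaped:", authz_map(ident, MATCH_PLUS_ESCAPED, REPLACE))
```

With * the empty-uid identity is rewritten to uid=,ou=Users,dc=bpk2,dc=com (an empty RDN value, not a usable DN) while + simply fails to match, and only the escaped pattern refuses the realm spelled without a dot.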