Re: authz-regexp behavior with GSSAPI
From: Dan White [dwhite@olp.net]
Sent: Sunday, August 30, 2015 10:09 AM
To: Peter Heinemann
Cc: openldap-technical@openldap.org
Subject: Re: authz-regexp behavior with GSSAPI
On 08/26/15 12:51 +0000, Peter Heinemann wrote:
> I am trying to figure out different behaviors with authz-regexp in slapd.conf.
Any differences in your /etc/krb5.conf? What is your default realm? Any
differences in the libraries you're using (cyrus-sasl and kerberos)?
On 08/31/15 13:52 +0000, Peter Heinemann wrote:
> Here are version details:
> openldap 2.4-39
> RHEL 6.5
> cyrus-sasl and cyrus-sasl-gssapi 2.1.23-15
> krb5-libs 1.10.3-42
>
> It appears that cross-realm authentication is problematic. In the
> following results, "success" means that the search specified by the regex
> occurred and the identity was remapped. Both commands used GSSAPI (-Y for
> ldapwhoami, -M for slapauth):
>
> so:
> slapauth appears to work if a realm is explicitly specified with -R (either cross-realm or within realm), but won't remap if the realm isn't specified.
> ldapwhoami (and ldapsearch) works within a realm whether or not the realm is specified with -R; but won't remap if -R specifies a different realm.
There are several possibilities as to why this behavior might occur. You
might be able to change sasl-host/sasl-realm to make things work
consistently, or change your default realm in krb5.conf.
The pragmatic solution would be to create more than one authz-regexp to
match each/all cases, so that future Kerberos changes don't break your
setup.
--
Dan White
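An added slapd.conf fragment illustrating the "more than one authz-regexp" approach suggested above; it is not from the thread, and the realm names, suffix and attribute are placeholders. It assumes the standard SASL authorization DN forms slapd builds for GSSAPI, with and without a cn=<realm> component.

```conf
# Constructed example (not from the thread). Rules are checked in order
# and the first matching regexp is used, so list the most specific first.

# Case 1: realm present in the SASL auth DN and it is our own realm.
# Seen e.g. as uid=alice,cn=EXAMPLE.COM,cn=gssapi,cn=auth
authz-regexp
  "^uid=([^,]+),cn=EXAMPLE\.COM,cn=gssapi,cn=auth$"
  "ldap:///ou=people,dc=example,dc=com??sub?(uid=$1)"

# Case 2: realm stripped by the SASL layer (in-realm client with no -R).
# Seen as uid=alice,cn=gssapi,cn=auth
authz-regexp
  "^uid=([^,]+),cn=gssapi,cn=auth$"
  "ldap:///ou=people,dc=example,dc=com??sub?(uid=$1)"

# Case 3: a trusted cross-realm principal, mapped to its own subtree so
# PARTNER.COM users cannot collide with local uids.
authz-regexp
  "^uid=([^,]+),cn=PARTNER\.COM,cn=gssapi,cn=auth$"
  "ldap:///ou=partner,dc=example,dc=com??sub?(uid=$1)"

# Anything else (unknown realm) matches no rule and keeps its unmapped
# SASL DN, so it gets only whatever access that DN is granted.
```

Each mapping search must return exactly one entry for the remap to take effect; `slapauth -R <REALM> -M GSSAPI <user>` can be used to confirm which rule a given identity hits.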