--On Tuesday, January 23, 2007 4:33 PM -0500 Kenneth Rogers kenneth.rogers@gmail.com wrote:
Hi,
After a successful GSSAPI binding, is there an easy way to get the DN for that user from the server?
Well, are you mapping the users to an entry in the server? If yes, then use that DN.
If not, then use the SASL authz ID. The logs are generally pretty clear at loglevel 256 what DN is being used.
For example:
Jan 23 14:29:00 ldap1 slapd[22096]: conn=11888542 op=2 BIND authcid="webauth/proxy.stanford.edu@stanford.edu" authzid="webauth/proxy.stanford.edu@stanford.edu"
So here's the authz DN (webauth/proxy.stanford.edu@stanford.edu).
Jan 23 14:29:00 ldap1 slapd[22096]: conn=11888542 op=2 BIND dn="cn=proxy,cn=webauth,cn=applications,dc=stanford,dc=edu" mech=GSSAPI ssf=56
And here's the DN of what I map it to:
cn=proxy,cn=webauth,cn=applications,dc=stanford,dc=edu
In case you haven't played with mappings, here's how the mapping is done:
sasl-regexp uid=webauth/(.*),cn=stanford.edu,cn=gssapi,cn=auth ldap:///cn=Webauth,cn=Applications,dc=stanford,dc=edu??sub?krb5PrincipalName=webauth/$1@stanford.edu
And this is what the internal entry looks like:
ldap1:~> lsearch cn=proxy
dn: cn=proxy,cn=webauth,cn=applications,dc=stanford,dc=edu
objectClass: applicationProcess
objectClass: suApplication
objectClass: krb5Principal
cn: proxy
description: webauth access for proxy.stanford.edu
krb5PrincipalName: webauth/proxy.stanford.edu@stanford.edu
Just to give you some thoughts to ponder. ;)
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
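As an added illustration of the sasl-regexp mapping described in the reply above (example code, not from the post or from OpenLDAP): it builds the uid=<user>,cn=<realm>,cn=gssapi,cn=auth identity that slapd matches sasl-regexp patterns against, expands $1 into the LDAP URL, and resolves that URL against a small constructed in-memory stand-in for the directory. Treating anything other than exactly one search hit as a failed mapping is this example's choice, so an ambiguous rule can never silently select an entry.

```python
import re

# Constructed stand-in for the subtree shown in the lsearch output above
# (not a real directory); only the attributes the mapping needs are present.
DIRECTORY = {
    "cn=proxy,cn=webauth,cn=applications,dc=stanford,dc=edu": {
        "cn": ["proxy"],
        "krb5PrincipalName": ["webauth/proxy.stanford.edu@stanford.edu"],
    },
    "cn=other,cn=webauth,cn=applications,dc=stanford,dc=edu": {
        "cn": ["other"],
        "krb5PrincipalName": ["webauth/other.stanford.edu@stanford.edu"],
    },
}

# The sasl-regexp rule quoted in the post, as a (pattern, replacement URL) pair.
SASL_REGEXP = (
    r"uid=webauth/(.*),cn=stanford.edu,cn=gssapi,cn=auth",
    "ldap:///cn=Webauth,cn=Applications,dc=stanford,dc=edu??sub?krb5PrincipalName=webauth/$1@stanford.edu",
)


def sasl_auth_dn(principal, mech="gssapi"):
    """Build the uid=<user>,cn=<realm>,cn=<mech>,cn=auth identity that slapd
    derives from a SASL authentication ID and matches sasl-regexp against."""
    user, _, realm = principal.partition("@")
    return f"uid={user},cn={realm},cn={mech},cn=auth"


def map_to_entry(principal, directory, rule=SASL_REGEXP):
    """Apply one sasl-regexp rule and resolve its LDAP URL against `directory`.
    Returns the mapped DN, or None when the pattern does not match or the
    search does not yield exactly one entry (treated here as a failed mapping)."""
    pattern, url = rule
    m = re.fullmatch(pattern, sasl_auth_dn(principal), re.IGNORECASE)
    if not m:
        return None
    # Expand $1, $2, ... from the captured groups into the URL.
    url = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), url)
    # ldap:///<base>?<attrs>?<scope>?<filter>; any field may be empty.
    base, _attrs, scope, flt = (url[len("ldap:///"):].split("?") + [""] * 3)[:4]
    attr, _, value = flt.strip("()").partition("=")  # simple equality filter only
    base = base.lower()  # DNs compare case-insensitively; attribute value is exact
    hits = []
    for dn, entry in directory.items():
        in_scope = dn.lower() == base or (scope == "sub" and dn.lower().endswith("," + base))
        if in_scope and value in entry.get(attr, []):
            hits.append(dn)
    return hits[0] if len(hits) == 1 else None
```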