Hello list.
I successfully configured OpenLDAP for Kerberos authentication, and user mapping:
authz-regexp "uid=([^,]+),cn=gssapi,cn=auth" "ldap:///ou=users,dc=futurs,dc=inria,dc=fr??sub?(uid=$1)"
However, mapping doesn't work when authenticating with a user from a different realm than the one from the server. The logs show the realm is not stripped from the username, as it should be:
Oct 5 17:30:45 babaorum slapd[28598]: conn=24 op=2 BIND authcid="rousse@SACLAY.INRIA.FR" authzid="rousse@SACLAY.INRIA.FR"
Oct 5 17:30:45 babaorum slapd[28598]: conn=24 op=2 BIND dn="uid=rousse@saclay.inria.fr,cn=gssapi,cn=auth" mech=GSSAPI sasl_ssf=56 ssf=56
authcid should be 'rousse', not 'rousse@SACLAY.INRIA.FR'. This is a classic problem, and kerberos provides mapping rules for users of external domains, such as described here: http://www.fnal.gov/docs/strongauth2003/html/krb5conf.html
I used those rules successfully with mod_krb, for instance. However, OpenLDAP seems to ignore them. I had to change the previous regexp to:
authz-regexp "uid=([^,@]+)(@[^,]+)?,cn=gssapi,cn=auth" "ldap:///ou=users,dc=futurs,dc=inria,dc=fr??sub?(uid=$1)"
Is this intentional?
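To make the behaviour of the two authz-regexp lines above concrete, here is a small emulation (added example, not code from the post or from OpenLDAP) that builds the SASL DN slapd logs for a GSSAPI bind, applies each rule, and reports which uid the resulting search filter would look up. The emulation assumes slapd matches the pattern case-insensitively against a lowercased identity, as the log line suggests; the third, realm-restricted rule is an addition of this example, showing how to strip only one trusted realm instead of any realm.

```python
import re

# Constructed sample rules: the two from the post, plus a realm-restricted
# variant (assumption of this example) that only strips the one external
# realm the server is meant to accept, so "rousse@OTHER.EXAMPLE" is not
# silently mapped onto the local "rousse" entry.
LDAP_URL = "ldap:///ou=users,dc=futurs,dc=inria,dc=fr??sub?(uid=$1)"
ORIGINAL_RULE = (r"uid=([^,]+),cn=gssapi,cn=auth", LDAP_URL)
FIXED_RULE = (r"uid=([^,@]+)(@[^,]+)?,cn=gssapi,cn=auth", LDAP_URL)
STRICT_RULE = (r"uid=([^,@]+)(@saclay\.inria\.fr)?,cn=gssapi,cn=auth", LDAP_URL)


def sasl_dn(authcid):
    """Form the DN slapd builds from the SASL authcid; the log in the post
    shows the realm lowercased, so this emulation does the same."""
    return f"uid={authcid.lower()},cn=gssapi,cn=auth"


def apply_authz_regexp(rule, dn):
    """Emulate one authz-regexp line: the pattern must match the whole DN
    and $1..$9 in the replacement are expanded from the capture groups.
    Returns the rewritten LDAP URL, or None when the rule does not apply."""
    pattern, template = rule
    m = re.fullmatch(pattern, dn, flags=re.IGNORECASE)  # case-insensitivity assumed
    if m is None:
        return None
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", template)


def mapped_uid(rule, authcid):
    """Return the uid the rule's search filter would look up, or None."""
    url = apply_authz_regexp(rule, sasl_dn(authcid))
    if url is None:
        return None
    filt = url.rsplit("?", 1)[-1]          # the "(uid=...)" filter part
    return filt[len("(uid="):-1]


if __name__ == "__main__":
    for who in ("rousse", "rousse@SACLAY.INRIA.FR", "rousse@OTHER.EXAMPLE"):
        print(f"{who:24} original={mapped_uid(ORIGINAL_RULE, who)!s:24}"
              f" fixed={mapped_uid(FIXED_RULE, who)!s:8}"
              f" strict={mapped_uid(STRICT_RULE, who)}")
```

With the original rule the cross-realm bind searches for uid=rousse@saclay.inria.fr, which matches no entry, while the fixed rule maps any realm's "rousse" onto the same local entry; the strict variant is the one to prefer when more than one realm can reach the server.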
Guillaume Rousse wrote:
> Hello list.
> I successfully configured OpenLDAP for Kerberos authentication, and user mapping:
> authz-regexp "uid=([^,]+),cn=gssapi,cn=auth" "ldap:///ou=users,dc=futurs,dc=inria,dc=fr??sub?(uid=$1)"
> However, mapping doesn't work when authenticating with a user from a different realm than the one from the server. The logs show the realm is not stripped from the username, as it should be:
> Oct 5 17:30:45 babaorum slapd[28598]: conn=24 op=2 BIND authcid="rousse@SACLAY.INRIA.FR" authzid="rousse@SACLAY.INRIA.FR"
> Oct 5 17:30:45 babaorum slapd[28598]: conn=24 op=2 BIND dn="uid=rousse@saclay.inria.fr,cn=gssapi,cn=auth" mech=GSSAPI sasl_ssf=56 ssf=56
> authcid should be 'rousse', not 'rousse@SACLAY.INRIA.FR'. This is a classic problem, and kerberos provides mapping rules for users of external domains, such as described here: http://www.fnal.gov/docs/strongauth2003/html/krb5conf.html
> I used those rules successfully with mod_krb, for instance. However, OpenLDAP seems to ignore them. I had to change the previous regexp to:
> authz-regexp "uid=([^,@]+)(@[^,]+)?,cn=gssapi,cn=auth" "ldap:///ou=users,dc=futurs,dc=inria,dc=fr??sub?(uid=$1)"
> Is this intentional?
The name you see here is the name that Cyrus SASL gave to slapd. To answer the question "is this intentional" you will have to ask the authors of the Cyrus SASL/GSSAPI plugin.