On Wed, Dec 29, 2010 at 05:40:05PM +0000, Brian Candler wrote:
However I've done some testing, and the interaction between the krb5 default realm, the olcSaslRealm and the actual realm of the request appears to be rather bizarre.
I found a hint here: http://www.cyrusimap.org/docs/cyrus-sasl/2.1.23/gssapi.php
"if for example you're using Kerberos, the Cyrus SASL library strips out the @REALM from your identity if you are in the same realm as the server"
This begs the question of what the "server's realm" actually means, and my previous tests suggest this is just the default realm from krb5.conf. The olcSaslRealm is a string which is pasted back in if the @REALM has been stripped out.
To test this properly, I had to set up an environment with cross-realm auth. The two realms are WS.NSRC.ORG and REALM3.WS.NSRC.ORG.
The LDAP server has default_realm=WS.NSRC.ORG and has olcSaslRealm set to EXAMPLE.COM.
(1) If the client has a ticket for inst@WS.NSRC.ORG then I get authDN="uid=inst,cn=example.com,cn=gssapi,cn=auth"
(2) If the client has a ticket for student@REALM3.WS.NSRC.ORG then I get authDN="uid=student@realm3.ws.nsrc.org,cn=example.com,cn=gssapi,cn=auth"
The server logs (slapd -d 255) for these two cases are shown below.
My result for case (2) is in disagreement with the examples at http://www.openldap.org/doc/admin24/sasl.html#GSSAPI
which suggests I should have seen
uid=student,cn=realm3.ws.nsrc.org,cn=gssapi,cn=auth
Regards,
Brian.
do_bind: dn () SASL mech GSSAPI
==> sasl_bind: dn="" mech=<continuing> datalen=32
SASL Canonicalize [conn=1000]: authcid="inst"
slap_sasl_getdn: conn 1000 id=inst [len=4]
=> ldap_dn2bv(16)
<= ldap_dn2bv(uid=inst,cn=EXAMPLE.COM,cn=GSSAPI,cn=auth)=0
slap_sasl_getdn: u:id converted to uid=inst,cn=EXAMPLE.COM,cn=GSSAPI,cn=auth
dnNormalize: <uid=inst,cn=EXAMPLE.COM,cn=GSSAPI,cn=auth>
=> ldap_bv2dn(uid=inst,cn=EXAMPLE.COM,cn=GSSAPI,cn=auth,0)
<= ldap_bv2dn(uid=inst,cn=EXAMPLE.COM,cn=GSSAPI,cn=auth)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=inst,cn=example.com,cn=gssapi,cn=auth)=0
<<< dnNormalize: <uid=inst,cn=example.com,cn=gssapi,cn=auth>
==>slap_sasl2dn: converting SASL name uid=inst,cn=example.com,cn=gssapi,cn=auth to a DN
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL Canonicalize [conn=1000]: slapAuthcDN="uid=inst,cn=example.com,cn=gssapi,cn=auth"
SASL proxy authorize [conn=1000]: authcid="inst@EXAMPLE.COM" authzid="inst@EXAMPLE.COM"
SASL Authorize [conn=1000]: proxy authorization allowed authzDN=""
send_ldap_sasl: err=0 len=-1
do_bind: SASL/GSSAPI bind: dn="uid=inst,cn=example.com,cn=gssapi,cn=auth" sasl_ssf=56

do_bind: dn () SASL mech GSSAPI
==> sasl_bind: dn="" mech=<continuing> datalen=32
SASL Canonicalize [conn=1000]: authcid="student@REALM3.WS.NSRC.ORG"
slap_sasl_getdn: conn 1000 id=student@REALM3.WS.NSRC.ORG [len=26]
=> ldap_dn2bv(16)
<= ldap_dn2bv(uid=student@REALM3.WS.NSRC.ORG,cn=EXAMPLE.COM,cn=GSSAPI,cn=auth)=0
slap_sasl_getdn: u:id converted to uid=student@REALM3.WS.NSRC.ORG,cn=EXAMPLE.COM,cn=GSSAPI,cn=auth
dnNormalize: <uid=student@REALM3.WS.NSRC.ORG,cn=EXAMPLE.COM,cn=GSSAPI,cn=auth>
=> ldap_bv2dn(uid=student@REALM3.WS.NSRC.ORG,cn=EXAMPLE.COM,cn=GSSAPI,cn=auth,0)
<= ldap_bv2dn(uid=student@REALM3.WS.NSRC.ORG,cn=EXAMPLE.COM,cn=GSSAPI,cn=auth)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=student@realm3.ws.nsrc.org,cn=example.com,cn=gssapi,cn=auth)=0
<<< dnNormalize: <uid=student@realm3.ws.nsrc.org,cn=example.com,cn=gssapi,cn=auth>
==>slap_sasl2dn: converting SASL name uid=student@realm3.ws.nsrc.org,cn=example.com,cn=gssapi,cn=auth to a DN
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL Canonicalize [conn=1000]: slapAuthcDN="uid=student@realm3.ws.nsrc.org,cn=example.com,cn=gssapi,cn=auth"
SASL proxy authorize [conn=1000]: authcid="student@REALM3.WS.NSRC.ORG" authzid="student@REALM3.WS.NSRC.ORG"
SASL Authorize [conn=1000]: proxy authorization allowed authzDN=""
send_ldap_sasl: err=0 len=-1
do_bind: SASL/GSSAPI bind: dn="uid=student@realm3.ws.nsrc.org,cn=example.com,cn=gssapi,cn=auth" sasl_ssf=56
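Added example, not from the post or from OpenLDAP: a small Python model of the authcid-to-authcDN mapping the two cases above show, using the realm names and olcSaslRealm value from the post. The parser at the end shows why a mapping rule on the LDAP side has to accept both shapes (realm in the uid, or realm in the cn component); its regex is Python syntax, not an olcAuthzRegexp rule.

```python
import re

# Model of the behaviour observed in the post (constructed, not slapd's code):
# Cyrus SASL strips @REALM from the Kerberos principal when it equals the
# server's default realm, slapd pastes olcSaslRealm in as cn=<realm>, and
# dnNormalize lower-cases the result.
DEFAULT_REALM = "WS.NSRC.ORG"   # default_realm in krb5.conf (from the post)
SASL_REALM = "EXAMPLE.COM"      # olcSaslRealm on the server (from the post)


def sasl_authcid(principal: str, default_realm: str = DEFAULT_REALM) -> str:
    """authcid handed to slapd: principal without @REALM if realm is the default one."""
    name, _, realm = principal.partition("@")
    return name if realm == default_realm else principal


def sasl_authc_dn(principal: str, sasl_realm: str = SASL_REALM,
                  default_realm: str = DEFAULT_REALM) -> str:
    """Normalized authcDN in the form the slapd debug log shows."""
    authcid = sasl_authcid(principal, default_realm)
    dn = f"uid={authcid},cn={sasl_realm},cn=GSSAPI,cn=auth"
    return dn.lower()   # dnNormalize lower-cases the values


# Accepts both observed shapes: an optional @realm inside the uid value, and
# the cn=<realm> component that always follows it.
AUTHC_DN_RE = re.compile(
    r"^uid=([^,@]+)(?:@([^,]+))?,cn=([^,]+),cn=gssapi,cn=auth$")


def split_authc_dn(dn: str):
    """Return (user, realm); the @realm in the uid wins over cn=<realm>."""
    m = AUTHC_DN_RE.match(dn)
    if m is None:
        return None
    user, uid_realm, cn_realm = m.groups()
    return user, (uid_realm or cn_realm)


if __name__ == "__main__":
    for p in ("inst@WS.NSRC.ORG", "student@REALM3.WS.NSRC.ORG"):
        dn = sasl_authc_dn(p)
        print(p, "->", dn, "->", split_authc_dn(dn))
```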