From: Dan White [dwhite@olp.net] Sent: Sunday, August 30, 2015 10:09 AM To: Peter Heinemann Cc: openldap-technical@openldap.org Subject: Re: authz-regexp behavior with GSSAPI
On 08/26/15 12:51 +0000, Peter Heinemann wrote:
> I am trying to figure out different behaviors with authz-regexp in slapd.conf.
Any differences in your /etc/krb5.conf? What is your default realm? Any differences in the libraries you're using (cyrus-sasl and kerberos)?
On 08/31/15 13:52 +0000, Peter Heinemann wrote:
> Here are version details:
>   openldap 2.4-39
>   RHEL 6.5
>   cyrus-sasl and cyrus-sasl-gssapi 2.1.23-15
>   krb5-libs 1.10.3-42
>
> It appears that cross-realm authentication is problematic. In the following results, "success" means that the search specified by the regex occurred and the identity was remapped. Both commands used GSSAPI (-Y for ldapwhoami, -M for slapauth):
>
> So: slapauth appears to work if a realm is explicitly specified with -R (either cross-realm or within realm), but won't remap if the realm isn't specified. ldapwhoami (and ldapsearch) works within a realm whether or not the realm is specified with -R; but won't remap if -R specifies a different realm.
There are several possibilities as to why this behavior might occur. You might be able to change sasl-host/sasl-realm to make things work consistently, or change your default realm in krb5.conf.
The pragmatic solution would be to create more than one authz-regexp to match each/all cases, so that future Kerberos changes don't break your setup.
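The slapd.conf fragment below is an added example of the "more than one authz-regexp" approach Dan suggests; it is not configuration from the thread or from the OpenLDAP project. It assumes a local realm EXAMPLE.COM, a trusted cross-realm OTHER.COM, and a directory under dc=example,dc=com, and it assumes the SASL authentication DN arrives in one of the forms documented in the OpenLDAP Administrator's Guide: uid=<user>[@<realm>],cn=gssapi,cn=auth or uid=<user>,cn=<realm>,cn=gssapi,cn=auth. Which form you actually get depends on the client (-R or not), the default realm in krb5.conf and the SASL library, which is exactly the variation reported above, so one rule per form is written rather than guessing.

```conf
# Added example (not from the thread): one authz-regexp per form the
# GSSAPI authentication DN can take, so remapping works whether or not
# a realm is supplied with -R and whether it is the default realm.
# Assumed names: realms EXAMPLE.COM and OTHER.COM, base dc=example,dc=com.
#
# Rules are tried in order and the first match wins. The patterns are
# anchored and exclude '@' and ',' from the captured user name, so a
# principal "user@OTHER.COM" can never be captured as "user" and looked
# up as if it were a local account with the same name.

# 1. Local realm carried in the uid component: uid=user@EXAMPLE.COM,...
authz-regexp
  "^uid=([^,@]*)@EXAMPLE.COM,cn=gssapi,cn=auth$"
  "ldap:///dc=example,dc=com??sub?(uid=$1)"

# 2. Local realm as its own RDN: uid=user,cn=EXAMPLE.COM,cn=gssapi,cn=auth
authz-regexp
  "^uid=([^,@]*),cn=EXAMPLE.COM,cn=gssapi,cn=auth$"
  "ldap:///dc=example,dc=com??sub?(uid=$1)"

# 3. No realm at all (default realm not included): uid=user,cn=gssapi,cn=auth
authz-regexp
  "^uid=([^,@]*),cn=gssapi,cn=auth$"
  "ldap:///dc=example,dc=com??sub?(uid=$1)"

# 4. Cross-realm principals from OTHER.COM, in both forms, map into a
#    separate subtree so they never collide with local uids.
authz-regexp
  "^uid=([^,@]*)@OTHER.COM,cn=gssapi,cn=auth$"
  "ldap:///ou=other,dc=example,dc=com??sub?(uid=$1)"
authz-regexp
  "^uid=([^,@]*),cn=OTHER.COM,cn=gssapi,cn=auth$"
  "ldap:///ou=other,dc=example,dc=com??sub?(uid=$1)"

# Any other realm matches no rule and stays as the raw cn=auth DN,
# which holds no entry and therefore no rights; that is the safe default.
```

The unescaped dots in the realm names follow the Administrator's Guide examples (a dot matches any character, which is harmless here). To verify each form, run the same checks Peter used: ldapwhoami -Y GSSAPI with and without -R to see which DN the mapping produced, and slapauth -M GSSAPI -U <user> with and without -R <realm> against the same slapd.conf, and confirm that a foreign-realm principal lands under ou=other rather than on a local entry.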