On Fri, Jan 07, 2011 at 09:22:01PM +0530, sarathkrishna89@gmail.com wrote:
> For authenticating via OpenLDAP, the principals need to be rewritten (using authz-policy and authz-regexp). We know how to do that in older versions of OpenLDAP which had slapd.conf but don't know how to do the same in the new OpenLDAP which has a slapd.d directory instead. The manuals also don't say anything on this issue.
man slapd-config
scroll down to:
olcAuthzPolicy
olcAuthzRegexp

authz-regexp uid=(.*),cn=example.com,cn=GSSAPI,cn=auth uid=$1,ou=people,dc=example,dc=com
If you are using multiple Kerberos realms, please note that the current documentation of auth DNs is wrong (see ITS#6757)
Proposed correction is below.
Regards,
Brian.
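To make the answer above concrete, here is an added example (not from Brian's message or from the OpenLDAP project) that models how olcAuthzRegexp rules map the GSSAPI authentication request DN, using the rule quoted in the message and the corrected DN forms from the proposed documentation patch. It assumes, as a simplification of slapd, that a pattern must cover the whole DN and that matching is case-insensitive (the message's own rule matches cn=GSSAPI against cn=gssapi); the rule sets RULES_GREEDY and RULES_SAFE, the container ou=partners and the principal someone@other.realm are constructed for the example.

```python
import re

# Mapping rules in the shape slapd stores them in cn=config:
#   olcAuthzRegexp: <match regex> <replacement with $1..$9>
# RULES_OLD is the rule quoted in the message; the other two sets are
# constructed for this example to contrast how they behave against the
# corrected DN forms from the proposed documentation patch.
RULES_OLD = [
    # Written for the old documented form uid=<user>,cn=<realm>,cn=gssapi,cn=auth
    (r"uid=(.*),cn=example.com,cn=GSSAPI,cn=auth",
     "uid=$1,ou=people,dc=example,dc=com"),
]

RULES_GREEDY = [
    # Adjusted for the corrected form, but (.*) swallows any "@realm" suffix
    (r"uid=(.*),cn=gssapi,cn=auth",
     "uid=$1,ou=people,dc=example,dc=com"),
]

RULES_SAFE = [
    # Default realm only: Cyrus SASL omits the realm there, so a uid that
    # contains '@' must not match this rule.
    (r"uid=([^@,]+),cn=gssapi,cn=auth",
     "uid=$1,ou=people,dc=example,dc=com"),
    # One foreign realm mapped explicitly to its own container
    # (ou=partners is a constructed name).
    (r"uid=([^@,]+)@foreign\.realm,cn=gssapi,cn=auth",
     "uid=$1,ou=partners,dc=example,dc=com"),
]


def authz_map(auth_dn, rules):
    """Model of slapd's authz-regexp evaluation: rules are tried in order and
    the first match wins; the replacement is built from $n back-references.
    Assumptions of this model (not taken from the page): the pattern must
    cover the whole DN and matching is case-insensitive.
    Returns the unchanged authentication DN when no rule matches."""
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, auth_dn, re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return auth_dn


def to_ldif(rules):
    """Render the rules as an ldapmodify LDIF against the cn=config entry,
    which is where olcAuthzRegexp lives (the slapd.d counterpart of the
    slapd.conf authz-regexp directive)."""
    lines = ["dn: cn=config", "changetype: modify", "replace: olcAuthzRegexp"]
    lines += [f"olcAuthzRegexp: {p} {r}" for p, r in rules]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    dns = [
        "uid=kurt,cn=gssapi,cn=auth",                        # default realm
        "uid=ursula/admin@foreign.realm,cn=gssapi,cn=auth",  # known foreign realm
        "uid=someone@other.realm,cn=gssapi,cn=auth",         # unknown realm (constructed)
    ]
    for name, rules in (("old", RULES_OLD), ("greedy", RULES_GREEDY), ("safe", RULES_SAFE)):
        for dn in dns:
            print(f"{name:6} {dn} -> {authz_map(dn, rules)}")
    print(to_ldif(RULES_SAFE))
```

Running it shows three behaviours worth knowing before editing cn=config: the message's rule, written for the old form with cn=<realm>, stops matching the corrected DN of a default-realm user unless olcSaslRealm is set, so that user is left with the raw cn=auth DN; the greedy rule turns the foreign principal into a DN beneath ou=people, which a `by dn.subtree="ou=people,dc=example,dc=com"` ACL clause accepts whether or not such an entry exists; the RULES_SAFE set maps the default realm and one named foreign realm and deliberately leaves any other realm unmapped.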
--- openldap/doc/guide/admin/sasl.sdf.orig 2011-01-03 15:15:55.754879001 +0530 +++ openldap/doc/guide/admin/sasl.sdf 2011-01-03 15:38:55.188208002 +0530 @@ -135,25 +135,35 @@ For the purposes of authentication and authorization, {{slapd}}(8) associates an authentication request DN of the form:
-> uid=<primary[/instance]>,cn=<realm>,cn=gssapi,cn=auth +> uid=<primary[/instance][@realm]>,cn=gssapi,cn=auth + +The realm is omitted by Cyrus SASL if it's equal to the default realm of the +server in {{FILE:/etc/krb5.conf}}.
Continuing our example, a user with the Kerberos principal {{EX:kurt@EXAMPLE.COM}} would have the associated DN:
-> uid=kurt,cn=example.com,cn=gssapi,cn=auth +> uid=kurt,cn=gssapi,cn=auth
and the principal {{EX:ursula/admin@FOREIGN.REALM}} would have the associated DN:
-> uid=ursula/admin,cn=foreign.realm,cn=gssapi,cn=auth +> uid=ursula/admin@foreign.realm,cn=gssapi,cn=auth
-The authentication request DN can be used directly ACLs and +The authentication request DN can be used directly in ACLs and {{EX:groupOfNames}} "member" attributes, since it is of legitimate LDAP DN format. Or alternatively, the authentication DN could be mapped before use. See the section {{SECT:Mapping Authentication Identities}} for details.
+If you configure olcSaslRealm then it is always inserted as an extra +component in the authorization DN, regardless of the realm of the client. +For example, if you set olcSaslRealm to {{EX:example.com}} then you will +get: + +> uid=kurt,cn=example.com,cn=gssapi,cn=auth +> uid=ursula/admin@foreign.realm,cn=example.com,cn=gssapi,cn=auth
H3: KERBEROS_V4
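Review bot: the hunk changes where the realm appears in the authentication request DN (now an optional "@realm" inside the uid value, absent for the default realm) but adds no caution that mapping rules written for the old "cn=<realm>" form stop matching, and that a pattern such as "uid=(.*),cn=gssapi,cn=auth" captures principal@realm as one string; a sentence to that effect belongs next to the reference to {{SECT:Mapping Authentication Identities}}, and that section should be checked for examples still using the old form. In the new olcSaslRealm paragraph, "authorization DN" should read "authentication request DN" to match the context lines above, since the guide distinguishes the authentication identity from the authorization identity it may be mapped to, and the paragraph could also name the slapd.conf equivalent, sasl-realm, for readers of the older configuration format the original poster asked about. Minor: "if it's equal to" reads better as "if it is equal to" in reference text.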