Hi Chavez, There are two stages involved while logging in (assuming that you are using a standard Linux system with PAM and NSS).
1. Authentication (via PAM -> Kerberos / AD / LDAP / shadow file etc.).
2. Authorization and fetching user information (via NSS -> LDAP / passwd file etc.).
So when you try to log in using the id "joe_montana", first joe_montana and his credentials are checked using PAM -> Kerberos. If this works, an attempt is then made to fetch his details via NSS -> LDAP for the DN uid=joe_montana,ou=People,dc=example,dc=com.
Now when you use the authz-regexp expression I had given you in one of my previous mails and try to log in using "joe_montana", first joe_montana and his credentials are checked using PAM -> Kerberos and then his details are fetched via NSS -> LDAP for the DN uid=jmontana,ou=People,dc=example,dc=com.
Setting userPassword to {SASL}... only makes sense if you are trying to authenticate using PAM -> LDAP. So if you would like to log in using the id "jmontana" and have your credentials checked against those of joe_montana in Kerberos (which is what you actually seem to want), you need not use any authz-regexp expression in slapd.conf but just set the userPassword attribute of uid=jmontana,ou=People,dc=example,dc=com to {SASL}joe_montana@EXAMPLE.COM. It should be noted that while your credentials will be validated, this will not return the user a TGT, which is used for passwordless authentication to other services (the main reason for Kerberos being used). If you would like to have a ticket returned by the LDAP server, then you might be interested in exploring the "contrib/slapd-modules/passwd/kerberos.c" module, which I "think" might return a TGT (I tried this module once but wasn't able to even get it working).
Digressing a bit, the value of userPassword which you see is just base64 encoded (on running the command slapcat you will see that userPassword is followed by "::" rather than ":", which indicates that the value is base64 encoded). To decode it, take the value and run the command:
# echo "e1NBU0x9am9lX21vbnRhbmFARVhBTVBMRS5DT00K" | openssl base64 -d
Similarly, for encoding a string run the command:
# echo "{SASL}joe_montana@EXAMPLE.COM" | openssl base64 -e
Coming back to addressing your issue, apart from the above solution, an alternative would be to map the unix username to kerberos username within PAM (http://docs.hp.com/en/B8724-90044/ch08s02.html). But with the PAM version which is shipped with Redhat, I am not sure if such a pam module exists.
Finally, "--enable-spasswd" enables (Cyrus) SASL password verification. I am not sure how you can check it. One possible way is to look at the source rpm which was used for compiling slapd and the configuration options used.
At this point, I am unable to think of any other possible solutions. I hope the above information is helpful.
Regards, Rahul.
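As an added illustration that is not part of the thread, this Python reads a slapcat-style LDIF entry (constructed here, using the base64 value quoted above), decodes the "::" values the way the openssl command does, and reports what kind of userPassword the entry carries; it is a minimal parser that handles line folding and base64 but not ":<" URL values.

```python
import base64

# Constructed slapcat-style entry for this example; the userPassword value is the
# base64 string quoted above, carrying the "::" marker slapcat uses for base64.
SAMPLE_LDIF = """\
dn: uid=jmontana,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: jmontana
cn: Joe Montana
userPassword:: e1NBU0x9am9lX21vbnRhbmFARVhBTVBMRS5DT00K
"""

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}. Folded lines (leading space)
    are joined and 'attr:: value' is base64-decoded; ':<' URL values are not handled."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF line folding
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        entry.setdefault(attr, []).append(value)
    return entry

def password_scheme(value):
    """Return the {SCHEME} prefix of a userPassword value ('SASL', 'SSHA', ...), or None."""
    if value.startswith("{") and "}" in value:
        return value[1:value.index("}")]
    return None

def check_passthrough(entry):
    """For each userPassword value report its scheme, the SASL identity it delegates
    to, and whether a newline was encoded into it (what 'echo' without -n leaves)."""
    report = []
    for v in entry.get("userPassword", []):
        report.append({
            "scheme": password_scheme(v),
            "sasl_identity": v[len("{SASL}"):].strip() if v.startswith("{SASL}") else None,
            "trailing_newline": v.endswith("\n"),
        })
    return report
```

The value quoted in the thread decodes with a trailing newline because echo appended one before encoding; use echo -n when encoding a value you intend to store.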
Chavez, James R. wrote:
Rahul, Sorry I am not clear in my explanations. What I am trying to achieve is to login to my linux and solaris boxes from the console or through a remote ssh session using Active directory or kerberos credentials and have that effectively map to my users that exist in the LDAP directory. And this works with a catch..
If the username in LDAP (joe_montana) matches the kerberos principal name (joe_montana) I have no issue. I log in using the kerberos username and password and the uid, gid, for that user in LDAP is correct when issuing the id command. So effectively it uses the kerberos credentials and logs me in as that ldap user. Pam-krb is used for authentication and things seem beautiful.
However in this case, I have users with the 8-character unix naming convention (migrated from NIS). I am trying to find the correct way to map that username to the kerberos username. There has got to be a way!! Actually reading over the openldap Admin guide, I see that it mentions using passthrough authentication to an Active directory server. Seems this is done by modifying the userPassword attribute of the ldap dn. As I understand from reading the guide, for my user jmontana the entry should look something like this:
dn: cn=jmontana,ou=People,dc=example,dc=com
userPassword: {SASL}joe_montana@EXAMPLE.COM
However all the userPassword attributes for the users are encrypted. I delete the dn's userPassword attribute first off. But when I attempt to add the userPassword attribute with the ldif below I still get an encrypted password in the userPassword attribute. How can I get the entry to show {SASL}joe_montana@EXAMPLE.COM? Is there something in slapd.conf or ldap.conf I need to modify? I may be barking up the wrong tree but it sounds like what I need.
dn: uid=jmontana,ou=People,dc=example,dc=com
changetype: modify
add: userPassword
userPassword: {SASL}joe_montana@EXAMPLE.COM
Also the Openldap Admin guide mentions that "the server must be built with the --enable-spasswd configuration option to enable pass-through authentication." I am not sure how to check if this is the case. This is a RHEL5 box with openldap-servers-2.3.27-8 rpm. I did not install from source, I used Red Hat's precompiled RPM. Having to install from source is a whole other can of worms. But I will do what I have to.
Thank you much, James
Message: 1
Date: Sun, 17 Aug 2008 11:30:25 +0530
From: Rahul Amaram <rahul@synovel.com>
Subject: Re: Subject: Re: Help with authz-regexp mapping kerberos identity to dn --RAHUL
To: openldap-technical@openldap.org
Message-ID: <48A7BE79.2080704@synovel.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
This is the flow of events.
- First GSSAPI (Kerberos) authentication takes place using the id "joe_montana".
- Then LDAP gives this the DN "uid=joe_montana,cn=REALM,cn=gssapi,cn=auth".
- Using authz-regexp, we can map this to another DN such as "uid=jomontana,ou=People,dc=company,dc=com", which I believe makes sense only to LDAP.
Getting back to your query, could you precisely define what it is that you are trying to achieve? If you could give a clear step-by-step example of the workflow, then I might be able to be of some assistance.
Regards, Rahul.
Chavez, James R. wrote:
Rahul, Thank you again. I will try this expression you have provided. Am I going about this in the correct way? What I want is to login through ssh or even the local box and be authenticated by the kerberos credentials. But I want the effective uid or account to be that of the ldap user in the openldap directory. I want my kerberos credentials to authorize my ldap login even though the account names do not match. Is it possible with this authz-regexp? Or is this simply for services. Sorry for all the questions.
Thanks James
Message: 1
Date: Wed, 13 Aug 2008 15:08:43 +0530
From: Rahul Amaram <rahul@synovel.com>
Subject: Re: Subject: Re: Help with authz-regexp mapping kerberos identity to dn --RAHUL
Cc: openldap-technical@openldap.org
Message-ID: <48A2ABA3.9090900@synovel.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Hi Chavez, Try this expression. It should work.
authz-regexp uid=(.).*_([^,]*),cn=company.com,cn=gssapi,cn=auth uid=$1$2,ou=People,dc=company,dc=com
The "sasl-realm" parameter is set in /etc/slapd/slapd.conf (main slapd.conf file). You might also be interested in sasl-host (for hard-coding the host sasl fqdn name to be used while fetching ldap/<fqdn>@<REALM> password from the keytab file) and sasl-secprops parameters.
Regards, Rahul.
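As an added example that is not part of the thread, the Python below simulates what the authz-regexp above does to the SASL authorization DN slapd derives from a GSSAPI principal, and then looks the mapped DN up in a constructed stand-in for ou=People; the dots in cn=company.com are escaped so they match literally, and case-insensitive matching is an assumption of this example.

```python
import re

# Constructed copy of the authz-regexp from the thread, with the dots in the realm
# escaped so they match literally; re.IGNORECASE is an assumption of this example.
AUTHZ_PATTERN = re.compile(
    r"^uid=(.).*_([^,]*),cn=company\.com,cn=gssapi,cn=auth$", re.IGNORECASE)
AUTHZ_TEMPLATE = "uid={0}{1},ou=People,dc=company,dc=com"

# Constructed stand-in for the ou=People subtree; only the DNs matter here.
DIRECTORY = {
    "uid=jmontana,ou=People,dc=company,dc=com": {"uidNumber": 1001},
    "uid=msmith,ou=People,dc=company,dc=com": {"uidNumber": 1002},
}

def sasl_authz_dn(principal):
    """DN of the form uid=<user>,cn=<REALM>,cn=gssapi,cn=auth that slapd derives
    from a GSSAPI principal before any authz-regexp is applied."""
    user, _, realm = principal.partition("@")
    return "uid=%s,cn=%s,cn=gssapi,cn=auth" % (user, realm)

def map_sasl_authz_dn(sasl_dn):
    """Apply the regexp: first character of the uid plus everything after the
    last underscore (the greedy '.*_' picks the last one). Returns None when the
    pattern does not match; slapd then keeps the unmapped cn=auth DN, which has
    no entry in the directory to bind as."""
    m = AUTHZ_PATTERN.match(sasl_dn)
    if m is None:
        return None
    return AUTHZ_TEMPLATE.format(m.group(1), m.group(2))

def resolve_login(principal, directory=DIRECTORY):
    """Kerberos principal -> mapped DN -> directory entry. None if the uid has no
    underscore to map on, or the mapped DN does not exist in the directory."""
    mapped = map_sasl_authz_dn(sasl_authz_dn(principal))
    if mapped is None:
        return None
    return directory.get(mapped)
```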
Chavez, James R. wrote:
Rahul, My friend finally a response. Thank you for the input. I had also read that link you provided, it was somewhat helpful. If the usernames were identical that would work great I believe. However the source name is coming in as joe_montana and I need it to map to jmontana. So I need only the first character of the first name and everything after the underscore (last name). I am looking for the expression that would give me that. I am not too familiar with the expressions syntax or how to manipulate them. I see there is an option to search ldap using ldap:///ou=people,dc=example,dc=com??one?(uid=$1), maybe I should look into that. Do you have any suggestions or source for reading on authz-regexp? I have been looking. If it was shell scripting I could manage another way.
When you say the SASL Realm would that go in the main slapd.conf or the /usr/lib/sasl2/slapd.conf?
I am indeed using GSSAPI for the SASL-auth-mechanism. I am getting close, just gotta get past this. :)
Thank you again. James