Hi all,
I want to rewrite the gssapi user name after authentication using olcAuthzRegexp, but I want to rewrite it to the krbPrincipalName. If a principal gets a ticket and I then test the authentication with "ldapwhoami" I see: uid=my-principal,cn=gssapi,cn=auth
So now I want to rewrite the uid to: krbPrincipalName=my-principal@REALM,cn=REALM,cn=kerberos,dc=example,dc=net the real object name.
My first try was olcAuthzRegexp: {0}uid=(.+),cn=gssapi,cn=auth krbPrincipalName=$1@REALM,cn=REALM,cn=kerberos,dc=example,dc=net
That is working. Now "ldapwhoami" is showing krbPrincipalName=my-principal@REALM,cn=realm,cn=kerberos,dc=example,dc=net
then I changed olcAuthzRegexp to uid=(.+),cn=gssapi,cn=auth ldap:///cn=kerberos,dc=example,dc=net??sub?(krbPrincipalName=$1@REALM)
I also tried: (krbPrincipalName=$1) (krbPrincipalName=$1@REALM,cn=REALM,cn=kerberos,dc=example,dc=net)
but none of the filters is working. How do I have to configure the filter to rewrite the krbPrincipalName within the search?
Stefan
On Tue, Apr 08, 2025 at 02:35:58PM +0200, Stefan Kania wrote:
> Hi all,
> I want to rewrite the gssapi user name after authentication using olcAuthzRegexp, but I want to rewrite it to the krbPrincipalName. If a principal gets a ticket and I then test the authentication with "ldapwhoami" I see: uid=my-principal,cn=gssapi,cn=auth
> So now I want to rewrite the uid to: krbPrincipalName=my-principal@REALM,cn=REALM,cn=kerberos,dc=example,dc=net the real object name.
> My first try was olcAuthzRegexp: {0}uid=(.+),cn=gssapi,cn=auth krbPrincipalName=$1@REALM,cn=REALM,cn=kerberos,dc=example,dc=net
> That is working. Now "ldapwhoami" is showing krbPrincipalName=my-principal@REALM,cn=realm,cn=kerberos,dc=example,dc=net
> then I changed olcAuthzRegexp to uid=(.+),cn=gssapi,cn=auth ldap:///cn=kerberos,dc=example,dc=net??sub?(krbPrincipalName=$1@REALM)
> I also tried: (krbPrincipalName=$1) (krbPrincipalName=$1@REALM,cn=REALM,cn=kerberos,dc=example,dc=net)
> but none of the filters is working. How do I have to configure the filter to rewrite the krbPrincipalName within the search?
Hi Stefan, hard to tell but it might be down to ACLs, if you want to use LDAP URIs for user selection, there is an internal search that is run and it needs `auth` privileges to run. You probably need to run with acl logs enabled and check that your ACLs are not standing in the way of that.
Regards,
Hi Ondrej
On 14.04.25 at 18:19, Ondřej Kuzník wrote:
> Hi Stefan, hard to tell but it might be down to ACLs, if you want to use LDAP URIs for user selection, there is an internal search that is run and it needs `auth` privileges to run. You probably need to run with acl logs enabled and check that your ACLs are not standing in the way of that.
Again, you pushed me in the right direction. We had already set the ACL for "uid" and "entry" to auth, but in this case we need krbPrincipalName in the same ACL. Reading your answer pushed me in the right direction :-)
Thank you
Stefan
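The fix the thread arrives at, written out as an added cn=config example (not from the thread or from the OpenLDAP project): the olcAuthzRegexp with an LDAP URI that does the internal search, plus an ACL granting that search `auth` access to krbPrincipalName and to the entry. The database DN olcDatabase={1}mdb,cn=config, the realm name REALM and the KDC bind DN cn=kdc-service,dc=example,dc=net are assumed placeholders; adjust them to the directory at hand.

```ldif
# Added example, not from the thread. Assumed: realm REALM, suffix
# dc=example,dc=net, database olcDatabase={1}mdb,cn=config.
# LDIF folding: a continuation line starts with ONE space that is stripped,
# so a second space is kept and separates the regex from the URI.

# 1. Map the SASL identity to the real entry by an internal search.
#    [^,]+ stops at the first comma; $1 is the principal (realm appended).
dn: cn=config
changetype: modify
replace: olcAuthzRegexp
olcAuthzRegexp: {0}uid=([^,]+),cn=gssapi,cn=auth
  ldap:///cn=kerberos,dc=example,dc=net??sub?(krbPrincipalName=$1@REALM)

# 2. The internal search needs `auth` access to the filter attribute and
#    to the entry itself. Placed first so no earlier rule shadows it.
#    The KDC/kadmin bind identity (placeholder DN) keeps its own access,
#    because `by * auth` alone would cut it off; `auth` does not let anyone
#    read krbPrincipalName, it only allows the comparison the search needs.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.subtree="cn=kerberos,dc=example,dc=net"
  attrs=entry,krbPrincipalName
  by dn.exact="cn=kdc-service,dc=example,dc=net" write
  by * auth
```

Apply it with ldapmodify against cn=config, temporarily set `olcLogLevel: acl` as Ondřej suggests, and run `ldapwhoami -Y GSSAPI` as the principal: the log then shows the internal search being evaluated against this ACL, and whoami should report the krbPrincipalName DN. Remove the extra log level once verified.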
openldap-technical@openldap.org