Rahul, my friend, finally a response. Thank you for the input. I had also read that link you provided; it was somewhat helpful. If the usernames were identical that would work great, I believe. However, the source name is coming in as joe_montana and I need it to map to jmontana. So I need only the first character of the first name and everything after the underscore (last name). I am looking for the expression that would give me that. I am not too familiar with the expression syntax or how to manipulate them. I see there is an option to search LDAP using ldap:///ou=people,dc=example,dc=com??one?(uid=$1); maybe I should look into that. Do you have any suggestions or a source for reading on authz-regexp? I have been looking. If it were shell scripting I could manage another way.
When you say the SASL Realm would that go in the main slapd.conf or the /usr/lib/sasl2/slapd.conf?
I am indeed using GSSAPI for the SASL auth mechanism. I am getting close, just gotta get past this. :)
Thank you again. James
------------------------------
Message: 2
Date: Mon, 11 Aug 2008 17:54:02 +0530
From: Rahul Amaram <rahul@synovel.com>
Subject: Re: Help with authz-regexp mapping kerberos identity to dn ....SASL
To: openldap-technical@openldap.org
Message-ID: <48A02F62.1000305@synovel.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Hi Chavez, This is the authz-regexp string I have used in slapd.conf:
authz-regexp uid=([^,]*),cn=synovel.com,cn=gssapi,cn=auth uid=$1,ou=People,dc=synovel,dc=com
This works if the SASL auth mechanism is gssapi. I have also hard-coded the SASL Realm with the below config option:
sasl-realm SYNOVEL.COM
If it uses the default realm (i.e. sasl-realm option is missing) then the string would probably be:
authz-regexp uid=([^,]*),cn=gssapi,cn=auth uid=$1,ou=People,dc=synovel,dc=com
Hope this is of some assistance. For further information, kindly read http://www.openldap.org/doc/admin24/sasl.html#Mapping%20Authentication%20Identities .
Regards, Rahul.
Chavez, James R. wrote:
Hello all, My plan is to use Kerberos and LDAP as a replacement for NIS. My issue is that I need my Kerberos credentials to map to a user in LDAP so I can avoid permission issues when logging in with Kerberos creds. All the perms are based on the UNIX/LDAP users and groups. The thing is, the user ids are different between Kerberos and LDAP. The Kerberos names consist of firstname_lastname@REALM. The LDAP entries are in the format of standard Unix user names, or first letter of first name and up to 7 characters of the last name (jmontana). I migrated the LDAP entries from my existing NIS maps. Now I understand that I can use SASL and authz-regexp in slapd.conf to map these ids. Please correct me if I am wrong.
I added all the corresponding "krbName: first_last@REALM" to the users when I added them to the LDAP directory. For example, for user Joe Montana: his LDAP dn is "dn: uid=jmontana,ou=People,dc=test,dc=example,dc=com", his uid is "uid: jmontana" and his Krb name is "krbName: joe_montana@TEST.EXAMPLE.COM".
I think all the data is there to get a mapping; I just am unsure of the authz-regexp strings I need to add to the slapd.conf file. Does anyone out there have any experience with this and, better yet, can provide the string or an example of what strings I can use? I have searched the net on how to authenticate with Kerberos and effectively log in with a local id but have been unsuccessful in my search. Appreciate any help.
Thank You James
CONFIDENTIALITY This e-mail message and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail message, you are hereby notified that any dissemination, distribution or copying of this e-mail message, and any attachments thereto, is strictly prohibited. If you have received this e-mail message in error, please immediately notify the sender and permanently delete the original and any copies of this email and any prints thereof.
ABSENT AN EXPRESS STATEMENT TO THE CONTRARY HEREINABOVE, THIS E-MAIL IS NOT INTENDED AS A SUBSTITUTE FOR A WRITING. Notwithstanding the Uniform Electronic Transactions Act or the applicability of any other law of similar substance and effect, absent an express statement to the contrary hereinabove, this e-mail message its contents, and any attachments hereto are not intended to represent an offer or acceptance to enter into a contract and are not otherwise intended to bind the sender, Sanmina-SCI Corporation (or any of its subsidiaries), or any other person or entity.
Hi Chavez, Try this expression. It should work.
authz-regexp uid=(.).*_([^,]*),cn=company.com,cn=gssapi,cn=auth uid=$1$2,ou=People,dc=company,dc=com
The "sasl-realm" parameter is set in /etc/slapd/slapd.conf (the main slapd.conf file). You might also be interested in the sasl-host parameter (for hard-coding the host's SASL FQDN to be used while fetching the ldap/<fqdn>@<REALM> password from the keytab file) and sasl-secprops.
Regards, Rahul.
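To see what a candidate authz-regexp will do before it goes into slapd.conf, here is an added Python script that is not from the thread, from Rahul, or from OpenLDAP. It emulates slapd's authz-regexp substitution over constructed SASL identities, using Rahul's expression with the placeholder realm company.com and suffix dc=company,dc=com. It also tries an assumed variant, not given in the thread, that keeps only the first 7 characters of the last name to match the NIS-style uids James describes. Assumptions about slapd: rules are tried in order and the first match wins, the match is unanchored and case-insensitive, and the pattern language is POSIX ERE (so {1,7} works); Python's re module stands in for the POSIX regex library.

```python
import re

# Constructed rule set modelled on the expressions posted in the thread.
# "company.com" and dc=company,dc=com are placeholder values, not a real site.
AUTHZ_REGEXP_RULES = [
    # Rahul's expression: first letter of the first name plus everything after
    # the underscore (joe_montana -> jmontana). [^,] keeps the capture inside
    # the uid component, so the realm part of the identity is never swallowed.
    (r"uid=(.).*_([^,]*),cn=company.com,cn=gssapi,cn=auth",
     "uid=$1$2,ou=People,dc=company,dc=com"),
    # Fallback from Rahul's first message for principals that already equal
    # the LDAP uid (no underscore present).
    (r"uid=([^,]*),cn=company.com,cn=gssapi,cn=auth",
     "uid=$1,ou=People,dc=company,dc=com"),
]

# Assumed extension (not from the thread): keep only the first 7 characters
# of the last name. Relies on ERE bounded repetition; confirm on your slapd.
TRUNCATING_RULES = [
    (r"uid=(.).*_([^,]{1,7})[^,]*,cn=company.com,cn=gssapi,cn=auth",
     "uid=$1$2,ou=People,dc=company,dc=com"),
] + AUTHZ_REGEXP_RULES[1:]

_GROUP_REF = re.compile(r"\$([0-9])")


def apply_authz_regexp(authc_id, rules=AUTHZ_REGEXP_RULES):
    """Return (mapped DN, index of the rule that fired) or (None, -1).

    Emulates slapd's authz-regexp evaluation (assumed behaviour): rules are
    tried in order, the first match wins, the search is unanchored and
    case-insensitive, and $0..$9 in the replacement are filled from groups.
    """
    for idx, (pattern, replacement) in enumerate(rules):
        m = re.search(pattern, authc_id, re.IGNORECASE)
        if m is None:
            continue

        def fill(ref):
            n = int(ref.group(1))
            # A reference past the last capture group expands to nothing.
            return m.group(n) if n <= m.re.groups else ""

        return _GROUP_REF.sub(fill, replacement), idx
    return None, -1


def check_mappings(expected, rules=AUTHZ_REGEXP_RULES):
    """Compare the DN each SASL identity is mapped to against the uid the
    directory really holds. Returns a list of (identity, got, wanted)
    mismatches, so a rule that maps someone to the wrong entry (or to no
    entry) is caught offline rather than at login time."""
    problems = []
    for authc_id, wanted_uid in expected.items():
        mapped, _ = apply_authz_regexp(authc_id, rules)
        wanted_dn = f"uid={wanted_uid},ou=People,dc=company,dc=com"
        if mapped != wanted_dn:
            problems.append((authc_id, mapped, wanted_dn))
    return problems


if __name__ == "__main__":
    # Constructed SASL authentication identities, in the form slapd builds
    # after a GSSAPI bind with "sasl-realm COMPANY.COM" configured.
    SAMPLE = {
        "uid=joe_montana,cn=company.com,cn=gssapi,cn=auth": "jmontana",
        "uid=jmontana,cn=company.com,cn=gssapi,cn=auth": "jmontana",
        # Middle name: the greedy .* runs up to the LAST underscore.
        "uid=mary_ann_smith,cn=company.com,cn=gssapi,cn=auth": "msmith",
        # Long last name: the NIS-style uid is cut to 7 characters.
        "uid=joe_kowalczyk,cn=company.com,cn=gssapi,cn=auth": "jkowalcz",
    }
    for authc_id in SAMPLE:
        print(authc_id, "->", apply_authz_regexp(authc_id))
    print("mismatches with Rahul's rule:", check_mappings(SAMPLE))
    print("mismatches with truncating rule:",
          check_mappings(SAMPLE, TRUNCATING_RULES))
    # An identity from another realm must fall through unmapped.
    print(apply_authz_regexp("uid=joe_montana,cn=other.org,cn=gssapi,cn=auth"))
```

Running the script shows Rahul's rule mapping joe_montana to jmontana and leaving a foreign-realm identity unmapped, but mapping joe_kowalczyk to jkowalczyk rather than the truncated NIS uid; the truncating variant fixes that case. Once a rule is in slapd.conf, the same check on the live server is ldapwhoami -Y GSSAPI, which prints the DN slapd bound you as: an identity that no rule matched comes back as the raw uid=...,cn=gssapi,cn=auth string instead of an entry under ou=People.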