Hello,
I try to do the authentication in LDAP via Kerberos. The Kerberos database is in LDAP, no problem, I can log in to the system as a normal user, but when I do a "ldapwhoami" I get the following output:
-----------------
u1-verw@ldapserver:~$ ldapwhoami
SASL/GSSAPI authentication started
SASL username: u1-verw@EXAMPLE.NET
SASL SSF: 256
SASL data security layer installed.
dn:uid=u1-verw,cn=gssapi,cn=auth
-----------------
I would like to get the original DN of the user, not the dn:*,cn=gssapi,cn=auth. So I put into my configuration:
-----------------
olcAuthzRegexp: {0}uid=(.+),cn=gssapi,cn=auth ldap:///dc=example,dc=net??sub?(uid=$1)
-----------------
But still the same. The log output:
-----------------
Dec 20 14:42:34 ldapserver slapd[493]: conn=1082 fd=37 ACCEPT from IP=192.168.56.60:59276 (IP=0.0.0.0:636)
Dec 20 14:42:34 ldapserver slapd[493]: conn=1082 fd=37 TLS established tls_ssf=256 ssf=256
Dec 20 14:42:34 ldapserver ldapwhoami[1914]: GSSAPI client step 1
Dec 20 14:42:34 ldapserver ldapwhoami[1914]: GSSAPI client step 1
Dec 20 14:42:34 ldapserver slapd[493]: conn=1082 op=0 BIND dn="" method=163
Dec 20 14:42:34 ldapserver slapd[493]: conn=1082 op=0 RESULT tag=97 err=14 text=SASL(0): successful result:
Dec 20 14:42:34 ldapserver ldapwhoami[1914]: GSSAPI client step 1
Dec 20 14:42:34 ldapserver slapd[493]: conn=1082 op=1 BIND dn="" method=163
Dec 20 14:42:34 ldapserver slapd[493]: conn=1082 op=1 RESULT tag=97 err=14 text=SASL(0): successful result:
Dec 20 14:42:34 ldapserver ldapwhoami[1914]: GSSAPI client step 2
Dec 20 14:42:34 ldapserver slapd[493]: conn=1082 op=2 BIND dn="" method=163
Dec 20 14:42:34 ldapserver slapd[493]: => access_allowed: auth access to "dc=example,dc=net" "entry" requested
Dec 20 14:42:34 ldapserver slapd[493]: => dn: [1]
Dec 20 14:42:34 ldapserver slapd[493]: => dn: [2] cn=subschema
Dec 20 14:42:34 ldapserver slapd[493]: => dn: [3] dc=example,dc=net
Dec 20 14:42:34 ldapserver slapd[493]: => acl_get: [3] matched
Dec 20 14:42:34 ldapserver slapd[493]: => acl_get: [3] attr entry
Dec 20 14:42:34 ldapserver slapd[493]: => acl_mask: access to entry "dc=example,dc=net", attr "entry" requested
Dec 20 14:42:34 ldapserver slapd[493]: => acl_mask: to all values by "", (=0)
Dec 20 14:42:34 ldapserver slapd[493]: <= check a_dn_pat: users
Dec 20 14:42:34 ldapserver slapd[493]: <= check a_dn_pat: *
Dec 20 14:42:34 ldapserver slapd[493]: <= acl_mask: [2] applying none(=0) (stop)
Dec 20 14:42:34 ldapserver slapd[493]: <= acl_mask: [2] mask: none(=0)
Dec 20 14:42:34 ldapserver slapd[493]: => slap_access_allowed: auth access denied by none(=0)
Dec 20 14:42:34 ldapserver slapd[493]: => access_allowed: no more rules
Dec 20 14:42:34 ldapserver slapd[493]: conn=1082 op=2 BIND authcid="u1-verw" authzid="u1-verw"
Dec 20 14:42:34 ldapserver slapd[493]: conn=1082 op=2 BIND dn="uid=u1-verw,cn=gssapi,cn=auth" mech=GSSAPI sasl_ssf=256 ssf=256
Dec 20 14:42:34 ldapserver slapd[493]: conn=1082 op=2 RESULT tag=97 err=0 text=
Dec 20 14:42:34 ldapserver slapd[493]: conn=1082 op=3 EXT oid=1.3.6.1.4.1.4203.1.11.3
Dec 20 14:42:34 ldapserver slapd[493]: conn=1082 op=3 WHOAMI
Dec 20 14:42:34 ldapserver slapd[493]: conn=1082 op=3 RESULT oid= err=0 text=
Dec 20 14:42:34 ldapserver slapd[493]: conn=1082 op=4 UNBIND
Dec 20 14:42:34 ldapserver slapd[493]: conn=1082 fd=37 closed
Dec 20 14:42:34 ldapserver ldapwhoami[1914]: DIGEST-MD5 common mech free
-----------------
The output is with log level "acl". When I add the rule:
-----------------
olcAccess: {1}to * by * read
-----------------
ldapwhoami works as I expected:
-----------------
u1-verw@ldapserver:~$ ldapwhoami
SASL/GSSAPI authentication started
SASL username: u1-verw@EXAMPLE.NET
SASL SSF: 256
SASL data security layer installed.
dn:cn=u1 verw,ou=users,ou=verwaltung,ou=firma,dc=example,dc=net
-----------------
The log shows:
-----------------
Dec 20 14:46:48 ldapserver slapd[493]: conn=1086 fd=37 ACCEPT from IP=192.168.56.60:59280 (IP=0.0.0.0:636)
Dec 20 14:46:49 ldapserver slapd[493]: conn=1086 fd=37 TLS established tls_ssf=256 ssf=256
Dec 20 14:46:49 ldapserver ldapwhoami[1941]: GSSAPI client step 1
Dec 20 14:46:49 ldapserver ldapwhoami[1941]: GSSAPI client step 1
Dec 20 14:46:49 ldapserver slapd[493]: conn=1086 op=0 BIND dn="" method=163
Dec 20 14:46:49 ldapserver slapd[493]: conn=1086 op=0 RESULT tag=97 err=14 text=SASL(0): successful result:
Dec 20 14:46:49 ldapserver ldapwhoami[1941]: GSSAPI client step 1
Dec 20 14:46:49 ldapserver slapd[493]: conn=1086 op=1 BIND dn="" method=163
Dec 20 14:46:49 ldapserver slapd[493]: conn=1086 op=1 RESULT tag=97 err=14 text=SASL(0): successful result:
Dec 20 14:46:49 ldapserver ldapwhoami[1941]: GSSAPI client step 2
Dec 20 14:46:49 ldapserver slapd[493]: conn=1086 op=2 BIND dn="" method=163
Dec 20 14:46:49 ldapserver slapd[493]: => access_allowed: auth access to "dc=example,dc=net" "entry" requested
Dec 20 14:46:49 ldapserver slapd[493]: => dn: [1]
Dec 20 14:46:49 ldapserver slapd[493]: => acl_get: [2] attr entry
Dec 20 14:46:49 ldapserver slapd[493]: => acl_mask: access to entry "dc=example,dc=net", attr "entry" requested
Dec 20 14:46:49 ldapserver slapd[493]: => acl_mask: to all values by "", (=0)
Dec 20 14:46:49 ldapserver slapd[493]: <= check a_dn_pat: *
Dec 20 14:46:49 ldapserver slapd[493]: <= acl_mask: [1] applying read(=rscxd) (stop)
Dec 20 14:46:49 ldapserver slapd[493]: <= acl_mask: [1] mask: read(=rscxd)
Dec 20 14:46:49 ldapserver slapd[493]: => slap_access_allowed: auth access granted by read(=rscxd)
Dec 20 14:46:49 ldapserver slapd[493]: => access_allowed: auth access granted by read(=rscxd)
Dec 20 14:46:49 ldapserver slapd[493]: => access_allowed: auth access to "cn=u1 Verw,ou=users,ou=Verwaltung,ou=firma,dc=example,dc=net" "uid" requested
Dec 20 14:46:49 ldapserver slapd[493]: => dn: [1]
Dec 20 14:46:49 ldapserver slapd[493]: => acl_get: [2] attr uid
Dec 20 14:46:49 ldapserver slapd[493]: => acl_mask: access to entry "cn=u1 Verw,ou=users,ou=Verwaltung,ou=firma,dc=example,dc=net", attr "uid" requested
Dec 20 14:46:49 ldapserver slapd[493]: => acl_mask: to value by "", (=0)
Dec 20 14:46:49 ldapserver slapd[493]: <= check a_dn_pat: *
Dec 20 14:46:49 ldapserver slapd[493]: <= acl_mask: [1] applying read(=rscxd) (stop)
Dec 20 14:46:49 ldapserver slapd[493]: <= acl_mask: [1] mask: read(=rscxd)
Dec 20 14:46:49 ldapserver slapd[493]: => slap_access_allowed: auth access granted by read(=rscxd)
Dec 20 14:46:49 ldapserver slapd[493]: => access_allowed: auth access granted by read(=rscxd)
Dec 20 14:46:49 ldapserver slapd[493]: conn=1086 op=2 BIND authcid="u1-verw" authzid="u1-verw"
Dec 20 14:46:49 ldapserver slapd[493]: conn=1086 op=2 BIND dn="cn=u1 verw,ou=users,ou=verwaltung,ou=firma,dc=example,dc=net" mech=GSSAPI sasl_ssf=256 ssf=256
Dec 20 14:46:49 ldapserver slapd[493]: conn=1086 op=2 RESULT tag=97 err=0 text=
Dec 20 14:46:49 ldapserver slapd[493]: conn=1086 op=3 EXT oid=1.3.6.1.4.1.4203.1.11.3
Dec 20 14:46:49 ldapserver slapd[493]: conn=1086 op=3 WHOAMI
Dec 20 14:46:49 ldapserver slapd[493]: conn=1086 op=3 RESULT oid= err=0 text=
Dec 20 14:46:49 ldapserver slapd[493]: conn=1086 op=4 UNBIND
Dec 20 14:46:49 ldapserver slapd[493]: conn=1086 fd=37 closed
Dec 20 14:46:49 ldapserver ldapwhoami[1941]: DIGEST-MD5 common mech free
-----------------
So it must have something to do with ACLs. I can't figure out where to set the permission to get everything working without opening my LDAP for everyone. I tried a lot:
-----------------
by dn.regex=authzid="(.+)" read
or
by dn.regex=authcid="(.+)" read
or
by dn.regex=uid=(.+),cn=gssapi,cn=auth read
-----------------
None of the above works.
Any hint?
Stefan
On 12/20/19 8:54 PM, Stefan Kania wrote:
I would like to get the original DN of the user, not the dn:*,cn=gssapi,cn=auth. So I put into my configuration:
olcAuthzRegexp: {0}uid=(.+),cn=gssapi,cn=auth ldap:///dc=example,dc=net??sub?(uid=$1)
Looks correct to me.
Dec 20 14:42:34 ldapserver slapd[493]: => access_allowed: auth access to "dc=example,dc=net" "entry" requested
[..]
Dec 20 14:42:34 ldapserver slapd[493]: => slap_access_allowed: auth access denied by none(=0)
[..]
When I add the rule:
olcAccess: {1}to * by * read
ldapwhoami works as I expected:
anonymous needs auth access to the entries and attributes used for the authz-regexp mapping.
At minimum:
access to dn.subtree="dc=example,dc=net" attrs=entry,uid by anonymous auth
Access control is complex. YMMV. So don't use exactly these ACLs because they will block other access you need.
Ciao, Michael.
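To make Michael's point concrete, here is an added illustration (not code from the thread and not OpenLDAP's own ACL engine): a small Python model of the two steps slapd performs at bind time, the olcAuthzRegexp rewrite of the SASL DN into an LDAP URL, and the ACL check that the mapping search, which runs as anonymous ("" in the log), needs "auth" access on the search base's "entry" pseudo-attribute and on the filter attribute "uid". The ACL parser accepts only the directive forms used in this thread; the "original" directive is a constructed stand-in, since the thread's log only shows it checking "users" and "*" and applying none. The three rule sets reproduce the thread's outcomes: no mapping, mapping with the tree wide open, and mapping with the minimal "by anonymous auth" rule that grants nothing beyond auth.

```python
"""Added illustration: a reduced model of slapd's authz-regexp mapping and the
ACL check it needs. Not OpenLDAP code; only the forms used in the thread parse."""
import re

# slapd access levels in increasing order; each level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]
# One letter per level, as printed by the "acl" log level (read shows as read(=rscxd)).
LETTERS = {"disclose": "d", "auth": "x", "compare": "c",
           "search": "s", "read": "r", "write": "w"}

def level_mask(level):
    """Render a level the way the acl log does: read -> 'read(=rscxd)', none -> 'none(=0)'."""
    implied = LEVELS[1:LEVELS.index(level) + 1]
    letters = "".join(LETTERS[lvl] for lvl in reversed(implied))
    return f"{level}(={letters or '0'})"

def apply_authz_regexp(rule, sasl_dn):
    """Rewrite a SASL authorization DN using an olcAuthzRegexp value
    '{n}<regex> <replacement>'; $1..$9 in the replacement are the regex groups."""
    rule = re.sub(r"^\{\d+\}", "", rule.strip())
    pattern, replacement = rule.split(None, 1)
    m = re.match(pattern, sasl_dn, re.IGNORECASE)
    if not m:
        return None
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)

def parse_ldap_url(url):
    """Split 'ldap:///<base>?<attrs>?<scope>?<filter>' into (base, filter attr, value).
    Only the simple equality filter produced by the thread's rule is supported."""
    base, _attrs, _scope, filt = url[len("ldap:///"):].split("?")
    fm = re.fullmatch(r"\((\w+)=([^)]+)\)", filt)
    return base, fm.group(1), fm.group(2)

def parse_acl(text):
    """Parse a restricted access directive:
    'to * | dn.subtree="<dn>" [attrs=a,b] by <who> <level> [by <who> <level> ...]'."""
    text = re.sub(r"^(olcAccess:\s*|access\s+)?(\{\d+\})?\s*", "", text.strip())
    m = re.match(r'to\s+(\*|dn\.subtree="([^"]+)")(?:\s+attrs=(\S+))?\s+(.*)$', text)
    if not m:
        raise ValueError(f"unsupported directive: {text}")
    subtree = m.group(2)                                          # None means any entry
    attrs = set(m.group(3).split(",")) if m.group(3) else None    # None means all attributes
    return subtree, attrs, re.findall(r"by\s+(\S+)\s+(\S+)", m.group(4))

def in_subtree(dn, base):
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)

def who_matches(who, requester):
    """'' is the anonymous requester, shown in the log as 'by "", (=0)'."""
    return (who == "*" or (who == "anonymous" and requester == "")
            or (who == "users" and requester != "") or who.lower() == requester.lower())

def check_access(acls, requester, dn, attr, wanted):
    """The first directive whose 'to' clause matches decides; its first matching 'by'
    clause sets the level, and no matching 'by' means none (implicit 'by * none')."""
    level = "none"
    for directive in acls:
        subtree, attrs, by = parse_acl(directive)
        if (subtree is None or in_subtree(dn, subtree)) and (attrs is None or attr in attrs):
            level = next((lvl for who, lvl in by if who_matches(who, requester)), "none")
            break
    return LEVELS.index(level) >= LEVELS.index(wanted), level_mask(level)

def map_sasl_identity(sasl_dn, authz_rule, acls, directory):
    """Return (effective bind DN, trace). The mapping search runs as anonymous and
    needs 'auth' on the base's 'entry' and on the filter attribute of the match."""
    trace = []
    url = apply_authz_regexp(authz_rule, sasl_dn)
    if url is None:
        return sasl_dn, trace
    base, attr, value = parse_ldap_url(url)
    ok, mask = check_access(acls, "", base, "entry", "auth")
    trace.append(f'auth access to "{base}" "entry" {"granted" if ok else "denied"} by {mask}')
    if not ok:
        return sasl_dn, trace            # mapping fails, the SASL DN stays the bind DN
    for dn, entry in directory.items():
        if in_subtree(dn, base) and entry.get(attr, "").lower() == value.lower():
            ok, mask = check_access(acls, "", dn, attr, "auth")
            trace.append(f'auth access to "{dn}" "{attr}" {"granted" if ok else "denied"} by {mask}')
            if ok:
                return dn, trace
    return sasl_dn, trace

# Constructed fixtures mirroring the thread.
AUTHZ_RULE = "{0}uid=(.+),cn=gssapi,cn=auth ldap:///dc=example,dc=net??sub?(uid=$1)"
SASL_DN = "uid=u1-verw,cn=gssapi,cn=auth"
USER_DN = "cn=u1 verw,ou=users,ou=verwaltung,ou=firma,dc=example,dc=net"
DIRECTORY = {"dc=example,dc=net": {}, USER_DN: {"uid": "u1-verw", "cn": "u1 verw"}}
# Stand-in for the poster's original directive (exact text is not in the thread).
ORIGINAL_ACL = 'to dn.subtree="dc=example,dc=net" by users read by * none'
# What the poster tried: read for everyone, which implies auth but opens the tree.
WIDE_OPEN = ["olcAccess: {1}to * by * read", ORIGINAL_ACL]
# Michael's minimum, placed before the original directive so it is evaluated first.
MINIMAL = ['access to dn.subtree="dc=example,dc=net" attrs=entry,uid by anonymous auth',
           ORIGINAL_ACL]

if __name__ == "__main__":
    for name, acls in [("original", [ORIGINAL_ACL]), ("by * read", WIDE_OPEN), ("minimal", MINIMAL)]:
        dn, trace = map_sasl_identity(SASL_DN, AUTHZ_RULE, acls, DIRECTORY)
        print(f"{name}: ldapwhoami -> dn:{dn}")
        for line in trace:
            print("   ", line)
```

Running it prints the same decisions the thread's acl log shows: with the original rule the base "entry" check is denied by none(=0) and the bind DN stays under cn=gssapi,cn=auth; with `by * read` it is granted by read(=rscxd) because read implies auth; with the minimal rule it is granted by auth(=xd) while `check_access(MINIMAL, "", USER_DN, "cn", "read")` still returns none, which is the difference between the two fixes. Because the model, like slapd, stops at the first `to` clause that matches, the `attrs=entry,uid by anonymous auth` directive has to sit before any broader directive on the same subtree.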
Thank you for your help, now it's working. I should have read the log more closely, that's what the log said :-) But sometimes you just need an input from someone else.
On 23.12.19 at 09:40, Michael Ströder wrote:
On 12/20/19 8:54 PM, Stefan Kania wrote:
I would like to get the original DN of the user, not the dn:*,cn=gssapi,cn=auth. So I put into my configuration:
olcAuthzRegexp: {0}uid=(.+),cn=gssapi,cn=auth ldap:///dc=example,dc=net??sub?(uid=$1)
Looks correct to me.
Dec 20 14:42:34 ldapserver slapd[493]: => access_allowed: auth access to "dc=example,dc=net" "entry" requested
[..]
Dec 20 14:42:34 ldapserver slapd[493]: => slap_access_allowed: auth access denied by none(=0)
[..]
When I add the rule:
olcAccess: {1}to * by * read
ldapwhoami works as I expected:
anonymous needs auth access to the entries and attributes used for the authz-regexp mapping.
At minimum:
access to dn.subtree="dc=example,dc=net" attrs=entry,uid by anonymous auth
Access control is complex. YMMV. So don't use exactly these ACLs because they will block other access you need.
I know ;-) it will be set wisely.
Stefan
Ciao, Michael.
On Fri, 20 Dec 2019 20:54:13 +0100, Stefan Kania stefan@kania-online.de wrote:
Hello,
I try to do the authentication in LDAP via Kerberos. The Kerberos database is in LDAP, no problem, I can log in to the system as a normal user, but when I do a "ldapwhoami" I get the following output:
-----------------
u1-verw@ldapserver:~$ ldapwhoami
SASL/GSSAPI authentication started
SASL username: u1-verw@EXAMPLE.NET
SASL SSF: 256
SASL data security layer installed.
dn:uid=u1-verw,cn=gssapi,cn=auth
I would like to get the original DN of the user, not the dn:*,cn=gssapi,cn=auth. So I put into my configuration:
[...]
I face the same problem with OpenIndiana. In my experience it's only GSSAPI; DIGEST-MD5 and CRAM-MD5 work as expected. But I must admit, it is only on Solaris, not on Linux.
-Dieter
Dieter Klünter dieter@dkluenter.de writes:
On Fri, 20 Dec 2019 20:54:13 +0100, Stefan Kania stefan@kania-online.de wrote:
Hello,
I try to do the authentication in LDAP via Kerberos. The Kerberos database is in LDAP, no problem, I can log in to the system as a normal user, but when I do a "ldapwhoami" I get the following output:
-----------------
u1-verw@ldapserver:~$ ldapwhoami
SASL/GSSAPI authentication started
SASL username: u1-verw@EXAMPLE.NET
SASL SSF: 256
SASL data security layer installed.
dn:uid=u1-verw,cn=gssapi,cn=auth
I would like to get the original DN of the user, not the dn:*,cn=gssapi,cn=auth. So I put into my configuration:
[...]
I face the same problem with OpenIndiana. In my experience it's only GSSAPI; DIGEST-MD5 and CRAM-MD5 work as expected. But I must admit, it is only on Solaris, not on Linux.
A few examples from my side:
KDC: raspberrypi, OS Raspbian
host: pink, OS OpenSUSE Tumbleweed
host: indiana, OS OpenIndiana
On Indiana:
/usr/lib/openldap/bin/amd64/ldapwhoami -Y gssapi -H ldap://pink.example.com
SASL/GSSAPI authentication started
SASL username: dieter@EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.
dn:cn=dieter kluenter,ou=partner,o=avci,c=de

/usr/lib/openldap/bin/amd64/ldapwhoami -Y gssapi -H ldap://indiana.example.com
SASL/GSSAPI authentication started
SASL username: dieter@EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.
dn:uid=dieter@example,cn=gssapi,cn=auth
On Tumbleweed:
/usr/bin/ldapwhoami -Y gssapi -H ldap://indiana.example.com
SASL/GSSAPI authentication started
SASL username: dieter@EXAMPLE.COM
SASL SSF: 256
SASL data security layer installed.
dn:uid=dieter@example.com,cn=gssapi,cn=auth
The LDAP server is OpenLDAP 2.4.48 on all hosts and OSes.
-Dieter
-- Dieter Klünter | Directory Service http://sys4.de 53°37'09,95"N 10°08'02,42"E
On Monday, December 23, 2019 10:19 PM +0100, Dieter Klünter dieter@dkluenter.de wrote:
/usr/bin/ldapwhoami -Y gssapi -H ldap://indiana.example.com
SASL/GSSAPI authentication started
SASL username: dieter@EXAMPLE.COM
SASL SSF: 256
SASL data security layer installed.
dn:uid=dieter@example.com,cn=gssapi,cn=auth
The LDAP server is OpenLDAP 2.4.48 on all hosts and OSes.
Cyrus-sasl version on each?
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
Quanah Gibson-Mount quanah@symas.com writes:
On Monday, December 23, 2019 10:19 PM +0100, Dieter Klünter dieter@dkluenter.de wrote:
/usr/bin/ldapwhoami -Y gssapi -H ldap://indiana.example.com
SASL/GSSAPI authentication started
SASL username: dieter@EXAMPLE.COM
SASL SSF: 256
SASL data security layer installed.
dn:uid=dieter@example.com,cn=gssapi,cn=auth
The LDAP server is OpenLDAP 2.4.48 on all hosts and OSes.
Cyrus-sasl version on each?
OpenIndiana provides the package security/gss-5.11-2019, which provides GSSAPI v2, security/libsasl and security/kerberos-5. OpenSuSE provides cyrus-sasl-2.1.27.
-Dieter
dieter@dkluenter.de (Dieter Klünter) writes:
Quanah Gibson-Mount quanah@symas.com writes:
On Monday, December 23, 2019 10:19 PM +0100, Dieter Klünter dieter@dkluenter.de wrote:
/usr/bin/ldapwhoami -Y gssapi -H ldap://indiana.example.com
SASL/GSSAPI authentication started
SASL username: dieter@EXAMPLE.COM
SASL SSF: 256
SASL data security layer installed.
dn:uid=dieter@example.com,cn=gssapi,cn=auth
The LDAP server is OpenLDAP 2.4.48 on all hosts and OSes.
Cyrus-sasl version on each?
OpenIndiana provides the package security/gss-5.11-2019, which provides GSSAPI v2, security/libsasl and security/kerberos-5. OpenSuSE provides cyrus-sasl-2.1.27.
OpenIndiana built slapd with:
ldd /usr/lib/amd64/slapd
libldap_r-2.4.so.2 => /usr/lib/64/libldap_r-2.4.so.2
liblber-2.4.so.2 => /usr/lib/64/liblber-2.4.so.2
libltdl.so.7 => /usr/lib/64/libltdl.so.7
libuuid.so.1 => /lib/64/libuuid.so.1
libsasl.so.1 => /usr/lib/64/libsasl.so.1
libnsl.so.1 => /lib/64/libnsl.so.1
libsocket.so.1 => /lib/64/libsocket.so.1
libc.so.1 => /lib/64/libc.so.1
libresolv.so.2 => /lib/64/libresolv.so.2
libssl.so.1.0.0 => /lib/64/libssl.so.1.0.0
libcrypto.so.1.0.0 => /lib/64/libcrypto.so.1.0.0
libdlpi.so.1 => /lib/64/libdlpi.so.1
libpthread.so.1 => /lib/64/libpthread.so.1
libmd.so.1 => /lib/64/libmd.so.1
libmp.so.2 => /lib/64/libmp.so.2
libdl.so.1 => /lib/64/libdl.so.1
libinetutil.so.1 => /lib/64/libinetutil.so.1
libdladm.so.1 => /lib/64/libdladm.so.1
libdevinfo.so.1 => /lib/64/libdevinfo.so.1
libscf.so.1 => /lib/64/libscf.so.1
librcm.so.1 => /lib/64/librcm.so.1
libnvpair.so.1 => /lib/64/libnvpair.so.1
libexacct.so.1 => /usr/lib/64/libexacct.so.1
libkstat.so.1 => /lib/64/libkstat.so.1
libpool.so.1 => /usr/lib/64/libpool.so.1
libsec.so.1 => /lib/64/libsec.so.1
libgen.so.1 => /lib/64/libgen.so.1
libuutil.so.1 => /lib/64/libuutil.so.1
libsmbios.so.1 => /usr/lib/64/libsmbios.so.1
libxml2.so.2 => /usr/lib/64/libxml2.so.2
libavl.so.1 => /lib/64/libavl.so.1
libidmap.so.1 => /usr/lib/64/libidmap.so.1
libz.so.1 => /lib/64/libz.so.1
liblzma.so.5 => /usr/lib/64/liblzma.so.5
libm.so.2 => /lib/64/libm.so.2
libofmt.so.1 => d /usr/lib/amd64/slapd
-Dieter
openldap-technical@openldap.org