i am trying to get kerberos id <--> ldap object mapping down for dovecot, and seem to have hit a wall.
i have the kerberos service principal created and a keytab populated. i can successfully kinit using the keytab and get a TGT for the imap/test.bpk2.com@BPK2.COM id. when i run ldapwhoami i get:
SASL/GSSAPI authentication started
SASL username: imap/test.bpk2.com@BPK2.COM
SASL SSF: 56
SASL data security layer installed.
dn:uid=imap/test.bpk2.com,ou=domainusers,ou=users,dc=bpk2,dc=com
the olcAuthzRegexp i am trying to use is not matching and the mapping falls through to the regular user mappings. i have tried all the permutations i can think of in the RegEx, but cannot get the match to occur.
as a reference, i looked at the matching i do for the computer accounts, and there is nothing obviously wrong.
olcAuthzRegexp attempts:
{2}uid=imap/(.*).bpk2.com,cn=bpk2.com,cn=gssapi,cn=auth uid=mda,ou=processUsers,ou=Users,dc=bpk2,dc=com
{2}uid=imap/(.*),cn=bpk2.com,cn=gssapi,cn=auth uid=mda,ou=processUsers,ou=Users,dc=bpk2,dc=com
{2}uid=imap/(.*),cn=gssapi,cn=auth uid=mda,ou=processUsers,ou=Users,dc=bpk2,dc=com
{2}uid=imap/(.*),cn=auth uid=mda,ou=processUsers,ou=Users,dc=bpk2,dc=com
klist output:
Ticket cache: KEYRING:persistent:0:0
Default principal: imap/test.bpk2.com@BPK2.COM

Valid starting       Expires              Service principal
05/06/2015 11:42:08  05/07/2015 11:40:16  ldap/server2.bpk2.com@BPK2.COM
	renew until 05/13/2015 11:40:16
05/06/2015 11:40:16  05/07/2015 11:40:16  ldap/server1.bpk2.com@BPK2.COM
	renew until 05/13/2015 11:40:16
05/06/2015 11:40:16  05/07/2015 11:40:16  krbtgt/BPK2.COM@BPK2.COM
	renew until 05/13/2015 11:40:16
how do i find what i am doing wrong? note the below olcAuthzRegexp works to map hosts to computer accounts:
{0}uid=host/(.*).bpk2.com,cn=bpk2.com,cn=gssapi,cn=auth cn=$1,ou=Computers,dc=bpk2,dc=com
thanks,
brendan
--On May 6, 2015 at 11:55:13 AM -0400 Brendan Kearney bpk678@gmail.com wrote:
> i am trying to get kerberos id <--> ldap object mapping down for dovecot, and seem to have hit a wall.
> i have the kerberos service principal created and a keytab populated. i can successfully kinit using the keytab and get a TGT for the imap/test.bpk2.com@BPK2.COM id. when i run ldapwhoami i get:
> SASL/GSSAPI authentication started
> SASL username: imap/test.bpk2.com@BPK2.COM
> SASL SSF: 56
> SASL data security layer installed.
> dn:uid=imap/test.bpk2.com,ou=domainusers,ou=users,dc=bpk2,dc=com
What do the OpenLDAP logs show the binding ID to be?
--Quanah
Will have to check. Right now I only have the sync loglevel turned on. I assume something like the stats loglevel would show that?

On May 6, 2015 12:03 PM, "Quanah Gibson-Mount" quanah@zimbra.com wrote:
> --On May 6, 2015 at 11:55:13 AM -0400 Brendan Kearney bpk678@gmail.com wrote:
> > i am trying to get kerberos id <--> ldap object mapping down for dovecot,
> > and seem to have hit a wall.
> > i have the kerberos service principal created and a keytab populated. i can successfully kinit using the keytab and get a TGT for the imap/test.bpk2.com@BPK2.COM id. when i run ldapwhoami i get:
> > SASL/GSSAPI authentication started
> > SASL username: imap/test.bpk2.com@BPK2.COM
> > SASL SSF: 56
> > SASL data security layer installed.
> > dn:uid=imap/test.bpk2.com,ou=domainusers,ou=users,dc=bpk2,dc=com
> What do the OpenLDAP logs show the binding ID to be?
> --Quanah
> -- Quanah Gibson-Mount Platform Architect Zimbra, Inc
> Zimbra :: the leader in open source messaging and collaboration
--On May 6, 2015 at 12:14:35 PM -0400 brendan kearney bpk678@gmail.com wrote:
> Will have to check. Right now I only have the sync loglevel turned on. I assume something like the stats loglevel would show that?
Correct.
On 05/06/2015 12:39 PM, Quanah Gibson-Mount wrote:
> --On May 6, 2015 at 12:14:35 PM -0400 brendan kearney bpk678@gmail.com wrote:
> > Will have to check. Right now I only have the sync loglevel turned on. I assume something like the stats loglevel would show that?
> Correct.
conn=2838 op=3 BIND authcid="imap/test.bpk2.com@BPK2.COM" authzid="imap/test.bpk2.com@BPK2.COM"
conn=2838 op=3 BIND dn="uid=imap/test.bpk2.com,ou=domainusers,ou=users,dc=bpk2,dc=com" mech=GSSAPI sasl_ssf=56 ssf=56
vs
conn=2837 op=3 BIND dn="cn=server2,ou=computers,dc=bpk2,dc=com" mech=GSSAPI sasl_ssf=56 ssf=56
conn=2837 op=3 BIND authcid="host/server2.bpk2.com@BPK2.COM" authzid="host/server2.bpk2.com@BPK2.COM"
On 05/06/2015 01:05 PM, Brendan Kearney wrote:
> On 05/06/2015 12:39 PM, Quanah Gibson-Mount wrote:
> > --On May 6, 2015 at 12:14:35 PM -0400 brendan kearney bpk678@gmail.com wrote:
> > > Will have to check. Right now I only have the sync loglevel turned on. I assume something like the stats loglevel would show that?
> > Correct.
> conn=2838 op=3 BIND authcid="imap/test.bpk2.com@BPK2.COM" authzid="imap/test.bpk2.com@BPK2.COM"
> conn=2838 op=3 BIND dn="uid=imap/test.bpk2.com,ou=domainusers,ou=users,dc=bpk2,dc=com" mech=GSSAPI sasl_ssf=56 ssf=56
> vs
> conn=2837 op=3 BIND dn="cn=server2,ou=computers,dc=bpk2,dc=com" mech=GSSAPI sasl_ssf=56 ssf=56
> conn=2837 op=3 BIND authcid="host/server2.bpk2.com@BPK2.COM" authzid="host/server2.bpk2.com@BPK2.COM"
found it...
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761407
i needed to restart slapd to pick up the newly added mappings.
[root@test dovecot]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: imap/test.bpk2.com@BPK2.COM

Valid starting       Expires              Service principal
05/06/2015 14:19:20  05/07/2015 14:19:20  krbtgt/BPK2.COM@BPK2.COM
	renew until 05/13/2015 14:19:20

[root@test dovecot]# ldapwhoami -h server1
SASL/GSSAPI authentication started
SASL username: imap/test.bpk2.com@BPK2.COM
SASL SSF: 56
SASL data security layer installed.
dn:uid=mda,ou=processusers,ou=users,dc=bpk2,dc=com
and
[root@test postfix]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: smtp/test.bpk2.com@BPK2.COM

Valid starting       Expires              Service principal
05/06/2015 14:22:28  05/07/2015 14:22:28  krbtgt/BPK2.COM@BPK2.COM
	renew until 05/13/2015 14:22:28

[root@test postfix]# ldapwhoami -h server2
SASL/GSSAPI authentication started
SASL username: smtp/test.bpk2.com@BPK2.COM
SASL SSF: 56
SASL data security layer installed.
dn:uid=mta,ou=processusers,ou=users,dc=bpk2,dc=com
thanks,
brendan
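The mapping debugged in this thread can be checked offline before touching a live slapd. The script below is an added example, not code from the thread or from OpenLDAP: it forms the uid=<user>,cn=<realm>,cn=gssapi,cn=auth pseudo-DN for a Kerberos principal and walks an ordered olcAuthzRegexp table the way slapd does (first match wins, $1 substituted into the replacement). Rules {0} and {2} are the ones Brendan posted; the trailing catch-all rule into ou=domainusers, the jdoe principal, the lowercased realm, and the case-insensitive unanchored regex search are assumptions made for this example.

```python
import re

# Constructed rule table, in the order slapd evaluates olcAuthzRegexp
# entries (first match wins). Rules {0} and {2} are copied from the thread;
# the trailing "domainusers" rule is an assumption, added here to reproduce
# the fall-through DN seen in the thread's ldapwhoami output.
AUTHZ_REGEXP_RULES = [
    (r"uid=host/(.*).bpk2.com,cn=bpk2.com,cn=gssapi,cn=auth",
     "cn=$1,ou=Computers,dc=bpk2,dc=com"),
    (r"uid=imap/(.*).bpk2.com,cn=bpk2.com,cn=gssapi,cn=auth",
     "uid=mda,ou=processUsers,ou=Users,dc=bpk2,dc=com"),
    (r"uid=(.*),cn=bpk2.com,cn=gssapi,cn=auth",            # assumed fall-through
     "uid=$1,ou=domainusers,ou=users,dc=bpk2,dc=com"),
]


def sasl_authz_dn(authcid: str, mech: str = "gssapi") -> str:
    """Form the cn=auth pseudo-DN slapd builds from a SASL authcid.

    For a Kerberos principal user@REALM the shape is
    uid=<user>,cn=<realm>,cn=<mech>,cn=auth with the realm lowercased
    (assumption, consistent with the thread's working host/ rule).
    """
    user, _, realm = authcid.partition("@")
    if realm:
        return f"uid={user},cn={realm.lower()},cn={mech},cn=auth"
    return f"uid={user},cn={mech},cn=auth"


def apply_authz_regexp(authz_dn: str, rules):
    """Return (rule_index, mapped_dn) for the first rule whose pattern matches,
    or (None, authz_dn) when nothing matches and the pseudo-DN is kept as-is.

    Assumption: slapd compiles the pattern as an extended, case-insensitive
    regex and does not anchor it, so an unanchored search is used here.
    $0..$9 in the replacement refer to the whole match and its groups.
    """
    for idx, (pattern, replacement) in enumerate(rules):
        m = re.search(pattern, authz_dn, re.IGNORECASE)
        if m is None:
            continue
        mapped = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
        return idx, mapped
    return None, authz_dn


def map_principal(authcid: str, rules=AUTHZ_REGEXP_RULES):
    """Principal -> (index of the rule that fired, DN slapd would bind as)."""
    return apply_authz_regexp(sasl_authz_dn(authcid), rules)


if __name__ == "__main__":
    for principal in ("host/server2.bpk2.com@BPK2.COM",
                      "imap/test.bpk2.com@BPK2.COM",
                      "jdoe@BPK2.COM"):               # jdoe is a constructed user
        idx, dn = map_principal(principal)
        print(f"{principal:32} rule {idx} -> {dn}")

    # Ordering caveat: if the generic rule sat ahead of the imap rule, the
    # service principal would fall through to the per-user branch, which is
    # the DN the thread's BIND log line showed before slapd was restarted.
    swapped = [AUTHZ_REGEXP_RULES[2], AUTHZ_REGEXP_RULES[1]]
    print(map_principal("imap/test.bpk2.com@BPK2.COM", swapped))
```

A pattern that matches here can still fail live when slapd has not re-read the rule set, which is what the thread ended up finding; after a cn=config change, confirm with ldapwhoami and the stats-level BIND authcid/dn log lines rather than with the regex alone.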
openldap-technical@openldap.org