
SASL External Clarification



Hello all

I am about to close my first SASL/External experience, and try
SASL/GSSAPI.
But before this I'd like to answer some questions I have...

I have two users on my system, francois and lambda.
For these two users I have valid certificates, with
  cn=francois,ou=people,dc=enatel,dc=local
  cn=lambda,ou=people,dc=enatel,dc=local
as subjects. The two are declared in the .ldaprc files, with their
private keys.
root also has this stuff.

I have one entry
  cn=francois,ou=people,dc=enatel,dc=local
in my directory.
I also have an administrator entry:
  cn=root,dc=enatel,dc=local

I defined these ACLs:
# ACLs
access  to dn=".*,ou=people,dc=enatel,dc=local"
        by self write
        by dn.base="cn=root,dc=enatel,dc=local" write
        by * none

access  to *
        by dn.base="cn=root,dc=enatel,dc=local" write
        by * none

When I run ldapsearch -Y EXTERNAL -ZZ as francois,
I get all the data of the dn "cn=francois,...", and nothing else.

When I run it as root, I get all the entries' data.

When I run it as lambda, I get nothing.

All this stuff agrees with my ACLs, so it's OK.

But when I look at the log for lambda's search, I see:

Mar 12 10:40:56 linux-integ slapd[2613]: SASL Canonicalize [conn=5]:
authcid="cn=lambda,ou=people,dc=enatel,dc=local"
Mar 12 10:40:56 linux-integ slapd[2613]: slap_sasl_getdn:
id=cn=lambda,ou=people,dc=enatel,dc=local
Mar 12 10:40:56 linux-integ slapd[2613]: ==>slap_sasl2dn: converting
SASL name cn=lambda,ou=people,dc=enatel,dc=local to a DN
Mar 12 10:40:56 linux-integ slapd[2613]: slap_sasl_regexp: converting
SASL name cn=lambda,ou=people,dc=enatel,dc=local
Mar 12 10:40:56 linux-integ slapd[2613]: <==slap_sasl2dn: Converted SASL
name to <nothing>
Mar 12 10:40:56 linux-integ slapd[2613]: SASL Canonicalize [conn=5]:
authcDN="cn=lambda,ou=people,dc=enatel,dc=local"
Mar 12 10:40:56 linux-integ slapd[2613]: SASL Authorize [conn=5]:
authcid="cn=lambda,ou=people,dc=enatel,dc=local"
authzid="cn=lambda,ou=people,dc=enatel,dc=local"
Mar 12 10:40:56 linux-integ slapd[2613]: conn=5 op=1 BIND
authcid="cn=lambda,ou=people,dc=enatel,dc=local"
Mar 12 10:40:56 linux-integ slapd[2613]: SASL Authorize [conn=5]: 
authorization allowed
Mar 12 10:40:56 linux-integ slapd[2613]: send_ldap_sasl: err=0 len=-1
Mar 12 10:40:56 linux-integ slapd[2613]: send_ldap_response: msgid=2
tag=97 err=0
Mar 12 10:40:56 linux-integ slapd[2613]: <== slap_sasl_bind: rc=0
Mar 12 10:40:56 linux-integ slapd[2613]: conn=5 op=1 AUTHZ
dn="cn=lambda,ou=people,dc=enatel,dc=local" mech=EXTERNAL ssf=0
Mar 12 10:40:56 linux-integ slapd[2613]: do_bind: SASL/EXTERNAL bind:
dn="cn=lambda,ou=people,dc=enatel,dc=local" ssf=0

So the ldapsearch client seems to do a bind as a user who doesn't
exist in the directory!!

Then the client starts the search:
slapd[2612]: conn=5 op=2 SRCH base="dc=enatel,dc=local" scope=2
filter="(objectClass=*)"
Indeed, for each entry access is denied.

But according to my ACLs, a user who doesn't exist in the directory
shouldn't be able to bind to it...
Dieter said that I was doing an anonymous bind (I didn't have these
ACLs yet).
Now anonymous bind should be forbidden.
Am I wrong?

If I am, what can I do to get the desired behavior (that is: no bind for
users who do not exist in the directory)?

As I understand it, SASL EXTERNAL is not a real authentication, because no
challenge string is sent to the client to decrypt, for example. The
server reads the user's cert and uses it to encrypt data sent to him, so
nobody else is able to communicate as this user. But the server doesn't
seem to say "You are not authenticated" to a user who is not in the
directory...

Can the user's certificate used for this encrypted communication be
stored in the directory?
In my opinion this could make things simpler: a user would only have to
tell the server that he is cn=francois,ou=people,dc=enatel,dc=local, then
the server would fetch his certificate from the userCertificate attribute
of this entry and use it to communicate with the user, who would just
use his private key to decrypt the data.

If I want to make a program which retrieves data from an entry in the
directory and uses SASL EXTERNAL to authenticate, how can I check that
the user is authenticated? By trying a search on his data? I think I
am totally wrong.


If anyone can answer / correct me...

Thanks in advance

Francois Beretti
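One way to spot the situation the log above shows from the server side, as an added example that is not from the post or from OpenLDAP itself: a small Python script that parses slapd's "AUTHZ" lines, notes when slap_sasl2dn found no mapping for the SASL name, and flags binds whose DN matches no entry known to exist. The sample log lines and the list of existing entries are constructed from the post (joined where the mail wrapped them); the conn=6 lines for francois are hypothetical.

```python
import re

# Constructed sample log: conn=5 is lambda's bind from the post (no directory
# entry); conn=6 is a hypothetical bind by francois (entry exists).
SAMPLE_LOG = """\
Mar 12 10:40:56 linux-integ slapd[2613]: SASL Canonicalize [conn=5]: authcid="cn=lambda,ou=people,dc=enatel,dc=local"
Mar 12 10:40:56 linux-integ slapd[2613]: <==slap_sasl2dn: Converted SASL name to <nothing>
Mar 12 10:40:56 linux-integ slapd[2613]: conn=5 op=1 AUTHZ dn="cn=lambda,ou=people,dc=enatel,dc=local" mech=EXTERNAL ssf=0
Mar 12 10:41:10 linux-integ slapd[2613]: SASL Canonicalize [conn=6]: authcid="cn=francois,ou=people,dc=enatel,dc=local"
Mar 12 10:41:10 linux-integ slapd[2613]: <==slap_sasl2dn: Converted SASL name to <nothing>
Mar 12 10:41:10 linux-integ slapd[2613]: conn=6 op=1 AUTHZ dn="cn=francois,ou=people,dc=enatel,dc=local" mech=EXTERNAL ssf=0
"""

# Entries that actually exist in the directory, constructed from the post.
KNOWN_ENTRIES = {
    "cn=francois,ou=people,dc=enatel,dc=local",
    "cn=root,dc=enatel,dc=local",
}

AUTHZ_RE = re.compile(r'conn=(\d+) op=\d+ AUTHZ dn="([^"]*)" mech=(\S+) ssf=(\d+)')
CANON_RE = re.compile(r'SASL Canonicalize \[conn=(\d+)\]')
UNMAPPED = "Converted SASL name to <nothing>"  # no sasl-regexp matched

def parse_binds(log_text):
    """Return one dict per completed SASL bind (AUTHZ line). The slap_sasl2dn
    lines carry no conn= tag, so they are attributed to the connection named
    by the most recent 'SASL Canonicalize [conn=N]' line (a heuristic)."""
    binds, unmapped, current_conn = [], set(), None
    for line in log_text.splitlines():
        m = CANON_RE.search(line)
        if m:
            current_conn = m.group(1)
        elif UNMAPPED in line and current_conn is not None:
            unmapped.add(current_conn)
        m = AUTHZ_RE.search(line)
        if m:
            conn, dn, mech, ssf = m.groups()
            binds.append({"conn": conn, "dn": dn, "mech": mech,
                          "ssf": int(ssf), "unmapped": conn in unmapped})
    return binds

def binds_without_entry(log_text, known_entries=KNOWN_ENTRIES):
    """Binds whose authorization DN matches no existing entry: the case in the
    post, where the certificate subject is accepted as a DN as-is."""
    return [b for b in parse_binds(log_text) if b["dn"] not in known_entries]

if __name__ == "__main__":
    for b in binds_without_entry(SAMPLE_LOG):
        print(f"conn={b['conn']} {b['mech']} bind as non-existent entry {b['dn']}")
```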