Kerberos Realm -> SASL Realm in dn
Hi List-

Since I removed sasl-realm from slapd.conf, I've noticed that when
examining my Kerberos credentials cache, the ldap clients do not (by
default, anyway) convert the Kerberos Realm found in those credentials
to a SASL realm in a dn.

In particular, I'm looking at this process:

tombstone ksf-zeus # kdestroy
tombstone ksf-zeus # kinit ldap/admin
Password for ldap/admin@GNOSYS.US:
tombstone ksf-zeus # ldapwhoami
SASL/GSSAPI authentication started
SASL username: ldap/admin@GNOSYS.US
SASL SSF: 56
SASL installing layers
dn:uid=ldap/admin,cn=gssapi,cn=auth
tombstone ksf-zeus #

I have no sasl-regexp's related to this process whatsoever, so I presume
that slapd or ldapwhoami is stripping the kerberos realm GNOSYS.US from
the SASL username that it finds in the credentials cache and throwing it
away when composing the dn:uid=ldap/admin,cn=gssapi,cn=auth.

Is there any way for me to either have the kerberos realm placed in the
dn as a SASL realm (in the form of dn: uid=ldap/admin, cn=GNOSYS.US,
cn=gssapi, cn=auth and so as to permit using several kerberos---or
other---realms and no sasl-realm option in slapd.conf) or to keep the
whole SASL username (complete with kerberos realm) as the uid in the dn
so I can manipulate it myself with a sasl-regexp?

I googled for this issue, scanned the man pages, checked the last 6
months or so of the archives, and checked the faq-o-matic, but don't see
this issue addressed anywhere.

In fact, it seems strange to me but I don't even see this behavior when
I use the -R option on the command line to explicitly list the realm,
and from man ldapwhoami, I would think that I should.  Perhaps I'm
misunderstanding.

tombstone ksf-zeus # man ldapwhoami
<snip>
-R realm
     Specify the realm of authentication ID for SASL bind.
     The form of the realm depends on the actual SASL mechanism used.
<snip>

tombstone ksf-zeus # ldapwhoami -R GNOSYS.US
SASL/GSSAPI authentication started
SASL username: ldap/admin@GNOSYS.US
SASL SSF: 56
SASL installing layers
dn:uid=ldap/admin,cn=gssapi,cn=auth
tombstone ksf-zeus # ldapwhoami -R gnosys.us
SASL/GSSAPI authentication started
SASL username: ldap/admin@GNOSYS.US
SASL SSF: 56
SASL installing layers
dn:uid=ldap/admin,cn=gssapi,cn=auth
tombstone ksf-zeus #

TIA for any thoughts.

-Kevin
http://www.gnosys.us
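To make concrete what the mapping step in the question would look like on the slapd side, here is an added Python model (not code from the post, nor OpenLDAP's own implementation) of how an ordered set of authz-regexp / sasl-regexp rules is applied to the SASL authorization DN, for both the realm-stripped form observed above and the form that would carry the realm as cn=<REALM>. The target subtrees (ou=people,o=<realm>) and the rule patterns are assumptions for illustration; slapd writes back-references as $1, Python as \1.

```python
import re

# Constructed rules in the spirit of slapd's authz-regexp directive (called
# sasl-regexp in older releases): an ordered list of (pattern, replacement).
# slapd tries them in order and the first pattern matching the whole
# SASL authorization DN wins. Target DNs here are assumed, not real config.
AUTHZ_REGEXP = [
    # Realm present in the DN: each Kerberos realm gets its own subtree,
    # which is what the poster wants for several realms and no sasl-realm.
    (r"^uid=([^,]+),cn=([^,]+),cn=gssapi,cn=auth$",
     r"uid=\1,ou=people,o=\2"),
    # Realm stripped (what ldapwhoami shows in the post): the rule cannot
    # tell realms apart, so every principal lands in one assumed subtree.
    (r"^uid=([^,]+),cn=gssapi,cn=auth$",
     r"uid=\1,ou=people,o=GNOSYS.US"),
]


def sasl_authz_dn(principal: str, realm_in_dn: bool) -> str:
    """Model of the DN slapd forms from a GSSAPI principal user@REALM.

    With realm_in_dn=True the realm becomes a cn= component, the layout the
    post asks for; with False it is dropped, the behaviour observed there.
    """
    user, _, realm = principal.partition("@")
    if realm_in_dn and realm:
        return f"uid={user},cn={realm},cn=gssapi,cn=auth"
    return f"uid={user},cn=gssapi,cn=auth"


def map_authz_dn(sasl_dn: str, rules=AUTHZ_REGEXP):
    """Apply the rules in order; return the mapped DN, or None if no rule matches.

    DN attribute values are compared case-insensitively, as the lowercase
    '-R gnosys.us' run in the post would need if the realm were kept.
    """
    for pattern, replacement in rules:
        m = re.match(pattern, sasl_dn, re.IGNORECASE)
        if m:
            return m.expand(replacement)
    return None


if __name__ == "__main__":
    for keep in (False, True):
        dn = sasl_authz_dn("ldap/admin@GNOSYS.US", realm_in_dn=keep)
        print(f"{dn} -> {map_authz_dn(dn)}")
```

With the realm dropped, a second realm such as a constructed OTHER.EXAMPLE is indistinguishable from GNOSYS.US at this step, which is exactly the limitation the question describes.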