
Re: Kerberos Realm -> SASL Realm in dn



OpenLDAP Software, itself, has little to do with this.
If sasl-host and/or -R are set, they are passed to Cyrus SASL.
What Cyrus SASL does with them is, well, Cyrus SASL's business.
Likewise, slapd(8) includes a realm component in the
authzDN if and only if Cyrus SASL reports a realm.  I note
that Cyrus SASL behavior here is likely dependent not only
on the client/server, but on the mechanism implementation.

I suggest you reproduce the behavior using Cyrus SASL tools,
such as their sample client/server, and then direct any
question you have regarding this behavior to the Cyrus SASL
mailing list.

Kurt

At 12:21 PM 10/17/2004, Kevin wrote:
>Hi List-
>
>Since I removed sasl-realm from slapd.conf, I've noticed that when
>examining my Kerberos credentials cache, the ldap clients do not (by
>default, anyway) convert the Kerberos Realm found in those credentials
>to a SASL realm in a dn.
>
>In particular, I'm looking at this process:
>
>tombstone ksf-zeus # kdestroy
>tombstone ksf-zeus # kinit ldap/admin
>Password for ldap/admin@GNOSYS.US:
>tombstone ksf-zeus # ldapwhoami
>SASL/GSSAPI authentication started
>SASL username: ldap/admin@GNOSYS.US
>SASL SSF: 56
>SASL installing layers
>dn:uid=ldap/admin,cn=gssapi,cn=auth
>tombstone ksf-zeus #
>
>I have no sasl-regexp's related to this process whatsoever, so I presume
>that slapd or ldapwhoami is stripping the kerberos realm GNOSYS.US from
>the SASL username that it finds in the credentials cache and throwing it
>away when composing the dn:uid=ldap/admin,cn=gssapi,cn=auth.
>
>Is there any way for me to either have the kerberos realm placed in the
>dn as a SASL realm (in the form of dn: uid=ldap/admin, cn=GNOSYS.US,
>cn=gssapi, cn=auth and so as to permit using several kerberos---or
>other---realms and no sasl-realm option in slapd.conf) or to keep the
>whole SASL username (complete with kerberos realm) as the uid in the dn
>so I can manipulate it myself with a sasl-regexp?
>
>I googled for this issue, scanned the man pages, checked the last 6
>months or so of the archives, and checked the faq-o-matic, but don't see
>this issue addressed anywhere.
>
>In fact, it seems strange to me but I don't even see this behavior when
>I use the -R option on the command line to explicitly list the realm,
>and from man ldapwhoami, I would think that I should.  Perhaps I'm
>misunderstanding.
>
>tombstone ksf-zeus # man ldapwhoami
><snip>
>-R realm
>     Specify the realm of authentication ID for SASL bind.
>     The form of the realm depends on the actual SASL mechanism used.
><snip>
>
>tombstone ksf-zeus # ldapwhoami -R GNOSYS.US
>SASL/GSSAPI authentication started
>SASL username: ldap/admin@GNOSYS.US
>SASL SSF: 56
>SASL installing layers
>dn:uid=ldap/admin,cn=gssapi,cn=auth
>tombstone ksf-zeus # ldapwhoami -R gnosys.us
>SASL/GSSAPI authentication started
>SASL username: ldap/admin@GNOSYS.US
>SASL SSF: 56
>SASL installing layers
>dn:uid=ldap/admin,cn=gssapi,cn=auth
>tombstone ksf-zeus #
>
>TIA for any thoughts.
>
>-Kevin
>http://www.gnosys.us