Re: openldap and kerberos auth-to-local rules

[Howard Chu <hyc@symas.com>]

Guillaume Rousse wrote:
> Hello list.
>
> I successfuly configured OpenLDAP for kerberos autentication, and user
> mapping:
> authz-regexp "uid=([^,]+),cn=gssapi,cn=auth"
>       "ldap:///ou=users,dc=futurs,dc=inria,dc=fr??sub?(uid=$1)"
>
> However, mapping doesn't work when autenticating with a user from a
> different realm than the one from the server. The logs show the realm is
> not stripped from username, as it should be:
> Oct  5 17:30:45 babaorum slapd[28598]: conn=24 op=2 BIND
> authcid="rousse@SACLAY.INRIA.FR" authzid="rousse@SACLAY.INRIA.FR"
> Oct  5 17:30:45 babaorum slapd[28598]: conn=24 op=2 BIND
> dn="uid=rousse@saclay.inria.fr,cn=gssapi,cn=auth" mech=GSSAPI
> sasl_ssf=56 ssf=56
>
> authcid should be 'rousse', not 'rousse@SACLAY.INRIA.FR'. This is a
> classic problem, and kerberos provides mapping rules for users of
> external domains, such as described here:
> http://www.fnal.gov/docs/strongauth2003/html/krb5conf.html
>
> I used those rules succesfully with mod_krb, for instance. However,
> openldap seems to ignore them. I had to change the previous regexp to:
> authz-regexp "uid=([^,@]+)(@[^,]+)?,cn=gssapi,cn=auth"
>       "ldap:///ou=users,dc=futurs,dc=inria,dc=fr??sub?(uid=$1)
>
> Is this intentional ?

The name you see here is the name that Cyrus SASL gave to slapd. To answer the 
question "is this intentional" you will have to ask the authors of the Cyrus 
SASL/GSSAPI plugin.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/