[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Anonymously binding despite '-U ....' to ldapsearch

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Turbo Fredriksson

> >>>>> "Howard" == Howard Chu <hyc@highlandsun.com> writes:
>     Howard> Judging from your ACLs, you're still using the old format
>     Howard> for SASL DNs. See the 2.1 Admin Guide for details on the
>     Howard> new SASL DN format.
>     Howard> In OpenLDAP 2.1.12, the SASL authorization DN is logged
>     Howard> with AUTHZ keyword instead of BIND. This inconsistency has
>     Howard> been fixed in 2.1.13, using BIND throughout. So, one of
>     Howard> the reasons you're not seeing the DN you expect is because
>     Howard> you're grepping for the wrong log message.
> I found out that using:
> ----- s n i p -----
> sasl-regexp
>         uid=(.*),cn=bayour.com,cn=gssapi,cn=auth
>         uid=$1,ou=People,dc=bayour,dc=com
> [...]
> access to * by dn="uid=turbo,ou=People,dc=bayour,dc=com" write
> ----- s n i p -----
> gave the attribute I was looking for. Now I come to the more
> difficult one (I really _HATE_ regexp :). My users i are also
> located under other branches than 'dc=bayour.com'. How would
> I write an sasl-regexp that will catch this?
> Example:
> ----- s n i p -----
> dn: uid=malin,ou=People,dc=sundqvist,dc=com
>         access to '.*,dc=sundqvist,dc=com'
>         access to '.*,dc=fredriksson,dc=com'
>         access to '.*,dc=bayour,dc=com'
> dn: uid=jonathan,ou=People,dc=intelligence-5,dc=com
>         access to '.*,dc=intelligence-5,dc=com'
> dn: uid=jens,ou=People,dc=agby,dc=com
>         access to '.*,dc=agby,dc=com'
> ----- s n i p -----
> The 'uid=XXX' is the same as the Kerberos principal/username so
> that might help things...

I suppose it would be too obvious to presume that your users in different
parts of your tree are also using different Kerberos realms. If they do have
different realms, then the solution is trivial:


If they aren't in unique realms, you have a problem, because you would be
mapping names from a single Kerberos namespace into multiple LDAP namespaces,
and you have no way to resolve the conflict if the same uid appears in
multiple LDAP DNs.

Again, assuming you have separate realms, and that you have a valid "dc=com"
database that holds your "dc=foo,dc=com", "dc=bar,dc=com" etc. subtrees ,
this regexp would also do the mapping:


With only a single Kerberos realm, you can do


and hope no conflicts occur... Obviously the correct thing to do is to make
enforce a 1-to-1 mapping of LDAP DNs to Kerberos principals.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support