[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: getting DN from client with GSSAPI bind?

--On Tuesday, January 23, 2007 4:33 PM -0500 Kenneth Rogers <kenneth.rogers@gmail.com> wrote:


After a successful GSSAPI binding, is there an easy way to get the DN
for that user from the server?

Well, are you mapping the users to an entry in the server? If yes, then use that DN.

If not, then use the SASL authz ID. The logs are generally pretty clear at loglevel 256 what DN is being used.

For example:

Jan 23 14:29:00 ldap1 slapd[22096]: conn=11888542 op=2 BIND authcid="webauth/proxy.stanford.edu@stanford.edu" authzid="webauth/proxy.stanford.edu@stanford.edu"

So here's the authz DN (webauth/proxy.stanford.edu@stanford.edu).

Jan 23 14:29:00 ldap1 slapd[22096]: conn=11888542 op=2 BIND dn="cn=proxy,cn=webauth,cn=applications,dc=stanford,dc=edu" mech=GSSAPI ssf=56

And here's the DN of what I map it to:


In case you haven't played with mappings, here's how the mapping is done:

sasl-regexp uid=webauth/(.*),cn=stanford.edu,cn=gssapi,cn=auth ldap:///cn=Webauth,cn=Applications,dc=stanford,dc=edu??sub?krb5PrincipalName=webauth/$1@stanford.edu

And this is what the internal entry looks like:

ldap1:~> lsearch cn=proxy
dn: cn=proxy,cn=webauth,cn=applications,dc=stanford,dc=edu
objectClass: applicationProcess
objectClass: suApplication
objectClass: krb5Principal
cn: proxy
description: webauth access for proxy.stanford.edu
krb5PrincipalName: webauth/proxy.stanford.edu@stanford.edu

Just to give you some thoughts to ponder. ;)


Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html