[Date Prev][Date Next] [Chronological] [Thread] [Top]
OpenLDAP 2.4 && SASL Auths

To: openldap-software@openldap.org
Subject: OpenLDAP 2.4 && SASL Auths
From: Turbo Fredriksson <turbo@bayour.com>
Date: Sat, 17 Mar 2007 15:04:01 +0100
Organization: LDAP/Kerberos expert wannabe
User-agent: Gnus/5.1007 (Gnus v5.10.7) Emacs/20.7 (gnu/linux)
I've setting up a new primary server and choosed 2.4 (HEAD) as server
for that... Might not be a good idea to use 2.4 on a production environment,
but... :)

Anyway, I set up a authz-regexp as I have on my 2.2 servers like this:
----- s n i p -----
authz-regexp
        uid=(.*),cn=bayour.com,cn=gssapi,cn=auth
        ldap:///c=SE??sub?krb5PrincipalName=$1@BAYOUR.COM
----- s n i p -----

Unfortunatly, ldapwhoami/slapd doesn't mapp this to my DN.
An anonymous LDAP search will retreive my object correctly:
----- s n i p -----
root@rigel# ldapsearch -LLL -H ldapi://%2fvar%2frun%2fslapd%2fldapi.provider krb5PrincipalName=turbo@BAYOUR.COM dn
SASL/GSSAPI authentication started
SASL username: turbo@BAYOUR.COM
SASL SSF: 56
SASL data security layer installed.
dn: uid=turbo,ou=People,o=Fredriksson,c=SE
root@rigel# ldapsearch -x -LLL -H ldapi://%2fvar%2frun%2fslapd%2fldapi.provider krb5PrincipalName=turbo@BAYOUR.COM dn
dn: uid=turbo,ou=People,o=Fredriksson,c=SE
----- s n i p -----

And ldapwhoami shows:
----- s n i p -----
root@rigel# ldapwhoami -H ldapi://%2fvar%2frun%2fslapd%2fldapi.provider
SASL/GSSAPI authentication started
SASL username: turbo@BAYOUR.COM
SASL SSF: 56
SASL data security layer installed.
dn:uid=turbo,cn=bayour.com,cn=gssapi,cn=auth
----- s n i p -----


Running slapd with '-d -1' shows this when it tries to
map my ticket/authzID (?):
----- s n i p -----
[...]
put_simple_filter: "krb5PrincipalName=turbo@BAYOUR.COM"
begin get_filter
EQUALITY
[...]
slap_sasl2dn: performing internal search (base=c=se, scope=2)
=> hdb_search
bdb_dn2entry("c=se")
=> access_allowed: auth access to "c=SE" "entry" requested
=> dn: [1] 
=> dn: [2] cn=log1
=> dn: [3] cn=log1
=> dn: [4] cn=monitor
=> dn: [5] cn=subschema
=> dn: [6] cn=config
=> acl_get: [8] attr entry
=> acl_mask: access to entry "c=SE", attr "entry" requested
=> acl_mask: to all values by "", (=0) 
<= check a_dynacl
    <= check a_dynacl: aci
        <= aci_list_get_attr_rights test objectClass#public# for entry -> failed
        <= aci_list_get_attr_rights test objectClass#public# for [all] -> failed
        <= aci_list_get_attr_rights test userReference#public# for entry -> failed
        <= aci_list_get_attr_rights test userReference#public# for [all] -> failed
        <= aci_list_get_attr_rights test entry#public# for entry -> ok
        <= aci_list_get_attr_rights rights r,s,c;entry#public# to mask 0x39
        <= aci_list_get_attr_rights test entry#public# for [all] -> failed
        <= aci_list_get_attr_rights test useControls#users# for entry -> failed
        <= aci_list_get_attr_rights test useControls#users# for [all] -> failed
        <= aci_list_get_attr_rights test useEzmlm#users# for entry -> failed
        <= aci_list_get_attr_rights test useEzmlm#users# for [all] -> failed
        <= aci_list_get_attr_rights test useBind9#users# for entry -> failed
        <= aci_list_get_attr_rights test useBind9#users# for [all] -> failed
        <= aci_list_get_attr_rights test useWebSrv#users# for entry -> failed
        <= aci_list_get_attr_rights test useWebSrv#users# for [all] -> failed
        <= aci_list_get_attr_rights test autoReload#users# for entry -> failed
        <= aci_list_get_attr_rights test autoReload#users# for [all] -> failed
        <= aci_list_get_attr_rights test allowServerChange#users# for entry -> failed
        <= aci_list_get_attr_rights test allowServerChange#users# for [all] -> failed
        <= aci_list_get_attr_rights test whoAreWe#users# for entry -> failed
        <= aci_list_get_attr_rights test whoAreWe#users# for [all] -> failed
        <= aci_list_get_attr_rights test language#users# for entry -> failed
        <= aci_list_get_attr_rights test language#users# for [all] -> failed
        <= aci_list_get_attr_rights test hostMaster#users# for entry -> failed
        <= aci_list_get_attr_rights test hostMaster#users# for [all] -> failed
        <= aci_list_get_attr_rights test ezmlmBinaryPath#users# for entry -> failed
        <= aci_list_get_attr_rights test ezmlmBinaryPath#users# for [all] -> failed
        <= aci_list_get_attr_rights test krb5RealmName#users# for entry -> failed
        <= aci_list_get_attr_rights test krb5RealmName#users# for [all] -> failed
        <= aci_list_get_attr_rights test krb5AdminServer#users# for entry -> failed
        <= aci_list_get_attr_rights test krb5AdminServer#users# for [all] -> failed
        <= aci_list_get_attr_rights test krb5PrincipalName#users# for entry -> failed
        <= aci_list_get_attr_rights test krb5PrincipalName#users# for [all] -> failed
        <= aci_list_get_attr_rights test krb5AdminKeytab#users# for entry -> failed
        <= aci_list_get_attr_rights test krb5AdminKeytab#users# for [all] -> failed
        <= aci_list_get_attr_rights test krb5AdminCommandPath#users# for entry -> failed
        <= aci_list_get_attr_rights test krb5AdminCommandPath#users# for [all] -> failed
        <= aci_list_get_attr_rights test controlBaseDn#users# for entry -> failed
        <= aci_list_get_attr_rights test controlBaseDn#users# for [all] -> failed
        <= aci_list_get_attr_rights test ezmlmAdministrator#users# for entry -> failed
        <= aci_list_get_attr_rights test ezmlmAdministrator#users# for [all] -> failed
        <= aci_list_get_attr_rights test controlsAdministrator#users# for entry -> failed
        <= aci_list_get_attr_rights test controlsAdministrator#users# for [all] -> failed
        <= aci_list_get_attr_rights test useACI#users# for entry -> failed
        <= aci_list_get_attr_rights test useACI#users# for [all] -> failed
        <= aci_list_get_attr_rights test [all]#access-id#uid=turbo,ou=people,o=fredriksson,c=se for entry -> failed
        <= aci_list_get_attr_rights test [all]#access-id#uid=turbo,ou=people,o=fredriksson,c=se for [all] -> ok
        <= aci_list_get_attr_rights rights w,r,s,c,x;[all]#access-id#uid=turbo,ou=people,o=fredriksson,c=se to mask 0x37d
        <= aci_mask grant =rsc deny =0
<= acl_mask: [2] applying +rsc (stop)
<= acl_mask: [2] mask: =rsc
=> slap_access_allowed: auth access denied by =rsc
=> access_allowed: no more rules
----- s n i p -----

So question number one is: why does it start in my suffix?
And why does it fail, even though it succeeded in what it
was looking for (attr 'entry')?


Oh, another thing that would be _nice_ (not that I need it now, but
you never know :).
The following authz-regexp don't work (because krb5Principalname is
case sensitive - ?):
----- s n i p -----
authz-regexp
        uid=(.*),cn=(.*),cn=gssapi,cn=auth
        ldap:///c=SE??sub?krb5PrincipalName=$1@$2
----- s n i p -----

Any ideas on how to do this (without having multiple authz-regexp's)?
Follow-Ups:
- Re: OpenLDAP 2.4 && SASL Auths
  - From: Turbo Fredriksson <turbo@bayour.com>
Prev by Date: Re: Error: Objectclass: value #1 invalid per syntax
Next by Date: Re: OpenLDAP 2.4 && SASL Auths
Index(es):
- Chronological
- Thread