[Date Prev][Date Next] [Chronological] [Thread] [Top]

openldap and kerberos auth-to-local rules

Hello list.

I successfuly configured OpenLDAP for kerberos autentication, and user mapping:
authz-regexp "uid=([^,]+),cn=gssapi,cn=auth"

However, mapping doesn't work when autenticating with a user from a different realm than the one from the server. The logs show the realm is not stripped from username, as it should be: Oct 5 17:30:45 babaorum slapd[28598]: conn=24 op=2 BIND authcid="rousse@SACLAY.INRIA.FR" authzid="rousse@SACLAY.INRIA.FR" Oct 5 17:30:45 babaorum slapd[28598]: conn=24 op=2 BIND dn="uid=rousse@saclay.inria.fr,cn=gssapi,cn=auth" mech=GSSAPI sasl_ssf=56 ssf=56

authcid should be 'rousse', not 'rousse@SACLAY.INRIA.FR'. This is a classic problem, and kerberos provides mapping rules for users of external domains, such as described here:

I used those rules succesfully with mod_krb, for instance. However, openldap seems to ignore them. I had to change the previous regexp to:
authz-regexp "uid=([^,@]+)(@[^,]+)?,cn=gssapi,cn=auth"

Is this intentional ?
BOFH excuse #58:

high pressure system failure