[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: openldap and kerberos auth-to-local rules

Guillaume Rousse wrote:
Hello list.

I successfuly configured OpenLDAP for kerberos autentication, and user
authz-regexp "uid=([^,]+),cn=gssapi,cn=auth"

However, mapping doesn't work when autenticating with a user from a
different realm than the one from the server. The logs show the realm is
not stripped from username, as it should be:
Oct  5 17:30:45 babaorum slapd[28598]: conn=24 op=2 BIND
authcid="rousse@SACLAY.INRIA.FR" authzid="rousse@SACLAY.INRIA.FR"
Oct  5 17:30:45 babaorum slapd[28598]: conn=24 op=2 BIND
dn="uid=rousse@saclay.inria.fr,cn=gssapi,cn=auth" mech=GSSAPI
sasl_ssf=56 ssf=56

authcid should be 'rousse', not 'rousse@SACLAY.INRIA.FR'. This is a
classic problem, and kerberos provides mapping rules for users of
external domains, such as described here:

I used those rules succesfully with mod_krb, for instance. However,
openldap seems to ignore them. I had to change the previous regexp to:
authz-regexp "uid=([^,@]+)(@[^,]+)?,cn=gssapi,cn=auth"

Is this intentional ?

The name you see here is the name that Cyrus SASL gave to slapd. To answer the question "is this intentional" you will have to ask the authors of the Cyrus SASL/GSSAPI plugin.

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/