Re: Kerberos/GSSAPI issues
- To: Howard Chu <hyc@symas.com>
- Subject: Re: Kerberos/GSSAPI issues
- From: Brian Candler <B.Candler@pobox.com>
- Date: Thu, 30 Dec 2010 21:11:41 +0000
- Cc: openldap-technical@openldap.org
- In-reply-to: <20101229174005.GC4113@talktalkplc.com>
- References: <20101228092656.GA4437@talktalkplc.com> <4D1A6498.1000402@symas.com> <20101229174005.GC4113@talktalkplc.com>
- User-agent: Mutt/1.5.20 (2009-06-14)
On Wed, Dec 29, 2010 at 05:40:05PM +0000, Brian Candler wrote:
> However I've done some testing, and the interaction between the krb5 default
> realm, the olcSaslRealm and the actual realm of the request appears to be
> rather bizarre.
I found a hint here:
http://www.cyrusimap.org/docs/cyrus-sasl/2.1.23/gssapi.php
"if for example you're using Kerberos, the Cyrus SASL library strips out the
@REALM from your identity if you are in the same realm as the server"
This begs the question of what the "server's realm" actually means, and my
previous tests suggest this is just the default realm from krb5.conf. The
olcSaslRealm is a string which is pasted back in if the @REALM has been
stripped out.
To test this properly, I had to set up an environment with cross-realm auth.
The two realms are WS.NSRC.ORG and REALM3.WS.NSRC.ORG
The LDAP server has default_realm=WS.NSRC.ORG and has olcSaslRealm set to
EXAMPLE.COM
(1) If the client has a ticket for inst@WS.NSRC.ORG
then I get authDN="uid=inst,cn=example.com,cn=gssapi,cn=auth"
(2) If the client has a ticket for student@REALM3.WS.NSRC.ORG
then I get authDN="uid=student@realm3.ws.nsrc.org,cn=example.com,cn=gssapi,cn=auth"
The server logs (slapd -d 255) for these two cases are shown below.
My result for case (2) is in disagreement with the examples at
http://www.openldap.org/doc/admin24/sasl.html#GSSAPI
which suggests I should have seen
uid=student,cn=realm3.ws.nsrc.org,cn=gssapi,cn=auth
Regards,
Brian.
do_bind: dn () SASL mech GSSAPI
==> sasl_bind: dn="" mech=<continuing> datalen=32
SASL Canonicalize [conn=1000]: authcid="inst"
slap_sasl_getdn: conn 1000 id=inst [len=4]
=> ldap_dn2bv(16)
<= ldap_dn2bv(uid=inst,cn=EXAMPLE.COM,cn=GSSAPI,cn=auth)=0
slap_sasl_getdn: u:id converted to uid=inst,cn=EXAMPLE.COM,cn=GSSAPI,cn=auth
>>> dnNormalize: <uid=inst,cn=EXAMPLE.COM,cn=GSSAPI,cn=auth>
=> ldap_bv2dn(uid=inst,cn=EXAMPLE.COM,cn=GSSAPI,cn=auth,0)
<= ldap_bv2dn(uid=inst,cn=EXAMPLE.COM,cn=GSSAPI,cn=auth)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=inst,cn=example.com,cn=gssapi,cn=auth)=0
<<< dnNormalize: <uid=inst,cn=example.com,cn=gssapi,cn=auth>
==>slap_sasl2dn: converting SASL name uid=inst,cn=example.com,cn=gssapi,cn=auth to a DN
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL Canonicalize [conn=1000]: slapAuthcDN="uid=inst,cn=example.com,cn=gssapi,cn=auth"
SASL proxy authorize [conn=1000]: authcid="inst@EXAMPLE.COM" authzid="inst@EXAMPLE.COM"
SASL Authorize [conn=1000]: proxy authorization allowed authzDN=""
send_ldap_sasl: err=0 len=-1
do_bind: SASL/GSSAPI bind: dn="uid=inst,cn=example.com,cn=gssapi,cn=auth" sasl_ssf=56
do_bind: dn () SASL mech GSSAPI
==> sasl_bind: dn="" mech=<continuing> datalen=32
SASL Canonicalize [conn=1000]: authcid="student@REALM3.WS.NSRC.ORG"
slap_sasl_getdn: conn 1000 id=student@REALM3.WS.NSRC.ORG [len=26]
=> ldap_dn2bv(16)
<= ldap_dn2bv(uid=student@REALM3.WS.NSRC.ORG,cn=EXAMPLE.COM,cn=GSSAPI,cn=auth)=0
slap_sasl_getdn: u:id converted to uid=student@REALM3.WS.NSRC.ORG,cn=EXAMPLE.COM,cn=GSSAPI,cn=auth
>>> dnNormalize: <uid=student@REALM3.WS.NSRC.ORG,cn=EXAMPLE.COM,cn=GSSAPI,cn=auth>
=> ldap_bv2dn(uid=student@REALM3.WS.NSRC.ORG,cn=EXAMPLE.COM,cn=GSSAPI,cn=auth,0)
<= ldap_bv2dn(uid=student@REALM3.WS.NSRC.ORG,cn=EXAMPLE.COM,cn=GSSAPI,cn=auth)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=student@realm3.ws.nsrc.org,cn=example.com,cn=gssapi,cn=auth)=0
<<< dnNormalize: <uid=student@realm3.ws.nsrc.org,cn=example.com,cn=gssapi,cn=auth>
==>slap_sasl2dn: converting SASL name uid=student@realm3.ws.nsrc.org,cn=example.com,cn=gssapi,cn=auth to a DN
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL Canonicalize [conn=1000]: slapAuthcDN="uid=student@realm3.ws.nsrc.org,cn=example.com,cn=gssapi,cn=auth"
SASL proxy authorize [conn=1000]: authcid="student@REALM3.WS.NSRC.ORG" authzid="student@REALM3.WS.NSRC.ORG"
SASL Authorize [conn=1000]: proxy authorization allowed authzDN=""
send_ldap_sasl: err=0 len=-1
do_bind: SASL/GSSAPI bind: dn="uid=student@realm3.ws.nsrc.org,cn=example.com,cn=gssapi,cn=auth" sasl_ssf=56
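The authcid-to-authDN mapping seen in the two log traces above, with an authz-regexp stage on top, as an added example that is not part of the original post or of OpenLDAP's code. The default_realm and olcSaslRealm values are the ones from the post; the ou=people target DNs and the olcAuthzRegexp rules are hypothetical.

```python
import re

# Added example. Models the mapping Brian observed with slapd -d 255: Cyrus SASL
# strips @REALM only when it equals the server's krb5 default_realm, slapd pastes
# olcSaslRealm in as cn=..., and dnNormalize lower-cases the result.


def observed_auth_dn(principal: str, default_realm: str, sasl_realm: str) -> str:
    """Return the cn=auth pseudo-DN slapd derives from a GSSAPI principal."""
    user, _, realm = principal.partition("@")
    authcid = user if realm.upper() == default_realm.upper() else principal
    return f"uid={authcid},cn={sasl_realm},cn=gssapi,cn=auth".lower()


# Hypothetical olcAuthzRegexp rules as (regex, replacement) pairs. slapd writes the
# back-reference as $1; Python uses \1. The target subtrees are constructed.
AUTHZ_REGEXP = [
    # Default-realm users arrive without @REALM. Forbidding '@' in the uid keeps a
    # foreign-realm principal with the same short name from matching this rule.
    (r"^uid=([^,@]+),cn=example\.com,cn=gssapi,cn=auth$",
     r"uid=\1,ou=people,dc=ws,dc=nsrc,dc=org"),
    # REALM3 users keep their realm in the uid; map them to their own subtree.
    (r"^uid=([^,@]+)@realm3\.ws\.nsrc\.org,cn=example\.com,cn=gssapi,cn=auth$",
     r"uid=\1,ou=people,dc=realm3,dc=ws,dc=nsrc,dc=org"),
]


def map_authz(auth_dn: str):
    """First matching rule wins, as in slapd. None means the identity stays at its
    cn=auth pseudo-DN and must not inherit any directory user's rights."""
    for pattern, repl in AUTHZ_REGEXP:
        if re.match(pattern, auth_dn):
            return re.sub(pattern, repl, auth_dn)
    return None


def resolve(principal: str, default_realm="WS.NSRC.ORG", sasl_realm="EXAMPLE.COM"):
    """Principal -> observed authDN -> mapped directory DN (or None)."""
    return map_authz(observed_auth_dn(principal, default_realm, sasl_realm))


if __name__ == "__main__":
    # Third principal is from a constructed realm with no rule: it stays unmapped.
    for p in ("inst@WS.NSRC.ORG", "student@REALM3.WS.NSRC.ORG", "inst@OTHER.EXAMPLE.NET"):
        print(p, "->", observed_auth_dn(p, "WS.NSRC.ORG", "EXAMPLE.COM"), "->", resolve(p))
```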