[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Handling slapd.d in OpenLDAP and Kerberos

On Fri, Jan 07, 2011 at 09:22:01PM +0530, sarathkrishna89@gmail.com wrote:
>    For authenticating via OpenLDAP, the principles needs to be rewritten
>    (using authz-policy and authz-regexp). We know how to do
>    that in older version of OpenLDAP which had (slapd.conf) but don't know
>    how to do the same in new OpenLDAP which has slapd.d directory instead.
>    The manuals also doesn't say anything on this issue.

man slapd-config

scroll down to:


>    authz-regexp
>         uid=(.*),cn=[2]example.com,cn=GSSAPI,cn=auth
>         uid=$1,ou=people,dc=example,dc=com

If you are using multiple Kerberos realms, please note that the current
documentation of auth DNs is wrong (see ITS#6757)

Proposed correction is below.



--- openldap/doc/guide/admin/sasl.sdf.orig	2011-01-03 15:15:55.754879001 +0530
+++ openldap/doc/guide/admin/sasl.sdf	2011-01-03 15:38:55.188208002 +0530
@@ -135,25 +135,35 @@
 For the purposes of authentication and authorization, {{slapd}}(8)
 associates an authentication request DN of the form:
->	uid=<primary[/instance]>,cn=<realm>,cn=gssapi,cn=auth
+>	uid=<primary[/instance][@realm]>,cn=gssapi,cn=auth
+The realm is omitted by Cyrus SASL if it's equal to the default realm of the
+server in {{FILE:/etc/krb5.conf}}.
 Continuing our example, a user with the Kerberos principal
 {{EX:kurt@EXAMPLE.COM}} would have the associated DN:
->	uid=kurt,cn=example.com,cn=gssapi,cn=auth
+>	uid=kurt,cn=gssapi,cn=auth
 and the principal {{EX:ursula/admin@FOREIGN.REALM}} would have the
 associated DN:
->	uid=ursula/admin,cn=foreign.realm,cn=gssapi,cn=auth
+>	uid=ursula/admin@foreign.realm,cn=gssapi,cn=auth
-The authentication request DN can be used directly ACLs and
+The authentication request DN can be used directly in ACLs and
 {{EX:groupOfNames}} "member" attributes, since it is of legitimate
 LDAP DN format.  Or alternatively, the authentication DN could be
 mapped before use.  See the section {{SECT:Mapping Authentication
 Identities}} for details.
+If you configure olcSaslRealm then it is always inserted as an extra
+component in the authorization DN, regardless of the realm of the client.
+For example, if you set olcSaslRealm to {{EX:example.com}} then you will
+>	uid=kurt,cn=example.com,cn=gssapi,cn=auth
+>	uid=ursula/admin@foreign.realm,cn=example.com,cn=gssapi,cn=auth