Re: Ldap kerberos ticket - GSSAPI

[Donn Cave <donn@u.washington.edu>]

On Tuesday, March 29, 2005, at 01:50 PM, Manel Euro wrote:

> I have configured Kerberos, OpenLdap and Cyrus-Sasl. Everything is  
> working ok . However, I was doing some testing and found the following  
> situation.
>
> When a Kerberos principal, not represented on the ldap directory, runs  
> the command ldapwhoami  I get:
>
> SASL/GSSAPI authentication started
> SASL username: testePac@EXAMPLE.NET
> SASL SSF: 56
> SASL installing layers
> dn:uid=testepac,cn=example.net,cn=gssapi,cn=auth
>
> when a principal which is also on the directoyr tree runs ldapadmin I  
> get:
>
> SASL/GSSAPI authentication started
> SASL username: testeF@EXAMPLE.NET
> SASL SSF: 56
> SASL installing layers
> dn:uid=testef,ou=locationA,ou=people,dc=example,dc=net
>
>
> So, I see that the dns are different. However, on both situation I get  
> a kerberos TGS ticket for LDAP.
>
> How can I avoid this happening?
>
> sasl-regexp     uid=(.+),cn=EXAMPLE.NET,cn=gssapi,cn=auth   
> ldap:/// 
> dc=example,dc=net??sub?(|(uid=$1)(krb5PrincipalName=$1@EXAMPLE.NET))

From your sasl-regexp it isn't clear to me what you want, but logically
I think it follows that if you want principals who are represented in  
the
directory to have similar DNs to those who are not, then you must want
them all in the form of the first one who was not in there, not the  
second.

If that's true, then I think you should use a simpler sasl-regexp, like
sasl-regexp uid=(.+),cn=EXAMPLE.NET,cn=gssapi,cn=auth  
uid=$1,cn=example.net,cn=gssapi,cn=auth

(I'm assuming that the predicate has been working for you - in the  
version
I'm using, GSSAPI authentications from my own realm are  
uid=x,cn=gssapi,... -
not uid=x,cn=realm,cn=gssapi,...  And if you're dealing with external  
realms it
might be a good idea to put them somewhere in the result DN, as I did  
not do
above.)

	Donn Cave, donn@u.washington.edu