[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Ldap kerberos ticket - GSSAPI

To: ando@sys-net.it
Subject: Re: Ldap kerberos ticket - GSSAPI
From: "Manel Euro" <euro_32@hotmail.com>
Date: Wed, 30 Mar 2005 10:51:36 +0000
Cc: openldap-software@OpenLDAP.org
In-reply-to: <424A4723.60008@sys-net.it>


See bellow.

From: Pierangelo Masarati <ando@sys-net.it>
To: Manel Euro <euro_32@hotmail.com>
CC: openldap-software@OpenLDAP.org
Subject: Re: Ldap kerberos ticket - GSSAPI
Date: Wed, 30 Mar 2005 08:28:51 +0200
Manel Euro wrote:
Hi, I have configured Kerberos, OpenLdap and Cyrus-Sasl. Everything is working ok . However, I was doing some testing and found the following situation.

When a Kerberos principal, not represented on the ldap directory, runs the command ldapwhoami I get:
SASL/GSSAPI authentication started
SASL username: testePac@EXAMPLE.NET
SASL SSF: 56
SASL installing layers
dn:uid=testepac,cn=example.net,cn=gssapi,cn=auth
when a principal which is also on the directoyr tree runs ldapadmin I get:
SASL/GSSAPI authentication started
SASL username: testeF@EXAMPLE.NET
SASL SSF: 56
SASL installing layers
dn:uid=testef,ou=locationA,ou=people,dc=example,dc=net
So, I see that the dns are different. However, on both situation I get a kerberos TGS ticket for LDAP.
How can I avoid this happening?
sasl-regexp uid=(.+),cn=EXAMPLE.NET,cn=gssapi,cn=auth ldap:///dc=example,dc=net??sub?(|(uid=$1)(krb5PrincipalName=$1@EXAMPLE.NET))
ACLS:
access to *
  by self write
  by users read
  by anonymous read
when the user gets there, it's already authenticated, and you're supposed to trust the GSSAPI mech.


Right, I agree.

Of course, it's up to the admin to give specific privileges to users that exist in the directory as opposed to those that authenticate but do not exist in the directory. What you should do is give privileges only to __authorized__users, i.e. those that do not authorize (pass sasl-regexp phase), and thus have a DN ending with "cn=auth", could be treated as anonymous. You can obtain this by means of ACLs, e.g.


access to *
   by dn.subtree="cn=auth" none
   by self write
   by * read

Ok. Thank you, this is exactly what I need. This way the use of the acl solves my problem. I forgot that the DNs were different (althow I mentioned it on my previous email), thus subject to different ACLs.

Note, in fact, that in your example you make no distinction between users and anonymous, since you grant both read access, so you shouldn't even notice the problem, and your ACL could be

I know. This is temporary. I am still equating the use of saslauthd to get uid/gid before kerberos authentication.

access to *
   by self write
   by * read
since I don't see why you should give auth'd users not present in the directory less privileges than anonymous.

As soon as I finish setting up all the system no anonymous access will be allowed.

Thank you for your email.

M

p.


   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497

_________________________________________________________________ Don?t just search. Find. Check out the new MSN Search! http://search.msn.click-url.com/go/onm00200636ave/direct/01/

References:
- Re: Ldap kerberos ticket - GSSAPI
  - From: Pierangelo Masarati <ando@sys-net.it>

Prev by Date: Re: Ldap kerberos ticket - GSSAPI
Next by Date: Re: about dns-ldap
Index(es):
- Chronological
- Thread