Re: authz-regexp behavior with GSSAPI

[Dan White <dwhite@cafedemocracy.org>]

> From: Dan White [dwhite@olp.net]
> Sent: Sunday, August 30, 2015 10:09 AM
> To: Peter Heinemann
> Cc: openldap-technical@openldap.org
> Subject: Re: authz-regexp behavior with GSSAPI
>
> On 08/26/15 12:51 +0000, Peter Heinemann wrote:
> > I am trying to figure out different behaviors with authz-regexp in slapd.conf.
>
> Any differences in your /etc/krb5.conf? What is your default realm? Any
> differences in the libraries you're using (cyrus-sasl and kerberos)?

On 08/31/15 13:52 +0000, Peter Heinemann wrote:
> Here are version details:
> openldap 2.4-39
> RHEL 6.5
> cyrus-sasl and cyrus-sasl-gssapi 2.1.23-15
> krb5-libs   1.10.3-42
>
> It appears that cross-realm authentication is problematic.  In the
> following results, "success" means that the search specified by the regex
> occurred and the identity was remapped.  Both commands used GSSAPI (-Y for
> ldapwhoami, -M for slapauth):

> so:
>  slapauth appears to work if a realm is explicitly specified with -R  (either cross-realm or within realm), but won't remap if the realm isn't specified.
>  ldapwhoami (and ldapsearch)  works within a realm whether or not the realm is specified with -R;  but won't remap if -R specifies a different realm.

There are several possibilities as to why this behavior might occur. You
might be able to change sasl-host/sasl-realm to make things work
consistently, or change your default realm in krb5.conf.

The pragmatic solution would be to create more than one authz-regexp to
match each/all cases, so that future Kerberos changes don't break your
setup.

--
Dan White