Re: authz-regexp behavior with GSSAPI
From: Dan White [firstname.lastname@example.org]
Sent: Sunday, August 30, 2015 10:09 AM
To: Peter Heinemann
Subject: Re: authz-regexp behavior with GSSAPI
On 08/26/15 12:51 +0000, Peter Heinemann wrote:
> I am trying to figure out different behaviors with authz-regexp in slapd.conf.
Any differences in your /etc/krb5.conf? What is your default realm? Any
differences in the libraries you're using (cyrus-sasl and kerberos)?
On 08/31/15 13:52 +0000, Peter Heinemann wrote:
> Here are version details:
> cyrus-sasl and cyrus-sasl-gssapi 2.1.23-15
> It appears that cross-realm authentication is problematic. In the
> following results, "success" means that the search specified by the regex
> occurred and the identity was remapped. Both commands used GSSAPI (-Y for
> ldapwhoami, -M for slapauth):
> slapauth appears to work if a realm is explicitly specified with -R (either cross-realm or within realm), but won't remap if the realm isn't specified.
> ldapwhoami (and ldapsearch) works within a realm whether or not the realm is specified with -R; but won't remap if -R specifies a different realm.
There are several possibilities as to why this behavior might occur. You
might be able to change sasl-host/sasl-realm to make things work
consistently, or change your default realm in krb5.conf.
The pragmatic solution would be to create more than one authz-regexp to
match each/all cases, so that future Kerberos changes don't break your
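The following is an added illustration of the "more than one authz-regexp" approach; it is example code written for this page, not part of the thread and not OpenLDAP's own code. It models how slapd walks its authz-regexp list (first match wins, $1..$9 substituted into the replacement) against the SASL authentication DNs a GSSAPI bind can produce. The realm name example.com, the ou=people subtree, the sample principal pheinemann, and the three identity forms (realm as a cn= RDN, realm glued to the principal as user@REALM, and no realm component at all) are assumptions chosen to cover the cases Peter reports; case-insensitive matching stands in for slapd's DN normalisation and is also an assumption. The patterns stay within the subset of POSIX extended regex syntax that Python's re module reads the same way.

```python
"""Model of slapd authz-regexp evaluation for GSSAPI authentication DNs.

Added example, not OpenLDAP code.  Assumptions: slapd builds
"uid=<authcid>,cn=<realm>,cn=gssapi,cn=auth" when a SASL realm is known,
"uid=<authcid>,cn=gssapi,cn=auth" when it is not, and the Kerberos realm
may also arrive as part of the principal name ("user@REALM").  Matching is
done case-insensitively to approximate slapd's normalised DN.
"""
import re

# Replacement used by every rule: look the short name up in the people subtree.
LOOKUP = "ldap:///ou=people,dc=example,dc=com??sub?(uid=$1)"

# Assumed weak config: one rule that only knows the "realm as RDN" form.
SINGLE_RULE = [
    (r"^uid=([^,@]+),cn=example\.com,cn=gssapi,cn=auth$", LOOKUP),
]

# Assumed pragmatic config: one rule per form the local realm can take.
# Nothing here matches a foreign realm, so cross-realm principals fall
# through unmapped instead of being silently aliased to a local uid.
ALL_FORMS = [
    (r"^uid=([^,@]+),cn=example\.com,cn=gssapi,cn=auth$", LOOKUP),
    (r"^uid=([^,@]+)@example\.com,cn=gssapi,cn=auth$", LOOKUP),
    (r"^uid=([^,@]+),cn=gssapi,cn=auth$", LOOKUP),
]

# Constructed sample authentication DNs, one per assumed form.
SAMPLES = {
    "realm-rdn": "uid=pheinemann,cn=example.com,cn=gssapi,cn=auth",
    "realm-suffix": "uid=pheinemann@example.com,cn=gssapi,cn=auth",
    "no-realm": "uid=pheinemann,cn=gssapi,cn=auth",
    "foreign-realm": "uid=pheinemann@other.org,cn=gssapi,cn=auth",
}


def expand(template, match):
    """Substitute $1..$9 in an authz-regexp replacement with regex groups."""
    return re.sub(r"\$([1-9])",
                  lambda m: match.group(int(m.group(1))), template)


def rewrite(sasl_dn, rules):
    """Return what the first matching rule rewrites sasl_dn to, or None.

    slapd checks authz-regexp entries in file order and stops at the first
    successful match; an unmatched DN keeps its raw SASL form."""
    for pattern, template in rules:
        match = re.match(pattern, sasl_dn, re.IGNORECASE)
        if match:
            return expand(template, match)
    return None


def coverage(rules, samples=SAMPLES):
    """Map each sample form name to its rewritten identity (None if unmapped)."""
    return {name: rewrite(dn, rules) for name, dn in samples.items()}


if __name__ == "__main__":
    for label, rules in (("single rule", SINGLE_RULE), ("all forms", ALL_FORMS)):
        print(f"== {label} ==")
        for form, result in coverage(rules).items():
            print(f"  {form:14s} -> {result or 'NOT REMAPPED (raw SASL DN kept)'}")
```

Running it shows the single rule remapping only the realm-as-RDN form while the three-rule set remaps every local-realm variant; the foreign-realm sample stays unmapped under both, which is the property to preserve when adding rules: a cross-realm user with the same short name must not be collapsed into the local account. Rule order matters because slapd stops at the first match, so put the most specific patterns first.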