
Re: authz-regexp behavior with GSSAPI

From: Dan White [dwhite@olp.net]
Sent: Sunday, August 30, 2015 10:09 AM
To: Peter Heinemann
Cc: openldap-technical@openldap.org
Subject: Re: authz-regexp behavior with GSSAPI

On 08/26/15 12:51 +0000, Peter Heinemann wrote:
> I am trying to figure out different behaviors with authz-regexp in slapd.conf.

Any differences in your /etc/krb5.conf? What is your default realm? Any
differences in the libraries you're using (cyrus-sasl and kerberos)?

On 08/31/15 13:52 +0000, Peter Heinemann wrote:
> Here are version details:
> openldap 2.4-39
> RHEL 6.5
> cyrus-sasl and cyrus-sasl-gssapi 2.1.23-15
> krb5-libs 1.10.3-42
>
> It appears that cross-realm authentication is problematic.  In the
> following results, "success" means that the search specified by the regex
> occurred and the identity was remapped.  Both commands used GSSAPI (-Y for
> ldapwhoami, -M for slapauth):
>
> slapauth appears to work if a realm is explicitly specified with -R (either cross-realm or within realm), but won't remap if the realm isn't specified.
> ldapwhoami (and ldapsearch) works within a realm whether or not the realm is specified with -R; but won't remap if -R specifies a different realm.

There are several possibilities as to why this behavior might occur. You
might be able to change sasl-host/sasl-realm to make things work
consistently, or change your default realm in krb5.conf.

The pragmatic solution would be to create more than one authz-regexp to
match each/all cases, so that future Kerberos changes don't break your

Dan White
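To see why a single authz-regexp "works" in one test and silently fails to remap in the others, the following script emulates how slapd walks its authz-regexp list: rules are tried in order, the first match wins, and $1..$9 in the replacement are expanded from the pattern's groups. This is an added example, not code from the thread or from OpenLDAP. It assumes a base of dc=example,dc=com, a directory that carries the krbPrincipalName attribute from the Kerberos LDAP schema, and case-insensitive matching as a stand-in for slapd's DN normalization; the sample DNs are constructed from the uid=<user>[,cn=<realm>],cn=<mechanism>,cn=auth shape the OpenLDAP admin guide documents, with the user@REALM variant constructed to stand for the cross-realm case reported above.

```python
"""Emulate slapd's authz-regexp processing for GSSAPI authorization DNs.

Added example, not code from the thread or from OpenLDAP.  Rules are tried
in order and the first match wins; $1..$9 in the replacement URL are
expanded from the pattern's capture groups.
"""
import re

# One rule per DN shape slapd may build for GSSAPI, most specific first
# because slapd stops at the first matching rule.  (Constructed config.)
RULES_MULTI = [
    # cross-realm principal: keep user@REALM whole so a foreign "peter"
    # cannot be remapped onto the local uid=peter (assumes krbPrincipalName
    # from the Kerberos LDAP schema is present in the directory)
    (r"^uid=([^,@]+)@([^,]+),cn=[^,]+,cn=gssapi,cn=auth$",
     "ldap:///dc=example,dc=com??sub?(krbPrincipalName=$1@$2)"),
    # realm component present (sasl-realm set or realm reported by SASL)
    (r"^uid=([^,@]+),cn=([^,]+),cn=gssapi,cn=auth$",
     "ldap:///dc=example,dc=com??sub?(uid=$1)"),
    # no realm component at all
    (r"^uid=([^,@]+),cn=gssapi,cn=auth$",
     "ldap:///dc=example,dc=com??sub?(uid=$1)"),
]

# A single rule that knows only one shape: this is the configuration that
# remaps in one test and leaves the identity untouched in the others.
RULES_SINGLE = [RULES_MULTI[2]]

# Constructed SASL authorization DNs for the three shapes discussed.
SAMPLE_DNS = {
    "realm given": "uid=peter,cn=EXAMPLE.COM,cn=gssapi,cn=auth",
    "no realm": "uid=peter,cn=gssapi,cn=auth",
    "cross realm": "uid=peter@OTHER.REALM,cn=EXAMPLE.COM,cn=gssapi,cn=auth",
}


def remap(sasl_dn, rules):
    """Return the search URL of the first rule matching sasl_dn, or None.

    Matching is case-insensitive here as a simplification of slapd
    comparing against the normalized DN (assumption).
    """
    for pattern, replacement in rules:
        m = re.search(pattern, sasl_dn, re.IGNORECASE)
        if m is None:
            continue
        # expand $1..$9 from the captured groups, as slapd does
        return re.sub(r"\$([1-9])",
                      lambda g: m.group(int(g.group(1))) or "",
                      replacement)
    return None


def coverage(rules):
    """Map each sample DN shape to its remapped URL (None = not remapped)."""
    return {name: remap(dn, rules) for name, dn in SAMPLE_DNS.items()}


if __name__ == "__main__":
    for label, rules in (("single rule", RULES_SINGLE),
                         ("rule set", RULES_MULTI)):
        print(label)
        for name, url in coverage(rules).items():
            print(f"  {name:12s} -> {url}")
```

With the single rule only the realm-less DN is remapped; the realm-bearing and cross-realm DNs fall through and the client keeps its raw SASL DN, which is exactly the "won't remap" result in the tests above. The rule set covers all three shapes, and ordering the cross-realm rule first keeps a same-named principal from another realm from being mapped onto the local account.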