
Re: ldapwhoami translate sasl-name to dn



Dieter Klünter <dieter@dkluenter.de> writes:

> On Fri, 20 Dec 2019 20:54:13 +0100
> Stefan Kania <stefan@kania-online.de> wrote:
>
>> Hello,
>> 
>> I try to do the authentication in LDAP via Kerberos. The
>> Kerberos-Database is in LDAP, no problem, I can login to the system
>> as a normal user but when I do a "ldapwhoami" I get the following
>> output:
>> -----------------
>> u1-verw@ldapserver:~$ ldapwhoami
>> SASL/GSSAPI authentication started
>> SASL username: u1-verw@EXAMPLE.NET
>> SASL SSF: 256
>> SASL data security layer installed.
>> dn:uid=u1-verw,cn=gssapi,cn=auth
>> -----------------
>> I would like to get the original DN from the user not the
>> dn:*,cn=gssapi,cn=auth. So I put into my configuration:
> [...]
>
> I face the same problem with OpenIndiana. In my experience it's only
> GSSAPI, DIGEST-MD5 and CRAM-MD5 work as expected. But I must admit, it
> is only on Solaris not on Linux.

A few examples from my side:

KDC: raspberrypi, OS Raspbian
host: pink, OS OpenSUSE Tumbleweed
host: indiana, OS OpenIndiana

On Indiana:
/usr/lib/openldap/bin/amd64/ldapwhoami -Ygssapi -H ldap://pink.example.com

SASL/GSSAPI authentication started
SASL username: dieter@EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.
dn:cn=dieter kluenter,ou=partner,o=avci,c=de


/usr/lib/openldap/bin/amd64/ldapwhoami -Y gssapi -H ldap://indiana.example.com
SASL/GSSAPI authentication started
SASL username: dieter@EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.
dn:uid=dieter@example,cn=gssapi,cn=auth


On Tumbleweed:

/usr/bin/ldapwhoami -Y gssapi -H ldap://indiana.example.com
SASL/GSSAPI authentication started
SASL username: dieter@EXAMPLE.COM
SASL SSF: 256
SASL data security layer installed.
dn:uid=dieter@example.com,cn=gssapi,cn=auth


LDAP-Server is OpenLDAP-2.4.48 on all hosts and OS's


-Dieter

--
Dieter Klünter | Directory Service
http://sys4.de
53°37'09,95"N
10°08'02,42"E
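
An added example, not part of the original message: a check that tells a mapped authorization DN from one still left in the cn=gssapi,cn=auth pseudo-namespace, and shows how one rule written in the style of slapd's authz-regexp covers the three unmapped forms seen in this thread. The MATCH/REPLACE rule, its base DN and the function names are assumptions (the configuration in the thread is elided), and Python's re module stands in for slapd's regex matching.

```python
import re

# Hypothetical rule in the style of slapd's "authz-regexp <match> <replace>".
# Base DN and filter are assumptions; the thread elides the real configuration.
MATCH = re.compile(r"^uid=([^,@]+)(@[^,]+)?,cn=gssapi,cn=auth$", re.IGNORECASE)
REPLACE = "ldap:///dc=example,dc=com??sub?(uid=$1)"

def authz_dn(whoami_output):
    """Return the DN from the 'dn:' line of ldapwhoami output, or None."""
    for line in whoami_output.splitlines():
        line = line.strip()
        if line.lower().startswith("dn:"):
            return line[3:].strip()
    return None

def is_unmapped(dn):
    """True when the identity is still in the SASL pseudo-namespace."""
    return dn.lower().endswith(",cn=auth")

def rewrite(dn):
    """Search URI the rule would produce for a SASL DN, or None if no match."""
    m = MATCH.match(dn)
    if m is None:
        return None
    # Substitute $1, $2, ... with the captured groups (empty if not captured).
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", REPLACE)

# Last two lines of each ldapwhoami transcript quoted in the thread (trimmed).
SAMPLES = [
    "SASL data security layer installed.\ndn:uid=u1-verw,cn=gssapi,cn=auth",
    "SASL data security layer installed.\ndn:cn=dieter kluenter,ou=partner,o=avci,c=de",
    "SASL data security layer installed.\ndn:uid=dieter@example,cn=gssapi,cn=auth",
    "SASL data security layer installed.\ndn:uid=dieter@example.com,cn=gssapi,cn=auth",
]

def report(samples=SAMPLES):
    """List of (dn, unmapped?, search URI or None) for each transcript."""
    out = []
    for text in samples:
        dn = authz_dn(text)
        out.append((dn, is_unmapped(dn), rewrite(dn)))
    return out

if __name__ == "__main__":
    for dn, unmapped, uri in report():
        state = "UNMAPPED" if unmapped else "mapped"
        print(f"{state:8} {dn} -> {uri}")
```

An identity that stays under cn=auth will not match ACLs written against directory entry DNs, so a check like this is useful after any change to the mapping rules.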