
List:       openldap-software
Subject:    Re: Kerberos and simple binds using same password database?
From:       Aleksandar Milivojevic <amilivojevic () pbl ! ca>
Date:       2004-12-30 14:38:22
Message-ID: 41D412DE.4010900 () pbl ! ca

Turbo Fredriksson wrote:
>>Among user's attributes (I was missing krb5PrincipalName that search
>>in sasl-regexp looks for):
>>
>>userPassword: {SASL}username@EXAMPLE.COM
>>krb5PrincipalName: username@EXAMPLE.COM
> 
> 
> Well, this was my initial design 'a long time ago' when slapd wasn't as
> evolved as it is now (and sasl-regexp didn't exist). But, from the top
> of my head, you SHOULD be able to do without the 'krb5PrincipalName'
> and its object class...

I came to the same conclusion later in the day (after some thinking and 
experimenting).

> Something like this should do it (also look at the rest of the thread -
> the sasl-regexp is case insensitive):
> 
> sasl-regex
>  uid=(.*),cn=(.*),cn=gssapi,cn=auth
>  ldap:///ou=accts,dc=example,dc=com??sub(userPassword=\{SASL\}$1@$2)
> 
> This will support your multiple realms (as long as domain and realm
> match!)
> 
> Hm, no it wouldn't - unless you find a way to extract 'example' and 'com'
> as two separate entities (for use instead of 'dc=example,dc=com'). I
> know it's possible to do this (I've seen it done), but I have no
> idea how to do it...

It would work for me, since my LDAP directory organization doesn't need 
to match AD domain organization.  All I need is a way to match an LDAP DN 
to a Kerberos principal for password checking, and "userPassword: 
{SASL}user@REALM" will do exactly that.  However, in the case where they do 
match, something like this should work (I haven't tested it, but this is 
a valid regexp):

sasl-regexp
 uid=([^,]*),cn=([^.]*)\.([^,]*),cn=[^,]*,cn=auth
 ldap:///ou=accts,dc=$2,dc=$3??sub(userPassword=\{SASL\}$1@$2.$3)

(The above assumes you make sure there are no ',' chars in the uid and cn attributes.)

The above is from the head, it might contain typos, however it 
demonstrates the general idea.

It will match 2-level domain names only (example.com).  You can add more 
of them for 3, 4, or more level domains in any order you wish (only one 
will match).

Of course, one can always go the easy route and match the uid to uid ;-)

-- 
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
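As an added example (not code from the thread or from OpenLDAP), the following Python emulates how slapd applies sasl-regexp rules of the kind posted above to the SASL authentication DN and turns it into the LDAP search URL. The 3-label realm rule, the first-match-wins ordering and the `$N`-only substitution in the replacement string are assumptions made for this emulation.

```python
import re

# Constructed emulation of slapd's sasl-regexp rewriting (not OpenLDAP code).
# Assumptions: matching is case-insensitive (as the thread says), rules are
# tried in order and the first match wins, and only $1..$9 substitution is
# modelled in the replacement string.
RULES = [
    # 3-label realms first (e.g. CORP.EXAMPLE.COM); this rule is an
    # assumed extension of the 2-label rule posted in the mail.
    (r"uid=([^,]*),cn=([^.]*)\.([^.]*)\.([^,]*),cn=[^,]*,cn=auth",
     r"ldap:///ou=accts,dc=$2,dc=$3,dc=$4??sub(userPassword=\{SASL\}$1@$2.$3.$4)"),
    # 2-label realms (e.g. EXAMPLE.COM), as posted in the mail.
    (r"uid=([^,]*),cn=([^.]*)\.([^,]*),cn=[^,]*,cn=auth",
     r"ldap:///ou=accts,dc=$2,dc=$3??sub(userPassword=\{SASL\}$1@$2.$3)"),
]


def sasl_dn(uid, realm, mech="gssapi"):
    """Build the authentication DN slapd derives from a SASL identity."""
    return f"uid={uid},cn={realm},cn={mech},cn=auth"


def rewrite(auth_dn, rules=RULES):
    """Return the LDAP URL produced by the first matching rule, or None."""
    for pattern, replacement in rules:
        m = re.search(pattern, auth_dn, re.IGNORECASE)
        if m is None:
            continue
        # Substitute $1..$9 with the captured groups; everything else in
        # the replacement string is copied literally.
        return re.sub(r"\$([1-9])",
                      lambda g: m.group(int(g.group(1))), replacement)
    # No rule matched: e.g. a uid containing ',' breaks the [^,]* groups,
    # which is the caveat noted in the mail.
    return None


if __name__ == "__main__":
    for uid, realm in [("jdoe", "EXAMPLE.COM"),
                       ("jdoe", "CORP.EXAMPLE.COM"),
                       ("a,b", "EXAMPLE.COM")]:
        print(sasl_dn(uid, realm), "->", rewrite(sasl_dn(uid, realm)))
```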