This patch separate sasl_user from keytab.
For some reason OpenLDAP refuse login if I use sasl_user. OpenLDAP try
to do proxy login which always fail. openldap clients (ldapsearch) sends
empty sasl_user for GSSAPI login. To send empty sasl_user we need
separate option for krb5 principal so we could init principal from keytab.
Here is sample config:
dynamic-db "ldapdns" {
llibrary "ldap.so";
arg "connections 2";
arg "uri ldap://myhost";;
arg "base ou=DNS,dc=mybase";
arg "cache_ttl 300";
arg "auth_method sasl";
arg "krb5_keytab FILE:/etc/named/named.keytab";
arg "krb5_principal dns/myhost";
arg "sasl_mech GSSAPI";
}
Best regards,
Zoran Pericic
---
diff -urN bind-dyndb-ldap-0.1.0b.org/src/ldap_helper.c
bind-dyndb-ldap-0.1.0b.krb5_principal/src/ldap_helper.c
--- bind-dyndb-ldap-0.1.0b.org/src/ldap_helper.c 2010-03-24
11:55:30.000000000 +0100
+++ bind-dyndb-ldap-0.1.0b.krb5_principal/src/ldap_helper.c
2010-11-18 00:17:57.503920016 +0100
@@ -128,6 +128,7 @@
ldap_auth_t auth_method;
ld_string_t *bind_dn;
ld_string_t *password;
+ ld_string_t *krb5_principal;
ld_string_t *sasl_mech;
ld_string_t *sasl_user;
ld_string_t *sasl_auth_name;
@@ -293,6 +294,7 @@
{ "auth_method", default_string("none") },
{ "bind_dn", default_string("") },
{ "password", default_string("") },
+ { "krb5_principal", default_string("") },
{ "sasl_mech", default_string("GSSAPI") },
{ "sasl_user", default_string("") },
{ "sasl_auth_name", default_string("") },
@@ -330,6 +332,7 @@
CHECK(str_new(mctx, &ldap_inst->base));
CHECK(str_new(mctx, &ldap_inst->bind_dn));
CHECK(str_new(mctx, &ldap_inst->password));
+ CHECK(str_new(mctx, &ldap_inst->krb5_principal));
CHECK(str_new(mctx, &ldap_inst->sasl_mech));
CHECK(str_new(mctx, &ldap_inst->sasl_user));
CHECK(str_new(mctx, &ldap_inst->sasl_auth_name));
@@ -346,6 +349,7 @@
ldap_settings[i++].target = auth_method_str;
ldap_settings[i++].target = ldap_inst->bind_dn;
ldap_settings[i++].target = ldap_inst->password;
+ ldap_settings[i++].target = ldap_inst->krb5_principal;
ldap_settings[i++].target = ldap_inst->sasl_mech;
ldap_settings[i++].target = ldap_inst->sasl_user;
ldap_settings[i++].target = ldap_inst->sasl_auth_name;
@@ -380,13 +384,24 @@
}
/* check we have the right data when SASL/GSSAPI is selected */
- if ((ldap_inst->auth_method == AUTH_SASL) &&
- (str_casecmp_char(ldap_inst->sasl_mech, "GSSAPI") == 0)) {
- if ((ldap_inst->sasl_user == NULL) ||
- (str_len(ldap_inst->sasl_user) == 0)) {
- log_error("Sasl mech GSSAPI defined but sasl_user is empty");
- result = ISC_R_FAILURE;
- goto cleanup;
+ if((ldap_inst->auth_method == AUTH_SASL) &&
+ (str_casecmp_char(ldap_inst->sasl_mech, "GSSAPI") == 0)) {
+ if((ldap_inst->krb5_principal == NULL) &&
+ (str_len(ldap_inst->krb5_principal) == 0)) {
+ if((ldap_inst->sasl_user == NULL) &&
+ (str_len(ldap_inst->sasl_user) == 0)) {
+ char hostname[255];
+ if(gethostname(hostname, 255) != 0) {
+ log_error("SASL mech GSSAPI defined but
krb5_principal and sasl_user are empty. Could not get hostname");
+ result = ISC_R_FAILURE;
+ goto cleanup;
+ } else {
+ str_sprintf(ldap_inst->krb5_principal, "dns/%s",
hostname);
+ log_debug(2, "SASL mech GSSAPI defined but
krb5_principal and sasl_user are empty, using default %s",
str_buf(ldap_inst->krb5_principal));
+ }
+ } else {
+ str_copy(ldap_inst->krb5_principal, ldap_inst->sasl_user);
+ }
}
}
@@ -447,6 +462,7 @@
str_destroy(&ldap_inst->base);
str_destroy(&ldap_inst->bind_dn);
str_destroy(&ldap_inst->password);
+ str_destroy(&ldap_inst->krb5_principal);
str_destroy(&ldap_inst->sasl_mech);
str_destroy(&ldap_inst->sasl_user);
str_destroy(&ldap_inst->sasl_auth_name);
@@ -1618,7 +1634,7 @@
isc_result_t result;
LOCK(&ldap_inst->kinit_lock);
result = get_krb5_tgt(ldap_inst->mctx,
- str_buf(ldap_inst->sasl_user),
+ str_buf(ldap_inst->krb5_principal),
str_buf(ldap_inst->krb5_keytab));
UNLOCK(&ldap_inst->kinit_lock);
if (result != ISC_R_SUCCESS)
_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
