Hello list.

I successfully configured OpenLDAP for Kerberos authentication, and user mapping:
authz-regexp "uid=([^,]+),cn=gssapi,cn=auth"
    "ldap:///ou=users,dc=futurs,dc=inria,dc=fr??sub?(uid=$1)"

However, mapping doesn't work when authenticating with a user from a different realm than the one from the server. The logs show the realm is not stripped from the username, as it should be:

Oct 5 17:30:45 babaorum slapd[28598]: conn=24 op=2 BIND authcid="rou...@saclay.inria.fr" authzid="rou...@saclay.inria.fr"
Oct 5 17:30:45 babaorum slapd[28598]: conn=24 op=2 BIND dn="uid=rou...@saclay.inria.fr,cn=gssapi,cn=auth" mech=GSSAPI sasl_ssf=56 ssf=56

authcid should be 'rousse', not 'rou...@saclay.inria.fr'. This is a classic problem, and Kerberos provides mapping rules for users of external domains, such as described here:
http://www.fnal.gov/docs/strongauth2003/html/krb5conf.html

I used those rules successfully with mod_krb, for instance. However, OpenLDAP seems to ignore them. I had to change the previous regexp to:
authz-regexp "uid=([^,@]+)(@[^,]+)?,cn=gssapi,cn=auth"
    "ldap:///ou=users,dc=futurs,dc=inria,dc=fr??sub?(uid=$1)"

Is this intentional?
--
BOFH excuse #58:

high pressure system failure
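The two authz-regexp patterns from the post, applied in Python to the SASL DNs slapd builds, as an added example that is not part of the original message (it assumes anchored matching, as the slapd documentation recommends). The stricter third pattern, which strips only an explicit list of trusted realms, is an addition of mine, and the realm "untrusted.example" is a constructed value: it shows that the workaround pattern maps a same-named principal from any realm onto the same local entry.

```python
import re

# Pattern from the post: the uid group swallows any "@realm" suffix.
ORIGINAL_PATTERN = r"uid=([^,]+),cn=gssapi,cn=auth"
# Workaround from the post: an optional "@realm" group that is discarded.
WORKAROUND_PATTERN = r"uid=([^,@]+)(@[^,]+)?,cn=gssapi,cn=auth"
# Hypothetical stricter variant (my assumption, not from the post): only
# realms listed here may be stripped; principals from any other realm
# fail to map instead of colliding with a local uid.
TRUSTED_REALMS = ("saclay.inria.fr",)
STRICT_PATTERN = (
    r"uid=([^,@]+)(@(?:"
    + "|".join(re.escape(realm) for realm in TRUSTED_REALMS)
    + r"))?,cn=gssapi,cn=auth"
)

SEARCH_TEMPLATE = "ldap:///ou=users,dc=futurs,dc=inria,dc=fr??sub?(uid={uid})"


def map_authcid(pattern, sasl_dn):
    """Return the search URL slapd would derive from sasl_dn with the given
    authz-regexp, or None when the regexp does not match at all."""
    match = re.fullmatch(pattern, sasl_dn)
    if match is None:
        return None
    return SEARCH_TEMPLATE.format(uid=match.group(1))


def compare_patterns(sasl_dn):
    """Run all three patterns over one SASL DN and return their search URLs."""
    return {
        "original": map_authcid(ORIGINAL_PATTERN, sasl_dn),
        "workaround": map_authcid(WORKAROUND_PATTERN, sasl_dn),
        "strict": map_authcid(STRICT_PATTERN, sasl_dn),
    }


if __name__ == "__main__":
    # Constructed DNs: local principal, the cross-realm principal from the
    # post's logs, and a same-named principal from an unrelated realm.
    for dn in (
        "uid=rousse,cn=gssapi,cn=auth",
        "uid=rousse@saclay.inria.fr,cn=gssapi,cn=auth",
        "uid=rousse@untrusted.example,cn=gssapi,cn=auth",
    ):
        print(dn)
        for name, url in compare_patterns(dn).items():
            print(f"  {name:10s} -> {url}")
```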
