On Wed, Dec 29, 2010 at 05:40:05PM +0000, Brian Candler wrote:
> However I've done some testing, and the interaction between the krb5 default
> realm, the olcSaslRealm and the actual realm of the request appears to be
> rather bizarre.
I found a hint here: http://www.cyrusimap.org/docs/cyrus-sasl/2.1.23/gssapi.php

"if for example you're using Kerberos, the Cyrus SASL library strips out the @REALM from your identity if you are in the same realm as the server"

This begs the question of what the "server's realm" actually means, and my previous tests suggest this is just the default realm from krb5.conf. The olcSaslRealm is a string which is pasted back in if the @REALM has been stripped out.

To test this properly, I had to set up an environment with cross-realm auth. The two realms are WS.NSRC.ORG and REALM3.WS.NSRC.ORG

The LDAP server has default_realm=WS.NSRC.ORG and has olcSaslRealm set to EXAMPLE.COM

(1) If the client has a ticket for [email protected] then I get
    authDN="uid=inst,cn=example.com,cn=gssapi,cn=auth"

(2) If the client has a ticket for [email protected] then I get
    authDN="[email protected],cn=example.com,cn=gssapi,cn=auth"

The server logs (slapd -d 255) for these two cases are shown below.

My result for case (2) is in disagreement with the examples at http://www.openldap.org/doc/admin24/sasl.html#GSSAPI which suggests I should have seen uid=student,cn=realm3.ws.nsrc.org,cn=gssapi,cn=auth

Regards,

Brian.
do_bind: dn () SASL mech GSSAPI
==> sasl_bind: dn="" mech=<continuing> datalen=32
SASL Canonicalize [conn=1000]: authcid="inst"
slap_sasl_getdn: conn 1000 id=inst [len=4]
=> ldap_dn2bv(16)
<= ldap_dn2bv(uid=inst,cn=EXAMPLE.COM,cn=GSSAPI,cn=auth)=0
slap_sasl_getdn: u:id converted to uid=inst,cn=EXAMPLE.COM,cn=GSSAPI,cn=auth
>>> dnNormalize: <uid=inst,cn=EXAMPLE.COM,cn=GSSAPI,cn=auth>
=> ldap_bv2dn(uid=inst,cn=EXAMPLE.COM,cn=GSSAPI,cn=auth,0)
<= ldap_bv2dn(uid=inst,cn=EXAMPLE.COM,cn=GSSAPI,cn=auth)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=inst,cn=example.com,cn=gssapi,cn=auth)=0
<<< dnNormalize: <uid=inst,cn=example.com,cn=gssapi,cn=auth>
==>slap_sasl2dn: converting SASL name uid=inst,cn=example.com,cn=gssapi,cn=auth to a DN
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL Canonicalize [conn=1000]: slapAuthcDN="uid=inst,cn=example.com,cn=gssapi,cn=auth"
SASL proxy authorize [conn=1000]: authcid="[email protected]" authzid="[email protected]"
SASL Authorize [conn=1000]: proxy authorization allowed authzDN=""
send_ldap_sasl: err=0 len=-1
do_bind: SASL/GSSAPI bind: dn="uid=inst,cn=example.com,cn=gssapi,cn=auth" sasl_ssf=56

do_bind: dn () SASL mech GSSAPI
==> sasl_bind: dn="" mech=<continuing> datalen=32
SASL Canonicalize [conn=1000]: authcid="[email protected]"
slap_sasl_getdn: conn 1000 [email protected] [len=26]
=> ldap_dn2bv(16)
<= ldap_dn2bv([email protected],cn=EXAMPLE.COM,cn=GSSAPI,cn=auth)=0
slap_sasl_getdn: u:id converted to [email protected],cn=EXAMPLE.COM,cn=GSSAPI,cn=auth
>>> dnNormalize: <[email protected],cn=EXAMPLE.COM,cn=GSSAPI,cn=auth>
=> ldap_bv2dn([email protected],cn=EXAMPLE.COM,cn=GSSAPI,cn=auth,0)
<= ldap_bv2dn([email protected],cn=EXAMPLE.COM,cn=GSSAPI,cn=auth)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv([email protected],cn=example.com,cn=gssapi,cn=auth)=0
<<< dnNormalize: <[email protected],cn=example.com,cn=gssapi,cn=auth>
==>slap_sasl2dn: converting SASL name [email protected],cn=example.com,cn=gssapi,cn=auth to a DN
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL Canonicalize [conn=1000]: slapAuthcDN="[email protected],cn=example.com,cn=gssapi,cn=auth"
SASL proxy authorize [conn=1000]: authcid="[email protected]" authzid="[email protected]"
SASL Authorize [conn=1000]: proxy authorization allowed authzDN=""
send_ldap_sasl: err=0 len=-1
do_bind: SASL/GSSAPI bind: dn="[email protected],cn=example.com,cn=gssapi,cn=auth" sasl_ssf=56
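Added example, not part of Brian's message and not code from OpenLDAP or Cyrus SASL: a small Python model of the two observations above. It encodes the rule quoted from the Cyrus docs (the @REALM is stripped only when it equals the server's realm, taken here to be the krb5.conf default_realm) and the cn=auth DN that slap_sasl_getdn builds from the authcid and olcSaslRealm, then applies olcAuthzRegexp-style rules to show why a cross-realm user needs a pattern that matches the '@realm' left inside the uid, and why the same-realm pattern must refuse an '@'. The principals inst@WS.NSRC.ORG and student@REALM3.WS.NSRC.ORG are constructed from the realms and user names in the message; the mapping rules and the directory layout under dc=ws,dc=nsrc,dc=org are assumptions for illustration, and Python's re with \1 stands in for slapd's POSIX regex and $1 substitution.

```python
import re

# Values taken from the message above.
SERVER_DEFAULT_REALM = "WS.NSRC.ORG"   # default_realm in the LDAP server's krb5.conf
OLC_SASL_REALM = "EXAMPLE.COM"         # olcSaslRealm on that server


def sasl_authcid(principal, server_realm=SERVER_DEFAULT_REALM):
    """Model of the Cyrus SASL GSSAPI rule quoted above: the @REALM is removed
    only when it equals the server's realm; any other realm is left in place,
    so a cross-realm client arrives in slapd as 'user@OTHER.REALM'."""
    user, sep, realm = principal.partition("@")
    if not sep or not user or not realm:
        raise ValueError(f"not a user@REALM principal: {principal!r}")
    return user if realm == server_realm else principal


def slapd_authc_dn(authcid, sasl_realm=OLC_SASL_REALM, mech="GSSAPI"):
    """Model of slap_sasl_getdn as seen in the debug output: the authcid is
    wrapped as uid=<authcid>,cn=<olcSaslRealm>,cn=<mech>,cn=auth whether or
    not it still carries '@REALM'. dnNormalize then lowercases the values
    (uid and cn are caseIgnore attributes), which is the form authz rules see."""
    return f"uid={authcid},cn={sasl_realm},cn={mech},cn=auth".lower()


# Assumed olcAuthzRegexp-style rules (pattern, replacement), evaluated in
# order with the first match winning, as slapd does. The directory layout is
# an assumption for this example. Python's re and \1 stand in for slapd's
# POSIX extended regex and $1 substitution.
AUTHZ_REGEXP = [
    # Same-realm users: Cyrus stripped the realm, so uid is a bare name.
    # [^,@] deliberately refuses an '@' so a foreign-realm principal whose
    # user part collides with a local name cannot take the local identity.
    (r"^uid=([^,@]+),cn=example\.com,cn=gssapi,cn=auth$",
     r"uid=\1,ou=people,dc=ws,dc=nsrc,dc=org"),
    # Cross-realm users from REALM3: the realm is still inside uid, so it is
    # matched explicitly and the user is mapped into a realm-specific subtree.
    (r"^uid=([^,@]+)@realm3\.ws\.nsrc\.org,cn=example\.com,cn=gssapi,cn=auth$",
     r"uid=\1,ou=realm3,dc=ws,dc=nsrc,dc=org"),
]


def map_authc_dn(authc_dn, rules=AUTHZ_REGEXP):
    """Return the mapped DN, or None when no rule matches. In slapd the
    unmatched case keeps the raw cn=auth DN, which is what the
    'Converted SASL name to <nothing>' lines above show."""
    for pattern, replacement in rules:
        m = re.match(pattern, authc_dn, re.IGNORECASE)
        if m:
            return m.expand(replacement)
    return None


def trace(principal):
    """Follow one principal through both stages: (authcid, authcDN, mapped DN)."""
    authcid = sasl_authcid(principal)
    authc_dn = slapd_authc_dn(authcid)
    return authcid, authc_dn, map_authc_dn(authc_dn)


if __name__ == "__main__":
    # Constructed principals for the two cases in the message, plus a
    # user name that collides across realms.
    for p in ("inst@WS.NSRC.ORG", "student@REALM3.WS.NSRC.ORG",
              "inst@REALM3.WS.NSRC.ORG"):
        print(p, "->", trace(p))
```

The model only reproduces the precedence observed in the logs (Cyrus strips first, slapd then pastes olcSaslRealm into the cn= component), so an authz rule written from the admin guide's uid=student,cn=realm3.ws.nsrc.org form would never match the DN this server actually produces; the second rule above is the shape that does. A rule for local users written as uid=([^,]+) instead of uid=([^,@]+) would also swallow a foreign principal's '@realm', which is the kind of mapping mistake worth checking with slapd -d 255 before trusting cross-realm binds.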
