--On Thursday, March 01, 2007 4:24 PM -0800 Enrique Rodriguez
<[EMAIL PROTECTED]> wrote:
> Hi, Directory developers,
> I have time this weekend so I'm looking at adding SASL\GSSAPI\Kerberos
> V5 to LDAP binds. After reading some RFCs and ApacheDS internals, I
> have a couple questions:
> 1) The Authenticator.authenticate() method requires an LdapDN.
> GSSAPI returns a Kerberos principal name. What's the best way to map
> this to a DN? We could use a regex, like OpenLDAP, but since we have
> access to the Kerberos attributes, we can also search directly for the
> principal name by specifying a baseDN. This means an extra lookup,
> but it may mean easier config. Do we want to require that the
> principal name map to a DN with a regex?
> For example:
> GSSAPI returns: [EMAIL PROTECTED]
> Desired DN: uid=hnelson,ou=users,dc=example,dc=com
> With OpenLDAP you specify mappings using the format:
> uid=<username>,cn=<realm>,cn=<mech>,cn=auth
> A resulting regex for our typical example LDIF would be:
> sasl-regexp
> uid=(.*),cn=example.com,cn=gssapi,cn=auth
> uid=$1,ou=users,dc=example,dc=com
> The alternative would be to specify a baseDN, like we do for other
> lookups. We then search for the principal name and use the found DN.
> Our configuration could be:
> gssapiBaseDn = ou=users,dc=example,dc=com
My only comment here is that in my environment, I have more than just users
that use Kerberos to bind to the server. For example, I have cgi, service,
webauth, and ldap principals. They are all in their own trees, like:
cn=web,cn=service,cn=applications,dc=stanford,dc=edu
cn=www,cn=webauth,cn=applications,dc=stanford,dc=edu
cn=quanah,cn=cgi,cn=applications,dc=stanford,dc=edu
etc.
So I have multiple regexes in my slapd.conf:
sasl-regexp uid=(.*)/cgi,cn=stanford.edu,cn=gssapi,cn=auth
ldap:///cn=cgi,cn=applications,dc=stanford,dc=edu??sub?krb5PrincipalName=$1/[EMAIL PROTECTED]
sasl-regexp uid=service/(.*),cn=stanford.edu,cn=gssapi,cn=auth
ldap:///cn=Service,cn=Applications,dc=stanford,dc=edu??sub?krb5PrincipalName=service/[EMAIL PROTECTED]
sasl-regexp uid=webauth/(.*),cn=stanford.edu,cn=gssapi,cn=auth
ldap:///cn=Webauth,cn=Applications,dc=stanford,dc=edu??sub?krb5PrincipalName=webauth/[EMAIL PROTECTED]
sasl-regexp uid=(.*),cn=stanford.edu,cn=gssapi,cn=auth
ldap:///uid=$1,cn=Accounts,dc=stanford,dc=edu??sub?suSeasStatus=active
In particular, if you look at the last one, this is dealing with Accounts.
Rather than looking at their Kerberos krb5Name at all, I do a direct
mapping if they have an active "full" account. All users have Kerberos
principals, but not all users have "full" accounts. So in the case that
they don't have "full" accounts, I don't want them to just automatically be
able to search the directory with an authenticated view.
> 2) Any opinion on the 'authenticatorType' to use? Doco seems to
> indicate that the choices are "none," "simple," and "strong."
> However, it might be better (i.e. more modular) to have an authenticator
> for each SASL type, e.g. "sasl-gssapi" and "sasl-digest-md5." Even with
> 2 SASL mechanisms supported we could be looking at one large
> Authenticator. Would that be a pain for embedders, in which case we
> could use "strong" and have a separate env property if we decide to
> have multiple authenticators?
My only question here is if this is a reference to the strength of the
connection, but I'm guessing it isn't. One of the things OpenLDAP lets me
do is enforce encryption strength of connections. For example, in my ACL
files, I have:
by dn.base="cn=lsdb,cn=Service,cn=Applications,dc=stanford,dc=edu"
sasl_ssf=56 read
which means the SASL SSF must be at least strength 56. Java and other
applications will by default connect via SASL/GSSAPI with *no* encryption
(yuck!).
> 3) I'm planning on adding GSSAPI. What other SASL types are actually
> used?
SASL/EXTERNAL is used a lot (Cert authentication)
SASL/DIGEST-MD5 is used a lot
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
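The two mapping styles discussed in this thread (a direct regex rewrite of the SASL authentication DN, and a rewrite to an ldap:/// search URL whose single result becomes the bind DN), applied as an ordered rule list the way Quanah's slapd.conf does it, as an added Python example. This is not code from the thread, from ApacheDS or from OpenLDAP. It assumes a constructed in-memory stand-in for the directory, rule patterns modelled on the ones quoted above with the redacted filter addresses replaced by example values, and URLs that carry only a single equality filter.

```python
import re

# Constructed in-memory stand-in for the directory (not real data).
# DN -> attributes; DNs and attribute names are stored lower-case.
DIRECTORY = {
    "uid=hnelson,ou=users,dc=example,dc=com": {"uid": ["hnelson"]},
    "cn=quanah,cn=cgi,cn=applications,dc=stanford,dc=edu":
        {"krb5principalname": ["quanah/cgi@stanford.edu"]},
    # two entries claiming the same principal: an ambiguous mapping
    "cn=dup1,cn=cgi,cn=applications,dc=stanford,dc=edu":
        {"krb5principalname": ["dup/cgi@stanford.edu"]},
    "cn=dup2,cn=cgi,cn=applications,dc=stanford,dc=edu":
        {"krb5principalname": ["dup/cgi@stanford.edu"]},
    "uid=quanah,cn=accounts,dc=stanford,dc=edu": {"suseasstatus": ["active"]},
    "uid=nofull,cn=accounts,dc=stanford,dc=edu": {"suseasstatus": ["inactive"]},
}

# Ordered rules in sasl-regexp form (assumed values modelled on the thread;
# the "@stanford.edu" filter addresses are example values, the originals are redacted).
# The "/cgi" rule must precede the catch-all "uid=(.*)" rule, which would also match it.
RULES = [
    (r"uid=(.*)/cgi,cn=stanford.edu,cn=gssapi,cn=auth",
     "ldap:///cn=cgi,cn=applications,dc=stanford,dc=edu??sub?krb5PrincipalName=$1/cgi@stanford.edu"),
    (r"uid=(.*),cn=stanford.edu,cn=gssapi,cn=auth",
     "ldap:///uid=$1,cn=accounts,dc=stanford,dc=edu??sub?suSeasStatus=active"),
    (r"uid=(.*),cn=example.com,cn=gssapi,cn=auth",
     "uid=$1,ou=users,dc=example,dc=com"),
]


def norm_dn(dn):
    """Lower-case a DN and drop whitespace around RDN separators."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def sasl_auth_dn(principal, mech="GSSAPI"):
    """Build the uid=<user>,cn=<realm>,cn=<mech>,cn=auth form from a Kerberos principal."""
    user, _, realm = principal.rpartition("@")
    return f"uid={user},cn={realm.lower()},cn={mech.lower()},cn=auth"


def search(url):
    """Evaluate a minimal ldap:///base?attrs?scope?attr=value URL against DIRECTORY."""
    base, _attrs, scope, flt = url[len("ldap:///"):].split("?", 3)
    base = norm_dn(base)
    attr, _, value = flt.strip("()").partition("=")
    attr, value = attr.lower(), value.lower()
    hits = []
    for dn, attrs in DIRECTORY.items():
        if scope == "base":
            in_scope = dn == base
        else:  # "sub": the base entry and everything beneath it
            in_scope = dn == base or dn.endswith("," + base)
        if in_scope and value in [v.lower() for v in attrs.get(attr, [])]:
            hits.append(dn)
    return hits


def map_principal(principal, mech="GSSAPI", rules=RULES):
    """Map a SASL principal to a bind DN; None means the bind must be refused."""
    authdn = sasl_auth_dn(principal, mech)
    for pattern, repl in rules:
        m = re.fullmatch(pattern, authdn, re.IGNORECASE)
        if not m:
            continue
        # expand $1, $2 ... from the match, as slapd does for sasl-regexp
        target = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), repl)
        if not target.lower().startswith("ldap:///"):
            return norm_dn(target)          # direct rewrite, no lookup needed
        hits = search(target)
        # exactly one entry must match; zero (e.g. no active account) or
        # several (ambiguous identity) both fail the mapping
        return hits[0] if len(hits) == 1 else None
    return None                              # no rule matched: unmapped principal


if __name__ == "__main__":
    for p in ["hnelson@example.com", "quanah/cgi@stanford.edu",
              "quanah@stanford.edu", "nofull@stanford.edu", "dup/cgi@stanford.edu"]:
        print(p, "->", map_principal(p))
```

The first rule that matches decides the outcome, so the more specific patterns go first: with the list reversed, `quanah/cgi@stanford.edu` is swallowed by the `uid=(.*)` rule, searched for under `cn=accounts`, and refused. The `suSeasStatus=active` filter is what turns "has a Kerberos principal" into "has an active full account" for ordinary users, and the exactly-one-result check is what keeps a duplicated `krb5PrincipalName` from being mapped at all.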