--On Tuesday, January 23, 2007 4:33 PM -0500 Kenneth Rogers <[EMAIL PROTECTED]> wrote:

> Hi,
> After a successful GSSAPI binding, is there an easy way to get the DN
> for that user from the server?
Well, are you mapping the users to an entry in the server? If yes, then use
that DN.
If not, then use the SASL authz ID. The logs are generally pretty clear at
loglevel 256 what DN is being used.
For example:
Jan 23 14:29:00 ldap1 slapd[22096]: conn=11888542 op=2 BIND authcid="webauth/[EMAIL PROTECTED]" authzid="webauth/[EMAIL PROTECTED]"
So here's the authz DN (webauth/[EMAIL PROTECTED]).
Jan 23 14:29:00 ldap1 slapd[22096]: conn=11888542 op=2 BIND dn="cn=proxy,cn=webauth,cn=applications,dc=stanford,dc=edu" mech=GSSAPI ssf=56
And here's the DN of what I map it to:
cn=proxy,cn=webauth,cn=applications,dc=stanford,dc=edu
In case you haven't played with mappings, here's how the mapping is done:
sasl-regexp uid=webauth/(.*),cn=stanford.edu,cn=gssapi,cn=auth
    ldap:///cn=Webauth,cn=Applications,dc=stanford,dc=edu??sub?krb5PrincipalName=webauth/[EMAIL PROTECTED]
And this is what the internal entry looks like:
ldap1:~> lsearch cn=proxy
dn: cn=proxy,cn=webauth,cn=applications,dc=stanford,dc=edu
objectClass: applicationProcess
objectClass: suApplication
objectClass: krb5Principal
cn: proxy
description: webauth access for proxy.stanford.edu
krb5PrincipalName: webauth/[EMAIL PROTECTED]
Just to give you some thoughts to ponder. ;)
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
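The two answers above (read the mapped DN out of the loglevel 256 BIND lines, or fall back to the SASL authz identity) can be exercised offline. The following is an added example, not code from the post or from OpenLDAP: it merges the per-op BIND lines slapd logs into one record per (conn, op), and it emulates the sasl-regexp step so you can see what a given authz identity would be rewritten to. The Kerberos principals and the "$1@stanford.edu" tail of the rewrite URL are assumptions (the post's copies are obfuscated), and the log lines are constructed to match the ones quoted above.

```python
import re

# ASSUMED sample identities: the post obfuscates the "@realm" part of the
# principal, so these are illustrative, not the real Stanford values.
REALM = "stanford.edu"
PRINCIPAL = "webauth/proxy.stanford.edu@" + REALM
OTHER = "host/ldap2.stanford.edu@" + REALM   # a principal no rule matches

# The sasl-regexp rule from the post.  The replacement tail "$1@stanford.edu"
# is an ASSUMPTION about what the obfuscated text originally said.
SASL_REGEXP = [
    (re.compile(r"^uid=webauth/(.*),cn=stanford\.edu,cn=gssapi,cn=auth$",
                re.IGNORECASE),
     "ldap:///cn=Webauth,cn=Applications,dc=stanford,dc=edu??sub?"
     "krb5PrincipalName=webauth/$1@stanford.edu"),
]

# Constructed loglevel-256 lines, modelled on the two quoted in the post and
# joined onto single lines the way slapd actually emits them.  The third line
# is an extra GSSAPI bind with no mapping rule, to show the fallback.
LOG_LINES = [
    'Jan 23 14:29:00 ldap1 slapd[22096]: conn=11888542 op=2 BIND '
    'authcid="%s" authzid="%s"' % (PRINCIPAL, PRINCIPAL),
    'Jan 23 14:29:00 ldap1 slapd[22096]: conn=11888542 op=2 BIND '
    'dn="cn=proxy,cn=webauth,cn=applications,dc=stanford,dc=edu" mech=GSSAPI ssf=56',
    'Jan 23 14:30:12 ldap1 slapd[22096]: conn=11888600 op=1 BIND '
    'authcid="%s" authzid="%s"' % (OTHER, OTHER),
]


def sasl_authz_dn(authzid):
    """The DN form slapd builds from a GSSAPI identity before applying
    sasl-regexp: uid=<user>,cn=<realm>,cn=gssapi,cn=auth."""
    user, _, realm = authzid.rpartition("@")
    return "uid=%s,cn=%s,cn=gssapi,cn=auth" % (user, realm)


def map_authzid(authzid):
    """Apply the first matching sasl-regexp rule, substituting $1..$9 with
    the capture groups.  Returns the LDAP URL slapd would search (its single
    hit becomes the bind DN), or the raw authz DN when no rule matches, which
    is the DN slapd binds the session as in that case."""
    dn = sasl_authz_dn(authzid)
    for pattern, template in SASL_REGEXP:
        m = pattern.match(dn)
        if m:
            for i, group in enumerate(m.groups(), 1):
                template = template.replace("$%d" % i, group)
            return template
    return dn


BIND_RE = re.compile(r"conn=(\d+) op=(\d+) BIND (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def binds_from_log(lines):
    """Merge the BIND lines logged for each (conn, op) into one record, so the
    authcid/authzid line and the dn/mech/ssf line end up together."""
    binds = {}
    for line in lines:
        m = BIND_RE.search(line)
        if not m:
            continue
        rec = binds.setdefault((int(m.group(1)), int(m.group(2))), {})
        for key, val in FIELD_RE.findall(m.group(3)):
            rec[key] = val.strip('"')
    return binds


def bind_dn_for(binds, authzid):
    """Which DN did the server bind this authzid as?  Prefer what slapd
    logged; if the dn line is missing, emulate the mapping instead."""
    for rec in binds.values():
        if rec.get("authzid") == authzid and "dn" in rec:
            return rec["dn"]
    return map_authzid(authzid)


if __name__ == "__main__":
    binds = binds_from_log(LOG_LINES)
    for key, rec in sorted(binds.items()):
        print(key, rec)
    print(PRINCIPAL, "->", bind_dn_for(binds, PRINCIPAL))
    print(OTHER, "->", bind_dn_for(binds, OTHER))
```

The log is the authoritative source; the emulation only tells you what a rule in slapd.conf would produce, and does not perform the search the URL describes, so a rule that matches but finds zero or several entries still fails the bind on the real server.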