Hello, I try to figure out which ACL I need to get the rewriting of the sasl-username working.
I have in my slapd.conf the following lines:
----------
authz-regexp
uid=(.+),cn=gssapi,cn=auth
ldap:///dc=example,dc=net??sub?(uid=$1)
-----------
If I do a "ldapwhoami" without any ACL I get what I want:
-----------
ptau@provider-stat:~$ ldapwhoami
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 256
SASL data security layer installed.
dn:uid=ptau,ou=users,dc=example,dc=net
-----------
As soon as I include my ACLs I get:
------------
ptau@provider-stat:~$ ldapwhoami
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 256
SASL data security layer installed.
dn:uid=ptau,cn=gssapi,cn=auth
------------
So the rewrite of the DN is not working anymore with ACLs. Here are the
relevant part of my ACLs. (It's at the beginning of the ACLs)
------------
limits dn.exact="uid=repl-user,ou=users,dc=example,dc=net"
size=unlimited time=unlimited
limits dn.exact="cn=kdc,ou=kerberos-adm,dc=example,dc=net"
size=unlimited time=unlimited
limits dn.exact="cn=kadmin,ou=kerberos-adm,dc=example,dc=net"
size=unlimited time=unlimited
access to dn.base="" by * read
access to dn.base="cn=subSchema" by * read
access to *
by dn.exact="uid=sssd-user,ou=users,dc=example,dc=net" read
by dn.exact="uid=ldap-admin,ou=users,dc=example,dc=net" write
by dn.exact="uid=repl-user,ou=users,dc=example,dc=net" read
by dn.exact="cn=kdc,ou=kerberos-adm,dc=example,dc=net" write
by dn.exact="cn=kadmin,ou=kerberos-adm,dc=example,dc=net" write
by dn.regex="(.+),cn=gssapi,cn=auth" auth
by * break
------------
As soon as I remove the line:
------------
by dn.regex="(.+),cn=gssapi,cn=auth" auth
------------
and change the last line to:
-------------
by * auth
-------------
But this will make all other ACLs, after this ACLs, useless.
I tried so far:
by ssf=256 auth
by sasl_ssf=256 auth
non of the above is working
So it's definitely an ACL issue, but how do I solve it? The log-File is
giving me the following output:
--------------
Dez 20 19:22:46 provider-stat slapd[2038]: conn=1004 fd=20 ACCEPT from
IP=192.168.56.81:50728 (IP=0.0.0.0:636)
Dez 20 19:22:46 provider-stat ldapwhoami[2047]: GSSAPI client step 1
Dez 20 19:22:46 provider-stat ldapwhoami[2047]: GSSAPI client step 1
Dez 20 19:22:46 provider-stat slapd[2038]: conn=1004 fd=20 TLS
established tls_ssf=256 ssf=256
Dez 20 19:22:46 provider-stat slapd[2038]: conn=1004 op=0 BIND dn=""
method=163
Dez 20 19:22:46 provider-stat slapd[2038]: conn=1004 op=0 RESULT tag=97
err=14 text=SASL(0): successful result:
Dez 20 19:22:46 provider-stat ldapwhoami[2047]: GSSAPI client step 1
Dez 20 19:22:46 provider-stat slapd[2038]: connection_input: conn=1004
deferring operation: binding
Dez 20 19:22:46 provider-stat slapd[2038]: conn=1004 op=1 BIND dn=""
method=163
Dez 20 19:22:46 provider-stat slapd[2038]: conn=1004 op=1 RESULT tag=97
err=14 text=SASL(0): successful result:
Dez 20 19:22:46 provider-stat ldapwhoami[2047]: GSSAPI client step 2
Dez 20 19:22:46 provider-stat slapd[2038]: conn=1004 op=2 BIND dn=""
method=163
Dez 20 19:22:46 provider-stat slapd[2038]: conn=1004 op=2 BIND
authcid="ptau" authzid="ptau"
Dez 20 19:22:46 provider-stat slapd[2038]: conn=1004 op=2 BIND
dn="uid=ptau,cn=gssapi,cn=auth" mech=GSSAPI sasl_ssf=256 ssf=256
Dez 20 19:22:46 provider-stat slapd[2038]: conn=1004 op=2 RESULT tag=97
err=0 text=
Dez 20 19:22:46 provider-stat slapd[2038]: conn=1004 op=3 EXT
oid=1.3.6.1.4.1.4203.1.11.3
Dez 20 19:22:46 provider-stat slapd[2038]: conn=1004 op=3 WHOAMI
Dez 20 19:22:46 provider-stat slapd[2038]: conn=1004 op=3 RESULT oid=
err=0 text=
Dez 20 19:22:46 provider-stat slapd[2038]: conn=1004 op=4 UNBIND
Dez 20 19:22:46 provider-stat slapd[2038]: conn=1004 fd=20 closed
Dez 20 19:22:46 provider-stat ldapwhoami[2047]: DIGEST-MD5 common mech free
--------------
I think it had something to do with what I found in the manpage:
-------------------
Some internal operations and some controls require specific
access privileges. The authzID mapping and the proxyAuthz control
require auth (=x) privileges on all the attributes that are present
in the
search filter of the URI regexp maps (the right-hand side of
the authz-regexp directives). Auth (=x) privileges are also required on
the authzTo attribute of the authorizing identity and/or on the au‐
thzFrom attribute of the authorized identity. In general, when
an internal lookup is performed for authentication or authorization
purposes, search-specific privileges (see the access requirements for the
search operation illustrated above) are relaxed to auth.
-------------------
But my problem here is, I'm not a native English speaker and it's hard
for me to figure out what the write is telling me here :-(
Any solution for the right ACL to solve the problem?
Greetings
Stefan
smime.p7s
Description: S/MIME Cryptographic Signature
