From Quanah Gibson-Mount <>
Subject Re: [SASL] SASL questions
Date Fri, 02 Mar 2007 00:35:57 GMT

--On Thursday, March 01, 2007 4:24 PM -0800 Enrique Rodriguez 
<> wrote:

> Hi, Directory developers,
> I have time this weekend so I'm looking at adding SASL\GSSAPI\Kerberos
> V5 to LDAP binds.  After reading some RFCs and ApacheDS internals, I
> have a couple questions:
> 1)  The Authenticator.authenticate() method requires an LdapDN.
> GSSAPI returns a Kerberos principal name.  What's the best way to map
> this to a DN?  We could use a regex, like OpenLDAP, but since we have
> access to the Kerberos attributes, we can also search directly for the
> principal name by specifying a baseDN.  This means an extra lookup,
> but it may mean easier config.  Do we want to require that the
> principal name map to a DN with a regex?
> For example:
> GSSAPI returns:  hnelson@EXAMPLE.COM
> Desired DN:      uid=hnelson,ou=users,dc=example,dc=com
> With OpenLDAP you specify mappings using the format:
> uid=<username>,cn=<realm>,cn=<mech>,cn=auth
> A resulting regex for our typical example LDIF would be:
> sasl-regexp
>           uid=(.*),,cn=gssapi,cn=auth
>           uid=$1,ou=users,dc=example,dc=com
> The alternative would be to specify a baseDN, like we do for other
> lookups.  We then search for the principal name and use the found DN.
> Our configuration could be:
> gssapiBaseDn = ou=users,dc=example,dc=com

My only comment here is that in my environment, I have more than just users 
that use Kerberos to bind to the server.  For example, I have cgi, service, 
webauth, and ldap principals.  They are all in their own trees, like:



So I have multiple regexes in my slapd.conf:

sasl-regexp uid=(.*)/cgi,,cn=gssapi,cn=auth 
sasl-regexp uid=service/(.*),,cn=gssapi,cn=auth 
sasl-regexp uid=webauth/(.*),,cn=gssapi,cn=auth 
sasl-regexp uid=(.*),,cn=gssapi,cn=auth 

In particular, if you look at the last one, this is dealing with Accounts. 
Rather than looking at their Kerberos krb5Name at all, I do a direct 
mapping if they have an active "full" account.  All users have kerberos 
principals, but not all users have "full" accounts.  So in the case that 
they don't have "full" accounts, I don't want them to just automatically be 
able to search the directory with an authenticated view.

> 2)  Any opinion on the 'authenticatorType' to use?  Doco seems to
> indicate that the choices are "none," "simple," and "strong."
> However, it might be better (ie more modular) to have an authenticator
> for each SASL type, eg "sasl-gssapi" and "sasl-digest-md5."  Even with
> 2 SASL mechanisms supported we could be looking at one large
> Authenticator.  Would that be a pain for embedders, in which case we
> could use "strong" and have a separate env property if we decide to
> have multiple authenticators?

My only question here is if this is a reference to the strength of the 
connection, but I'm guessing it isn't.  One of the things OpenLDAP lets me 
do is enforce encryption strength of connections.  For example, in my ACL 
files, I have:

    by dn.base="cn=lsdb,cn=Service,cn=Applications,dc=stanford,dc=edu" sasl_ssf=56 read

which means the SASL SSF must be at least strength 56.  Java and other 
applications will by default connect via SASL/GSSAPI with *no* encryption 

> 3)  I'm planning on adding GSSAPI.  What other SASL types are actually
> used?

SASL/EXTERNAL is used a lot (Cert authentication)
SASL/DIGEST-MD5 is used a lot


Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key:
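As an added illustration (not code from this thread or from OpenLDAP), the first-match sasl-regexp mapping the two messages above describe, in Python: the rule list keeps the order of the quoted slapd.conf, the catch-all for users resolves through a search that must return exactly one entry, and the principal name is escaped before it is substituted into the filter. The replacements, the stand-in directory and the accountStatus attribute are assumptions, since the quoted config shows only the patterns.

```python
import re

# Constructed rules in slapd.conf sasl-regexp order; the quoted message shows
# only the patterns, so the replacements are assumptions.  OpenLDAP tries the
# rules top to bottom and stops at the first match, so the catch-all is last.
# A replacement starting with ldap:/// is a search that must return one entry.
SASL_REGEXP = [
    (r"^uid=(.*)/cgi,,cn=gssapi,cn=auth$", "cn=$1,ou=cgi,dc=example,dc=com"),
    (r"^uid=service/(.*),,cn=gssapi,cn=auth$", "cn=$1,ou=service,dc=example,dc=com"),
    (r"^uid=webauth/(.*),,cn=gssapi,cn=auth$", "cn=$1,ou=webauth,dc=example,dc=com"),
    (r"^uid=(.*),,cn=gssapi,cn=auth$",
     "ldap:///ou=users,dc=example,dc=com??sub?(&(uid=$1)(accountStatus=full))"),
]

# Constructed stand-in for the directory (DN -> attributes).  accountStatus is
# a hypothetical attribute marking the "full" accounts that may be mapped.
DIRECTORY = {
    "uid=hnelson,ou=users,dc=example,dc=com": {"uid": "hnelson", "accountStatus": "full"},
    "uid=guest,ou=users,dc=example,dc=com": {"uid": "guest"},
}

def filter_escape(value):
    """RFC 4515 escaping so a principal name cannot alter the search filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def filter_unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def ldap_url_search(url, directory):
    """Resolve a minimal ldap:///base??scope?filter URL (equality AND only)."""
    base, _attrs, _scope, filt = url[len("ldap:///"):].split("?")
    wanted = [(a, filter_unescape(v)) for a, v in re.findall(r"\((\w+)=([^()]*)\)", filt)]
    hits = [dn for dn, attrs in directory.items()
            if dn.endswith("," + base) and all(attrs.get(a) == v for a, v in wanted)]
    return hits[0] if len(hits) == 1 else None  # anything but exactly one fails

def map_authid(authid, rules=SASL_REGEXP, directory=DIRECTORY):
    """Map a SASL authentication identity to a DN, or None when no rule
    yields exactly one DN (the bind then gets no authorization identity)."""
    for pattern, replacement in rules:
        m = re.match(pattern, authid)
        if m is None:
            continue
        if replacement.startswith("ldap:///"):
            return ldap_url_search(replacement.replace("$1", filter_escape(m.group(1))), directory)
        # DN templates would need RFC 4514 escaping of $1 in the same way (not shown).
        return replacement.replace("$1", m.group(1))
    return None
```

Moving the catch-all rule to the front makes service principals fall into the user search and fail, which is the ordering point the slapd.conf excerpt relies on.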

