Re: ldap_sasl_interactive_bind_s: Unknown authentication method (-6)

Chavez, James R. wrote:
If you do not mind, I have another question. I cannot get an answer on
any lists, but I think I am on the right track.
I have all my users in my openldap directory with their usernames or
uids in the unix 8 character format of first initial of the first name
and then 7 characters of last name. So for example jmontana. These I
migrated from our NIS domain into the directory. I can authenticate
fine. The issue is the powers that be want everything joined to Active
Directory. The AD user account principals are in the format of
firstname_lastname or joe_montana. They do not match the naming format
of the ldap uids. It is worth mentioning that if I rename the unix or
ldap uid to first_last I can login perfectly using kerberos credentials,
but I would rather map the uids to stay consistent with the unix naming
scheme.
I need to login and authenticate with the kerberos credentials and have
those map to the 8 character unix or ldap uids.
Now the reason I wanted to use gssapi is because it mentions the use of
authz-regexp to map the authentication DN from the gssapi dn to a dn
existing in the directory, unless I am misunderstanding.

When I issue an ldapwhoami, I get the following.
dn: uid=joe_montana,dc=gssapi,dc=auth ......

But the ldapwhoami should map to uid=jmontana,ou=people,dc=example,dc=com ........

For logging in, can cyrus-sasl-gssapi help me accomplish this? Or is it
more for service principals? Trying to understand.

I'm not exactly clear on what your end result is going to be, but there are a couple of ways I can think of to accomplish the authz-regexp match.

If the usernames are strict and always follow the same format, you should be able to do:

authz-regexp "uid=(.).*_(.......),cn=gssapi,cn=auth"
   uid=$1$2,ou=people,dc=example,dc=com

The sasl mechanism doesn't necessarily need to be gssapi, though. You can use any mechanism.

Or you can add an attribute within your ldap entries, such as 'altUid' (this is made up) which contains the long-name format, and then use an internal search to find the appropriate entry:

authz-regexp "uid=([^,]*),cn=gssapi,cn=auth"
   ldap:///ou=people,dc=example,dc=com??one?(altUid=$1)

Where your entry would resemble

dn: uid=jmontana,ou=people,dc=example,dc=com
...
altUid: joe_montana

- Dan
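An offline check of the two rules above, added here as an example rather than anything from the thread or from OpenLDAP itself: it emulates slapd's authz-regexp processing (rules tried in slapd.conf order with the first match winning, $n back-references, and the internal-search form, which must return exactly one entry) over a constructed ou=people with the made-up altUid attribute, so you can see which DN a given SASL identity lands on before editing slapd.conf. It also shows why the strict seven-character rule alone does not cover a shorter surname, which the altUid lookup handles.

```python
import re

# Constructed sample entries standing in for ou=people (not from the thread).
PEOPLE = [
    {"dn": "uid=jmontana,ou=people,dc=example,dc=com", "altUid": "joe_montana"},
    {"dn": "uid=jrice,ou=people,dc=example,dc=com", "altUid": "jerry_rice"},
]

# authz-regexp rules as (match, replace), in slapd.conf order; first match wins.
RULES = [
    # Strict positional rewrite: first initial + exactly 7 surname characters.
    (r"uid=(.).*_(.......),cn=gssapi,cn=auth",
     r"uid=$1$2,ou=people,dc=example,dc=com"),
    # Fallback: capture the whole long name and look it up on altUid.
    (r"uid=([^,]*),cn=gssapi,cn=auth",
     r"ldap:///ou=people,dc=example,dc=com??one?(altUid=$1)"),
]

def rewrite(sasl_dn, match, replace):
    """Apply one rule to the SASL DN; None if its pattern does not match.
    slapd's $1..$9 are turned into Python back-references before expanding."""
    m = re.search(match, sasl_dn)  # slapd does not anchor the pattern
    if m is None:
        return None
    return m.expand(re.sub(r"\$(\d)", r"\\\1", replace))

def search(url):
    """Emulate the internal search for the ldap:/// form.
    Scope 'one' is approximated by a base-suffix check on the sample data."""
    base, _attrs, _scope, filt = url[len("ldap:///"):].split("?")
    attr, value = re.fullmatch(r"\((\w+)=([^)]*)\)", filt).groups()
    hits = [e for e in PEOPLE
            if e["dn"].lower().endswith("," + base.lower())
            and e.get(attr, "").lower() == value.lower()]
    # slapd accepts the mapping only when exactly one entry is returned.
    return hits[0]["dn"] if len(hits) == 1 else None

def authz_dn(sasl_dn):
    """DN the identity ends up with (what ldapwhoami would print)."""
    for match, replace in RULES:
        out = rewrite(sasl_dn, match, replace)
        if out is None:
            continue
        return search(out) if out.startswith("ldap:///") else out
    return sasl_dn  # no rule matched: identity keeps its cn=auth form

if __name__ == "__main__":
    for ident in ("uid=joe_montana,cn=gssapi,cn=auth",
                  "uid=jerry_rice,cn=gssapi,cn=auth"):
        print(ident, "->", authz_dn(ident))
```

The sample identities use the realm-less uid=<name>,cn=gssapi,cn=auth form the rules in the thread expect; if your ldapwhoami shows a cn=<realm> component, the match patterns need it too.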
