LDAP and non-working "Search-based mappings"

Zdenek Kaminski sutr na valasske-laboratore.cz
Tuesday July 17 15:31:05 CEST 2012


Hi,

  I set up Kerberos and LDAP on RHEL6 following a series of articles on abclinuxu.cz.

  Everything works as it should. Users are authenticated against Kerberos, and user
data is stored in LDAP.

  After logging into the system and obtaining a ticket I run ldapwhoami and get:

kcln0$ ldapwhoami
SASL/GSSAPI authentication started
SASL username: zdenek_kaminski na VALASSKE-LABORATORE.CZ
SASL SSF: 56
SASL data security layer installed.
dn:uid=zdenek_kaminski,cn=gssapi,cn=auth

which means that the LDAP server in its current configuration identifies the user by a
distinguished name from the SASL namespace, and not from the namespace of the LDAP tree.

If I use a so-called "direct mapping" of the identity and add the following to the LDAP configuration:

authz-regexp
    uid=([^,]*),cn=gssapi,cn=auth
    uid=$1,ou=people,dc=kvm,dc=projects,dc=valasske-laboratore,dc=cz

...then with ldapwhoami I correctly see:
SASL/GSSAPI authentication started
SASL username: zdenek_kaminski na VALASSKE-LABORATORE.CZ
SASL SSF: 56
SASL data security layer installed.
dn:uid=zdenek_kaminski,ou=people,dc=kvm,dc=projects,dc=valasske-laboratore,dc=cz


However, I have users in several places in my tree (no uid is the same anywhere),
and I would like to use so-called "Search-based mappings". But when I put the following
into the LDAP configuration

authz-regexp
    uid=([^,]*),cn=gssapi,cn=auth
    ldap:///dc=valasske-laboratore,dc=cz??one?(uid=$1)

I get:

SASL/GSSAPI authentication started
SASL username: zdenek_kaminski na VALASSKE-LABORATORE.CZ
SASL SSF: 56
SASL data security layer installed.
dn:uid=zdenek_kaminski,cn=gssapi,cn=auth


There is nothing in /var/log/messages (nor in any other log); when I raise the slapd debug
level to 5, in its output for the static mapping I see:

slap_sasl_getdn: u:id converted to uid=zdenek_kaminski,cn=GSSAPI,cn=auth
>>> dnNormalize: <uid=zdenek_kaminski,cn=GSSAPI,cn=auth>
=> ldap_bv2dn(uid=zdenek_kaminski,cn=GSSAPI,cn=auth,0)
<= ldap_bv2dn(uid=zdenek_kaminski,cn=GSSAPI,cn=auth)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=zdenek_kaminski,cn=gssapi,cn=auth)=0
<<< dnNormalize: <uid=zdenek_kaminski,cn=gssapi,cn=auth>
==>slap_sasl2dn: converting SASL name uid=zdenek_kaminski,cn=gssapi,cn=auth to a DN
==> rewrite_context_apply [depth=1] string='uid=zdenek_kaminski,cn=gssapi,cn=auth'
==> rewrite_rule_apply rule='uid=([^,]*),cn=gssapi,cn=auth' string='uid=zdenek_kaminski,cn=gssapi,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1] res={0,'uid=zdenek_kaminski,ou=people,dc=valasske-laboratore,dc=cz'}
[rw] authid: "uid=zdenek_kaminski,cn=gssapi,cn=auth" -> "uid=zdenek_kaminski,ou=people,dc=valasske-laboratore,dc=cz"
slap_parseURI: parsing uid=zdenek_kaminski,ou=people,dc=valasske-laboratore,dc=cz
ldap_url_parse_ext(uid=zdenek_kaminski,ou=people,dc=valasske-laboratore,dc=cz)
>>> dnNormalize: <uid=zdenek_kaminski,ou=people,dc=valasske-laboratore,dc=cz>
=> ldap_bv2dn(uid=zdenek_kaminski,ou=people,dc=valasske-laboratore,dc=cz,0) 
<= ldap_bv2dn(uid=zdenek_kaminski,ou=people,dc=valasske-laboratore,dc=cz)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=zdenek_kaminski,ou=people,dc=valasske-laboratore,dc=cz)=0
<<< dnNormalize: <uid=zdenek_kaminski,ou=people,dc=valasske-laboratore,dc=cz>
<==slap_sasl2dn: Converted SASL name to uid=zdenek_kaminski,ou=people,dc=valasske-laboratore,dc=cz
slap_sasl_getdn: dn:id converted to uid=zdenek_kaminski,ou=people,dc=valasske-laboratore,dc=cz
SASL Canonicalize [conn=1007]: slapAuthcDN="uid=zdenek_kaminski,ou=people,dc=valasske-laboratore,dc=cz"
SASL proxy authorize [conn=1007]: authcid="zdenek_kaminski" authzid="zdenek_kaminski"
SASL Authorize [conn=1007]:  proxy authorization allowed authzDN=""
send_ldap_sasl: err=0 len=-1
do_bind: SASL/GSSAPI bind: dn="uid=zdenek_kaminski,ou=people,dc=valasske-laboratore,dc=cz" sasl_ssf=56
send_ldap_response: msgid=4 tag=97 err=0
ber_flush2: 14 bytes to sd 12
<== slap_sasl_bind: rc=0


.... which looks fine to me. And in the case of "search-based mappings":

slap_sasl_getdn: u:id converted to uid=zdenek_kaminski,cn=GSSAPI,cn=auth
>>> dnNormalize: <uid=zdenek_kaminski,cn=GSSAPI,cn=auth>
=> ldap_bv2dn(uid=zdenek_kaminski,cn=GSSAPI,cn=auth,0)
<= ldap_bv2dn(uid=zdenek_kaminski,cn=GSSAPI,cn=auth)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=zdenek_kaminski,cn=gssapi,cn=auth)=0
<<< dnNormalize: <uid=zdenek_kaminski,cn=gssapi,cn=auth>
==>slap_sasl2dn: converting SASL name uid=zdenek_kaminski,cn=gssapi,cn=auth to a DN
==> rewrite_context_apply [depth=1] string='uid=zdenek_kaminski,cn=gssapi,cn=auth'
==> rewrite_rule_apply rule='uid=([^,]*),cn=gssapi,cn=auth' string='uid=zdenek_kaminski,cn=gssapi,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1] res={0,'ldap:///dc=valasske-laboratore,dc=cz??one?(uid=zdenek_kaminski)'}
[rw] authid: "uid=zdenek_kaminski,cn=gssapi,cn=auth" -> "ldap:///dc=valasske-laboratore,dc=cz??one?(uid=zdenek_kaminski)"
slap_parseURI: parsing ldap:///dc=valasske-laboratore,dc=cz??one?(uid=zdenek_kaminski)
ldap_url_parse_ext(ldap:///dc=valasske-laboratore,dc=cz??one?(uid=zdenek_kaminski))
put_filter: "(uid=zdenek_kaminski)"
put_filter: simple
put_simple_filter: "uid=zdenek_kaminski"
ber_scanf fmt ({mm}) ber:
>>> dnNormalize: <dc=valasske-laboratore,dc=cz>
=> ldap_bv2dn(dc=valasske-laboratore,dc=cz,0)
<= ldap_bv2dn(dc=valasske-laboratore,dc=cz)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(dc=valasske-laboratore,dc=cz)=0
<<< dnNormalize: <dc=valasske-laboratore,dc=cz>
slap_sasl2dn: performing internal search (base=dc=valasske-laboratore,dc=cz, scope=1)
=> bdb_search
bdb_dn2entry("dc=valasske-laboratore,dc=cz")
=> bdb_dn2id("dc=valasske-laboratore,dc=cz")
<= bdb_dn2id: got id=0x1
entry_decode: "dc=valasske-laboratore,dc=cz"
<= entry_decode(dc=valasske-laboratore,dc=cz)
search_candidates: base="dc=valasske-laboratore,dc=cz" (0x00000001) scope=1
=> bdb_dn2idl("dc=valasske-laboratore,dc=cz")
bdb_idl_fetch_key: %dc=valasske-laboratore,dc=cz
<= bdb_dn2idl: id=3 first=2 last=4
=> bdb_equality_candidates (objectClass)
=> key_read
bdb_idl_fetch_key: [b49d1940]
<= bdb_index_read: failed (-30988)
<= bdb_equality_candidates: id=0, first=0, last=0
=> bdb_equality_candidates (uid)
=> key_read
bdb_idl_fetch_key: [aedb2a7e]
<= bdb_index_read 1 candidates
<= bdb_equality_candidates: id=1, first=7, last=7
bdb_search_candidates: id=0 first=2 last=0
bdb_search: no candidates
send_ldap_result: conn=1000 op=3 p=3
send_ldap_result: err=0 matched="" text=""
<==slap_sasl2dn: Converted SASL name to <nothing>


Yet with ldapsearch, even as anonymous, I do find the user:
kdc0-new# ldapsearch -x -H ldap://kdc0.kvm.valasske-laboratore.cz -b 'dc=valasske-laboratore,dc=cz' uid=zdenek_kaminski
# extended LDIF
#
# LDAPv3
# base <dc=valasske-laboratore,dc=cz> with scope subtree
# filter: uid=zdenek_kaminski
# requesting: ALL
#

# zdenek_kaminski, people, valasske-laboratore.cz
dn: uid=zdenek_kaminski,ou=people,dc=valasske-laboratore,dc=cz
cn: Zdenek Kaminski
gidNumber: 20001
homeDirectory: /exports/home/zdenek_kaminski
loginShell: /bin/bash
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: person
objectClass: top
sn: Kaminski
uid: zdenek_kaminski
uidNumber: 10001

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


Could someone please kick me in the right direction?

Z.K.
--
Wallachian Laboratories? Freeride in UN*X systems...
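What the slapd debug trace above shows, as an added example that is not part of the original post: a small Python model of slapd's authz-regexp handling (regex rewrite, then resolution of an ldap:/// URL by internal search) run over a constructed three-entry tree mirroring the poster's DIT. The trace reports scope=1, i.e. onelevel, which only covers direct children of the base, so an entry under ou=people can never be a candidate; the same rule with scope sub resolves it. The DIT contents and all helper names are assumptions.

```python
import re

# Constructed three-entry tree mirroring the poster's DIT (an assumption:
# the real directory holds more entries, but these are the ones that matter).
DIT = {
    "dc=valasske-laboratore,dc=cz": {},
    "ou=people,dc=valasske-laboratore,dc=cz": {},
    "uid=zdenek_kaminski,ou=people,dc=valasske-laboratore,dc=cz": {"uid": "zdenek_kaminski"},
}

# The SASL-namespace DN slapd derives from the GSSAPI principal (lower-cased, as dnNormalize does).
SASL_DN = "uid=zdenek_kaminski,cn=gssapi,cn=auth"

# authz-regexp pairs as written in slapd.conf: the poster's rule and a scope=sub variant.
RULE_ONE = (r"uid=([^,]*),cn=gssapi,cn=auth", "ldap:///dc=valasske-laboratore,dc=cz??one?(uid=$1)")
RULE_SUB = (r"uid=([^,]*),cn=gssapi,cn=auth", "ldap:///dc=valasske-laboratore,dc=cz??sub?(uid=$1)")

def parse_ldap_url(url):
    """Split ldap:///base?attrs?scope?filter; an empty scope field means 'base'."""
    base, _attrs, scope, flt = re.fullmatch(r"ldap:///([^?]*)\?([^?]*)\?([^?]*)\?(.*)", url).groups()
    return base, scope or "base", flt

def in_scope(dn, base, scope):
    """Scope semantics: base = the base entry only, one = direct children, sub = whole subtree."""
    dn, base = dn.lower(), base.lower()
    if dn == base:
        return scope in ("base", "sub")
    if not dn.endswith("," + base):
        return False
    depth = dn[: -len(base) - 1].count(",") + 1   # RDNs below the base (simple DIT, no escaped commas)
    return scope == "sub" or (scope == "one" and depth == 1)

def map_sasl_name(sasl_dn, rule, dit=DIT):
    """Model of slap_sasl2dn: rewrite via authz-regexp, then resolve an LDAP URL by search."""
    pattern, replacement = rule
    m = re.fullmatch(pattern, sasl_dn)
    if not m:
        return sasl_dn                          # no rule matched: identity stays in the SASL namespace
    target = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    if not target.startswith("ldap:///"):
        return target                           # direct mapping: the replacement is the DN itself
    base, scope, flt = parse_ldap_url(target)
    attr, value = re.fullmatch(r"\((\w+)=([^)]*)\)", flt).groups()   # simple equality filters only
    hits = [dn for dn, attrs in dit.items() if in_scope(dn, base, scope) and attrs.get(attr) == value]
    # slapd only maps when the search returns exactly one entry; zero or several leave the SASL DN
    return hits[0] if len(hits) == 1 else sasl_dn
```

The same check against the live server is `ldapsearch -x -b 'dc=valasske-laboratore,dc=cz' -s one uid=zdenek_kaminski` versus `-s sub`: the ldapsearch in the post used the default subtree scope (the output says so), which is why it found the entry while the mapping did not.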

