Tags: kerberos, openldap, sasl

Access two different RootDN with Single Admin Kerberos Principal


As an admin, I've been trying to make two different RootDN accounts log in with a single Kerberos account lately.

I have two different rootDNs and passwords:

-D "cn=admin,cn=config" 
-D "cn=admin,dc=example,dc=com"

When I log in via Kerberos like this:

kinit ldap/admin

I want to use both with the "ldap/admin" principal:

-D "cn=admin,cn=config" -W -Y GSSAPI
-D "cn=admin,dc=example,dc=com" -W -Y GSSAPI

I have applied the relevant commands to achieve this, but I can only access one RootDN, and I want to operate on both. How can I do this without olcAccess?

olcAuthzRegexp: {0}"uid=ldap/admin,cn=example.com,cn=gssapi,cn=auth" "cn=admin,dc=example,dc=com"
olcAuthzRegexp: {1}"uid=ldap/admin,cn=example.com,cn=gssapi,cn=auth" "cn=admin,cn=config"

I am trying to access two different RootDNs with a single principal.


Solution

  • The -D and -W options only apply to simple binds. For a SASL bind, you need to use -X to specify the SASL "authorization identity":

    $ ldapwhoami -Y GSSAPI -X "dn:cn=admin,cn=config"
    

    However, olcAuthzRegexp only defines the default authzid (i.e. the regexps are used for authnid transformation to authzid) and is not what you want for -X.

    In order to be allowed to specify custom identities, I believe you need to use olcAuthzPolicy in combination with either authzTo on your own authnid entry, or authzFrom on the entry that you intend to impersonate. (Yes, the rootDN can have an actual entry.)

    For example, with olcAuthzPolicy: any, the entry would need to have:

    dn: cn=admin,dc=example,dc=com
    authzFrom: {0}dn.exact="uid=ldap/admin,cn=example.com,cn=gssapi,cn=auth"
    

    If you are not able to create a real entry at cn=admin,cn=config (the config backend will most likely not support this), you will need to use the opposite approach with authzTo instead:

    1. Define olcAuthzRegexp to map your "cn=gssapi,cn=auth" DN to one real DN that exists in the main database backend:

      olcAuthzRegexp: {0}"uid=ldap/admin,cn=example.com,cn=gssapi,cn=auth" "cn=admin,dc=example,dc=com"
      

      Verify that your connections are authorized as this DN by default:

      $ ldapwhoami -Y GSSAPI
      dn:cn=admin,dc=example,dc=com
      
    2. Actually create the DN, with its authzTo attributes listing the DNs that it is allowed to impersonate (authorize as):

      dn: cn=admin,dc=example,dc=com
      authzTo: {0}dn.exact="cn=admin,cn=config"
      
    3. Set olcAuthzPolicy to both or from, then use the -X option to specify the DN that you want to assume:

      $ ldapwhoami -Y GSSAPI -X "dn:cn=admin,cn=config"
      dn:cn=admin,cn=config
      

    Make sure users are not allowed to edit authzTo on their own entries, or any other entry. Use olcAccess to prevent this.
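To make the policy semantics concrete, here is a small Python model of slapd's proxy-authorization decision. It is an added example, not code from the answer above and not OpenLDAP code. It implements the rules as documented in slapd.conf(5) in simplified form: authz-regexp rules tried in order with the first match winning and $N back-references expanded, authzTo consulted under the "to" policy, authzFrom under "from", either under "any", both under "all", with only dn.exact rules and dn: authorization identities modelled. The configuration values are the ones from the question and the answer; the uid=alice / ou=people mapping is a hypothetical addition to show capture-group substitution. Running it shows why the question's second olcAuthzRegexp is never consulted, and that the authzTo entry from step 2 only takes effect when olcAuthzPolicy is "to" or "any".

```python
"""Simplified model of slapd SASL proxy authorization (slapd.conf(5) semantics).

Added example: not code from the answer above, not OpenLDAP code.
Modelled: authz-regexp (first match wins, $N substitution), authzTo/authzFrom
with dn.exact rules only, and the authz-policy values none/from/to/any/all.
"""
import re

# SASL authentication identity slapd derives from the Kerberos principal
# ldap/admin@EXAMPLE.COM (the form used in the question).
AUTHN_ID = "uid=ldap/admin,cn=example.com,cn=gssapi,cn=auth"

# Question's config: two rules with the same pattern. Only the first can ever fire.
QUESTION_REGEXPS = [
    (r"uid=ldap/admin,cn=example.com,cn=gssapi,cn=auth", "cn=admin,dc=example,dc=com"),
    (r"uid=ldap/admin,cn=example.com,cn=gssapi,cn=auth", "cn=admin,cn=config"),
]

# Answer's config (steps 1-2): one rule mapping the principal to a real entry
# that carries authzTo for the DN it may assume.
ANSWER_REGEXPS = QUESTION_REGEXPS[:1]
ANSWER_ENTRIES = {
    "cn=admin,dc=example,dc=com": {"authzTo": ['dn.exact="cn=admin,cn=config"']},
}

# Answer's first variant: no rewrite, authzFrom on the entry being impersonated.
FROM_ENTRIES = {
    "cn=admin,dc=example,dc=com": {"authzFrom": ['dn.exact="%s"' % AUTHN_ID]},
}

# Hypothetical generalisation (not from the page): map every GSSAPI user to
# uid=<name>,ou=people,dc=example,dc=com with a capture group.
GENERAL_REGEXPS = [
    (r"^uid=([^,]+),cn=example\.com,cn=gssapi,cn=auth$", "uid=$1,ou=people,dc=example,dc=com"),
]


def default_authzid(authn_id, regexps):
    """authz-regexp: rules are tried in order and the first match is used.
    Patterns are extended, case-insensitive regexps; modelled here as an
    unanchored search, so anchor production patterns with ^ and $."""
    for pattern, replacement in regexps:
        m = re.search(pattern, authn_id, re.IGNORECASE)
        if m:
            # slapd writes back-references as $1..$9; Python's expand() wants \1..\9
            return m.expand(re.sub(r"\$(\d)", r"\\\1", replacement))
    return authn_id  # no rule matched: the cn=auth DN is used as-is


def rule_matches(rule, dn):
    """Only dn.exact rules are modelled (slapd also accepts dn.regex, group, ldap:/// URIs)."""
    m = re.fullmatch(r'dn\.exact="([^"]*)"', rule)
    if not m:
        raise ValueError("unsupported authz rule: " + rule)
    return m.group(1).lower() == dn.lower()


def proxy_authz_allowed(policy, authc_dn, authz_dn, entries):
    """authz-policy, per slapd.conf(5):
      from: authzFrom on the entry being assumed must name the authenticated DN
      to:   authzTo on the authenticated DN's entry must name the target
      any:  either rule suffices; all: both required; none: never."""
    to_ok = any(rule_matches(r, authz_dn)
                for r in entries.get(authc_dn, {}).get("authzTo", []))
    from_ok = any(rule_matches(r, authc_dn)
                  for r in entries.get(authz_dn, {}).get("authzFrom", []))
    return {"none": False, "from": from_ok, "to": to_ok,
            "any": to_ok or from_ok, "all": to_ok and from_ok}[policy]


def sasl_bind(authn_id, regexps, entries, policy="none", authz_id=None):
    """Return the DN the connection ends up authorized as (what ldapwhoami prints),
    or None when slapd would reject the bind for lack of proxy authorization.
    authz_id is the -X value; only the dn: form is modelled."""
    authc_dn = default_authzid(authn_id, regexps)
    if authz_id is None:
        return authc_dn
    if not authz_id.startswith("dn:"):
        raise ValueError("only dn: authorization identities are modelled")
    authz_dn = authz_id[3:]
    if authz_dn.lower() == authc_dn.lower():
        return authc_dn  # asking to be yourself needs no policy
    return authz_dn if proxy_authz_allowed(policy, authc_dn, authz_dn, entries) else None


if __name__ == "__main__":
    # 1. Why the question's second regexp never applies: first match wins.
    print("question, no -X:", default_authzid(AUTHN_ID, QUESTION_REGEXPS))
    # 2. The answer's authzTo approach, under each policy value.
    for policy in ("none", "from", "to", "any", "all"):
        print("answer, -X dn:cn=admin,cn=config, policy=%s:" % policy,
              sasl_bind(AUTHN_ID, ANSWER_REGEXPS, ANSWER_ENTRIES, policy, "dn:cn=admin,cn=config"))
    # 3. The authzFrom variant: works without any authz-regexp under policy from/any.
    print("authzFrom, policy=from:",
          sasl_bind(AUTHN_ID, [], FROM_ENTRIES, "from", "dn:cn=admin,dc=example,dc=com"))
    # 4. Capture-group substitution (hypothetical ou=people layout).
    print("general:", default_authzid("uid=alice,cn=example.com,cn=gssapi,cn=auth", GENERAL_REGEXPS))
```

On a real server the equivalent checks are `ldapwhoami -Y GSSAPI` (default authzid) and `ldapwhoami -Y GSSAPI -X dn:cn=admin,cn=config` (proxy authorization); slapd.conf(5) lists the valid policy values as none, from, to, any and all. The model deliberately ignores olcAccess: the authzTo attribute is only safe if, as the answer says, ordinary users cannot write it on their own or anyone else's entry, since whoever controls it chooses which DNs that account may become.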