I would like to configure the DS to use sasl and gssapi to authenticate against a local kerberos realm.
I have been looking at the administrators guide and I'm a little confused.
To enable SASL does one simply set up at least one mapping?
An appropriate SASL mapping for gssapi combined with an ldap service principal plus saslauthd and the cyrus-sasl-gssapi package should be all I need, correct?

If someone could provide a gssapi sasl mapping example I would be grateful, I think I want to map posix uid's to uid@REALM.EDU.

rgds Alastair
Alastair Neil wrote:
> I would like to configure the DS to use sasl and gssapi to authenticate against a local kerberos realm.
> I have been looking at the administrators guide and I'm a little confused.
> To enable SASL does one simply set up at least one mapping?
> An appropriate SASL mapping for gssapi combined with an ldap service principal plus saslauthd and the cyrus-sasl-gssapi package should be all I need, correct?

Yes, I believe so... Also, I think your Directory Server should know where the keytab is (if not in the default place)...

export KRB5_KTNAME=path_to_service_keytab; start-slapd

> If someone could provide a gssapi sasl mapping example I would be grateful, I think I want to map posix uid's to uid@REALM.EDU.

Let's assume your entry in the DS has the DN "dn: uid=uid,o=realm.edu". Then, the map would be something like this (as seen in "Introduction to SASL" in the Administrator's Guide):

dn: cn=mapname,cn=mapping,cn=sasl,cn=config
objectclass: top
objectclass: nsSaslMapping
cn: mapname
nsSaslMapRegexString: (.*)@(.*)
nsSaslMapBaseDNTemplate: uid=\1,o=\2
nsSaslMapFilterTemplate: (objectclass=inetOrgPerson)

Thanks,
--noriko
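As an added illustration, not code from this thread or from the Directory Server project, the Python below simulates what the nsSaslMapping entry above does when a GSSAPI identity such as aneil@REALM.EDU arrives: the nsSaslMapRegexString is matched against the identity, and the capture groups are substituted for \1 and \2 in the base-DN and filter templates to produce the search that locates the user's entry. Two things in it are assumptions rather than statements about the server: the regex is treated as having to match the whole identity, and the captured values are escaped before being placed into a DN (RFC 4514) or a filter (RFC 4515). The second mapping, STRICT_MAPPING, is my addition to show why a defender might prefer a narrower regex than (.*)@(.*): the generic pattern also maps identities from any realm and service principals such as host/ldap.realm.edu@REALM.EDU, which the strict one refuses.

```python
import re
from typing import Iterable, Optional, Tuple

# The mapping from Noriko's message, as a constructed dict.
MAPPING = {
    "cn": "mapname",
    "nsSaslMapRegexString": r"(.*)@(.*)",
    "nsSaslMapBaseDNTemplate": r"uid=\1,o=\2",
    "nsSaslMapFilterTemplate": "(objectclass=inetOrgPerson)",
}

# Tighter alternative (an assumption, not from the thread): pins the realm
# and rejects a '/' in the local part, so service principals do not map.
STRICT_MAPPING = {
    "cn": "strictmap",
    "nsSaslMapRegexString": r"([^/@]+)@REALM\.EDU",
    "nsSaslMapBaseDNTemplate": r"uid=\1,o=realm.edu",
    "nsSaslMapFilterTemplate": "(objectclass=inetOrgPerson)",
}

_DN_SPECIAL = ',+"\\<>;'


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 rules)."""
    s = "".join("\\" + ch if ch in _DN_SPECIAL else ch for ch in value)
    if s.startswith("#") or s.startswith(" "):
        s = "\\" + s
    if s.endswith(" "):
        s = s[:-1] + "\\ "
    return s


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside a search filter (RFC 4515)."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def _expand(template: str, groups: Tuple[str, ...], escape) -> str:
    """Replace \\1, \\2, ... in a template with the escaped capture groups."""
    def repl(m: "re.Match[str]") -> str:
        return escape(groups[int(m.group(1)) - 1])
    return re.sub(r"\\(\d)", repl, template)


def map_principal(principal: str, mapping: dict) -> Optional[Tuple[str, str]]:
    """Return (search base DN, search filter), or None if the regex does not match.

    Assumption: the regex must match the whole authentication identity.
    """
    m = re.fullmatch(mapping["nsSaslMapRegexString"], principal)
    if m is None:
        return None
    groups = m.groups()
    base = _expand(mapping["nsSaslMapBaseDNTemplate"], groups, escape_dn_value)
    flt = _expand(mapping["nsSaslMapFilterTemplate"], groups, escape_filter_value)
    return base, flt


def resolve(principal: str, mappings: Iterable[dict]) -> Optional[Tuple[str, str, str]]:
    """Try the mappings in order; return (mapping cn, base DN, filter) of the first hit."""
    for mp in mappings:
        hit = map_principal(principal, mp)
        if hit is not None:
            return mp["cn"], hit[0], hit[1]
    return None


if __name__ == "__main__":
    # Constructed sample identities: a user, a service principal, a foreign
    # realm, and a local part carrying a DN separator.
    for p in ["aneil@REALM.EDU", "host/ldap.realm.edu@REALM.EDU",
              "aneil@OTHER.ORG", "x,cn=config@REALM.EDU"]:
        print(p, "->", map_principal(p, MAPPING),
              "| strict:", map_principal(p, STRICT_MAPPING))
```

Running it shows that the generic mapping happily produces uid=host/ldap.realm.edu,o=REALM.EDU for the service principal and a base DN under o=OTHER.ORG for the foreign realm, while the strict one returns None for both; the last sample shows why the comma in the captured value has to be escaped before it lands in a DN.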
Rich Megginson
2005-Jun-24 23:06 UTC
Re: [Fedora-directory-users] Subject: SASL and gssapi
Thanks Noriko. I've added a HowTo for this - http://directory.fedora.redhat.com/wiki/Howto:Kerberos

Noriko Hosoi wrote:
> Alastair Neil wrote:
>
>> I would like to configure the DS to use sasl and gssapi to
>> authenticate against a local kerberos realm.
>> I have been looking at the administrators guide and I'm a little
>> confused.
>> To enable SASL does one simply set up at least one mapping?
>> An appropriate SASL mapping for gssapi combined with an ldap service
>> principal plus saslauthd and the
>> cyrus-sasl-gssapi package should be all I need, correct?
>
> Yes, I believe so... Also, I think your Directory Server should know
> where the keytab is (if not in the default place)...
>
> export KRB5_KTNAME=path_to_service_keytab; start-slapd
>
>> If someone could provide a gssapi sasl mapping example I would be
>> grateful, I think I want to
>> map posix uid's to uid@REALM.EDU.
>
> Let's assume your entry in the DS has the DN "dn:
> uid=uid,o=realm.edu". Then, the map would be something like this (as
> seen in "Introduction to SASL" in the Administrator's Guide):
>
> dn: cn=mapname,cn=mapping,cn=sasl,cn=config
> objectclass: top
> objectclass: nsSaslMapping
> cn: mapname
> nsSaslMapRegexString: (.*)@(.*)
> nsSaslMapBaseDNTemplate: uid=\1,o=\2
> nsSaslMapFilterTemplate: (objectclass=inetOrgPerson)
>
> Thanks,
> --noriko
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
Thanks that clears that up. One related question, however, the KRB5_KTNAME var would be set where? With OpenLdap I could set this in /etc/sysconfig/ldap. Also, are there init scripts anywhere for starting the server?

On 6/24/05, Noriko Hosoi <nhosoi@redhat.com> wrote:
>
> Alastair Neil wrote:
>
> I would like to configure the DS to use sasl and gssapi to authenticate
> against a local kerberos realm.
> I have been looking at the administrators guide and I'm a little confused.
> To enable SASL does one simply set up at least one mapping?
> An appropriate SASL mapping for gssapi combined with an ldap service
> principal plus saslauthd and the
> cyrus-sasl-gssapi package should be all I need, correct?
>
> Yes, I believe so... Also, I think your Directory Server should know where
> the keytab is (if not in the default place)...
>
> export KRB5_KTNAME=path_to_service_keytab; start-slapd
>
> If someone could provide a gssapi sasl mapping example I would be
> grateful, I think I want to
> map posix uid's to uid@REALM.EDU.
>
> Let's assume your entry in the DS has the DN "dn: uid=uid,o=realm.edu".
> Then, the map would be something like this (as seen in "Introduction to
> SASL" in the Administrator's Guide):
>
> dn: cn=mapname,cn=mapping,cn=sasl,cn=config
> objectclass: top
> objectclass: nsSaslMapping
> cn: mapname
> nsSaslMapRegexString: (.*)@(.*)
> nsSaslMapBaseDNTemplate: uid=\1,o=\2
> nsSaslMapFilterTemplate: (objectclass=inetOrgPerson)
>
> Thanks,
> --noriko
Alastair Neil wrote:
> Thanks that clears that up. One related question, however, the
> KRB5_KTNAME var would be set where?
> With OpenLdap I could set this in /etc/sysconfig/ldap. Also, are
> there init scripts anywhere for starting the
> server?

Hi Alastair;

Fedora Directory Server does not have a configuration file to set the environment variable for now. You may want to put it in your start-slapd.

Regarding init scripts, you are thinking of scripts under /etc/rc#.d? We don't provide them, but you could add the start/stop/restart function for the Directory Server/Admin Server to /etc/rc.local. I thought it was documented in the doc (www.redhat.com/docs/manuals/dir-server/), but somehow I cannot find it now... :( I'll post it when I find it out. But it should be straightforward...

Thanks,
--noriko