On Sat, Mar 07, 2015 at 10:59:39AM +0100, Michael Ströder wrote:
> Jakub Hrozek wrote:
>> On Fri, Mar 06, 2015 at 08:26:29PM +0100, Michael Ströder wrote:
>>> Funny. It really works! (tested again)
>>>
>>> With EXTERNAL you don't have to do anything special in your code except not
>>> filtering out EXTERNAL being used as SASL mech because libldap will do
>>> everything for you.
>>
>> Can you send me the logs for examination, please?
> Do you mean the sssd logs?
> Which log level would you like to see?
>
>> The way I read the logs, only GSSAPI should be supported, so needless to
>> say I'm a bit surprised.
> The setup would not work if SASL bind EXTERNAL is not sent by sssd. I can see
> in the OpenLDAP server's log that the authc-DN (cert subject DN) is correctly
> rewritten to the accompanying LDAP authz-DN which definitely wouldn't be the
> case for non-SASL/EXTERNAL bind.
>
> The authz-DN-mapping in OpenLDAP's config:
>
> authz-regexp
>   "cn=([a-zA-Z0-9.-]+),ou=ito,o=stroeder.com,l=karlsruhe,st=ba-wue,c=de"
>   "ldap:///ou=ae-dir??sub?(&(objectClass=aeHost)(host=$1)(aeStatus=0))"
>
> See the sssd.conf attached.
Thank you.

Yes, can you also send me the sssd domain logs?

I re-read the logs again and you're right, we don't seem to error out on
anything other than GSSAPI (which is what I thought previously).
Nonetheless, it would be great to see the domain logs.
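As an added illustration of what the authz-regexp rule quoted above does (this is not code from the thread, from OpenLDAP or from sssd), the Python below replays the mapping step that slapd performs after a SASL/EXTERNAL bind: the client certificate's subject DN arrives as the authc-DN, the rule's regular expression is matched against it, and the captured group is substituted for $1 in the LDAP URL that slapd then searches to find the authz-DN. Two simplifications are assumptions of this example: slapd normalises the DN before matching (here the DNs are already in the lowercase form the rule expects), and the pattern is anchored to the whole DN. The sample DNs are constructed. The point worth noticing for a defender is that the character class `[a-zA-Z0-9.-]` limits what can reach the search filter, so a subject DN carrying filter metacharacters simply fails to match and gets no authz mapping at all.

```python
import re
from typing import Dict, List, Optional

# Copy of the authz-regexp rule from the thread (slapd.conf syntax).
# Note the unescaped "." in "stroeder.com" is kept as written in the rule.
AUTHZ_REGEXP = r"cn=([a-zA-Z0-9.-]+),ou=ito,o=stroeder.com,l=karlsruhe,st=ba-wue,c=de"
AUTHZ_TEMPLATE = "ldap:///ou=ae-dir??sub?(&(objectClass=aeHost)(host=$1)(aeStatus=0))"


def map_authc_dn(authc_dn: str,
                 pattern: str = AUTHZ_REGEXP,
                 template: str = AUTHZ_TEMPLATE) -> Optional[str]:
    """Return the authz LDAP URL the rule produces for authc_dn, or None if it does not match.

    Assumption: the DN is already normalised and the pattern must match the whole DN.
    """
    match = re.fullmatch(pattern, authc_dn)
    if match is None:
        return None
    url = template
    # Substitute $1, $2, ... with the captured groups, exactly as written in the rule.
    for index, group in enumerate(match.groups(), start=1):
        url = url.replace(f"${index}", group)
    return url


def parse_ldap_url(url: str) -> Dict[str, object]:
    """Split an ldap:///dn?attrs?scope?filter URL (RFC 4516 layout) into its parts."""
    prefix = "ldap:///"
    if not url.startswith(prefix):
        raise ValueError("only host-less ldap:/// URLs are handled here")
    parts = url[len(prefix):].split("?", 3)
    parts += [""] * (4 - len(parts))          # pad missing optional components
    base, attrs, scope, ldap_filter = parts
    return {
        "base": base,
        "attrs": [a for a in attrs.split(",") if a],   # empty list = all attributes
        "scope": scope or "base",                       # RFC 4516 default scope
        "filter": ldap_filter or "(objectClass=*)",     # RFC 4516 default filter
    }


def authz_search_for(authc_dn: str) -> Optional[Dict[str, object]]:
    """Combine both steps: the search slapd would issue for this authc-DN, or None."""
    url = map_authc_dn(authc_dn)
    return None if url is None else parse_ldap_url(url)


if __name__ == "__main__":
    # Constructed sample authc-DNs (certificate subject DNs in LDAP order).
    samples: List[str] = [
        "cn=host1.example.com,ou=ito,o=stroeder.com,l=karlsruhe,st=ba-wue,c=de",
        "cn=*,ou=ito,o=stroeder.com,l=karlsruhe,st=ba-wue,c=de",          # wildcard rejected
        "cn=host1)(aeStatus=1,ou=ito,o=stroeder.com,l=karlsruhe,st=ba-wue,c=de",  # metachars rejected
        "cn=host2,ou=other,o=stroeder.com,l=karlsruhe,st=ba-wue,c=de",    # wrong OU, no mapping
    ]
    for dn in samples:
        print(dn, "->", authz_search_for(dn))
```

Run it directly to see which sample DNs get a search and which are dropped; in the thread's setup the dropped ones would be the binds that show no authz-DN rewrite in the slapd log.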