Identity Propagation

By | June 25, 2013


SASL (Simple Authentication and Security Layer) Proxy is one of the identity propagation methods. SASL proxy authorization allows an authenticated user to request to act on behalf of another user. Identity propagation occurs once the user has been authenticated and has an authenticated DN, as you can see in the output below.

+++++++++++++++++++++++++++++
SASL/GSSAPI authentication started
SASL username: admin@LINUXMANTRA.LOCAL
SASL SSF: 56
SASL data security layer installed.
dn:uid=admin,dc=linuxmantra,dc=local
++++++++++++++++++++++++++++++
Authentication took place using Kerberos, and the authenticated DN is “dn:uid=admin,cn=gssapi,cn=auth”. To obtain SASL proxy authorization, the user has to send an authorization ID to the server. The server then decides whether or not to allow the authorization. If it is allowed, the LDAP connection switches to the bind DN derived from the authorization identity.

The decision to allow an authorization to proceed depends on the policy of the LDAP server, not on SASL. The LDAP administrator sets up a policy for “who can authorize to what identity”. By default, the SASL proxy authorization feature is disabled.

The SASL authorization identity needs to be sent to the server; in the ldapsearch command we can use the -X parameter to specify the authorization ID.
+++++++++++++++++++++++++++++++++++++++++++++++++++++
[vishesh@host2 ~]$ ldapsearch -Y GSSAPI -X "uid=test,dc=linuxmantra,dc=local" -b"dc=linuxmantra,dc=local" -s base
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Insufficient access (50)
        additional info: SASL(-14): authorization failure: Inappropriate authentication
++++++++++++++++++++++++++++++++++++++++++++++++++++

In the example above, SASL authentication was done as user DN “dn:uid=admin,dc=linuxmantra,dc=local”, and authorization was requested for DN “uid=test,dc=linuxmantra,dc=local”.

Once the LDAP server has the authorization ID, the actual approval process starts. Rules need to be written for the authorization.

Asking for authorization may result in an error, as you can see in the example above. We need to map the authenticated ID to an LDAP DN through AuthzRegexp; in our example we can set the following AuthzRegexp in the global configuration file (/etc/openldap/slapd.d/cn=config.ldif). We also need to set AuthzPolicy (AuthzPolicy: To) to enable SASL proxy authorization. In our example, I set the AuthzRegexp below for the mapping.

uid=([^,]*),cn=[^,]*,cn=auth uid=$1,dc=linuxmantra,dc=local

Once we have AuthzPolicy and AuthzRegexp in place, we can allow proxy authorization to a particular DN through the authzTo attribute. In our example, I set authzTo on DN “uid=admin,dc=linuxmantra,dc=local”:

authzTo: dn.regex:^uid=[^,]*,dc=linuxmantra,dc=local$

Once AuthzPolicy, AuthzRegexp and authzTo are in place, we can test our SASL proxy authorization.

+++++++++++Authorized DN is+++++++++++++++++++++

ldapwhoami -X dn:uid=test,dc=linuxmantra,dc=local
SASL/GSSAPI authentication started
SASL username: dn:uid=test,dc=linuxmantra,dc=local
SASL SSF: 56
SASL data security layer installed.
dn:uid=test,dc=linuxmantra,dc=local

--------------------While Authenticated DN is--------------------

[root@host2 openldap]# ldapwhoami
SASL/GSSAPI authentication started
SASL username: admin@LINUXMANTRA.LOCAL
SASL SSF: 56
SASL data security layer installed.
dn:uid=admin,dc=linuxmantra,dc=local
+++++++++++++++++++++++++++++++++++++++++++++++
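To make the mapping-then-policy flow concrete, here is a small Python model of the decision the server makes, added as an illustration rather than taken from this page or from OpenLDAP itself. It assumes the cn=config attribute names olcAuthzPolicy and olcAuthzRegexp (the slapd.d spelling of the AuthzPolicy and AuthzRegexp settings above), an authzTo attribute in the dn.regex: form shown above, and that the requested authorization ID arrives as dn:<DN> as in the final ldapwhoami test; the LDIF fragment and the two directory entries are constructed sample data. It reproduces the three outcomes from the text: the request denied while no mapping exists, the request granted for admin once the regexp and the authzTo rule are in place, and a request from test (which carries no authzTo rule) denied.

```python
"""Model of the SASL proxy-authorization decision described above.

Added illustration of the mapping-then-policy flow; this is not
OpenLDAP's code.  Assumptions: the cn=config attribute names
olcAuthzPolicy and olcAuthzRegexp (slapd.d spelling of AuthzPolicy /
AuthzRegexp), a per-entry authzTo attribute in the dn.regex: form,
and a requested authzid of the form dn:<DN>.  The LDIF and the
directory entries below are constructed sample data.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed cn=config fragment carrying the two settings from the text:
# policy "to" plus the regexp that maps a Kerberos-authenticated SASL DN
# to a real entry DN.
CONFIG_LDIF = """\
dn: cn=config
olcAuthzPolicy: to
olcAuthzRegexp: {0}"uid=([^,]*),cn=[^,]*,cn=auth" "uid=$1,dc=linuxmantra,dc=local"
"""

# Constructed directory: only the attribute that matters for the decision.
# The admin entry carries the authzTo rule from the text; test has none.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=admin,dc=linuxmantra,dc=local": {
        "authzTo": ["dn.regex:^uid=[^,]*,dc=linuxmantra,dc=local$"],
    },
    "uid=test,dc=linuxmantra,dc=local": {},
}


def parse_config(ldif: str) -> dict:
    """Pull the authz policy and the (match, replace) regexp pairs out of
    a cn=config LDIF fragment."""
    policy: str = "none"
    regexps: List[Tuple[str, str]] = []
    for line in ldif.splitlines():
        attr, _, value = line.partition(":")
        value = value.strip()
        if attr == "olcAuthzPolicy":
            policy = value.lower()
        elif attr == "olcAuthzRegexp":
            value = re.sub(r"^\{\d+\}", "", value)  # drop the {n} ordering prefix
            match, replacement = re.findall(r'"([^"]*)"', value)
            regexps.append((match, replacement))
    return {"policy": policy, "regexps": regexps}


def map_identity(authc_id: str, cfg: dict) -> Optional[str]:
    """Apply the authz-regexp rules in order; the first full match wins.
    Returns None when no rule matches, leaving the raw SASL DN in force."""
    for pattern, replacement in cfg["regexps"]:
        m = re.fullmatch(pattern, authc_id, flags=re.IGNORECASE)
        if m:
            # slapd writes back-references as $1; Match.expand() wants \1.
            return m.expand(re.sub(r"\$(\d+)", r"\\\1", replacement))
    return None


def authorize(authc_id: str, requested_authzid: str, cfg: dict,
              directory: Dict[str, Dict[str, List[str]]]) -> Tuple[bool, str]:
    """Decide whether the authenticated identity may switch the connection
    to the requested authzid under an authzTo ("to") policy."""
    if cfg["policy"] not in ("to", "both"):
        return False, "proxy authorization disabled by olcAuthzPolicy"
    authc_dn = map_identity(authc_id, cfg) or authc_id
    target = requested_authzid[3:] if requested_authzid.startswith("dn:") else requested_authzid
    target = target.strip()
    # Only rules stored on the *authenticated* entry are consulted; an
    # identity that never mapped to a real entry therefore has no rules.
    for rule in directory.get(authc_dn, {}).get("authzTo", []):
        kind, _, spec = rule.partition(":")
        if kind == "dn.regex" and re.search(spec, target, flags=re.IGNORECASE):
            return True, f"{authc_dn}: rule {rule!r} permits {target}"
        if kind in ("dn", "dn.exact") and spec.lower() == target.lower():
            return True, f"{authc_dn}: rule {rule!r} permits {target}"
    return False, f"{authc_dn}: no authzTo rule permits {target}"


if __name__ == "__main__":
    cfg = parse_config(CONFIG_LDIF)
    for who, want in [("uid=admin,cn=gssapi,cn=auth", "dn:uid=test,dc=linuxmantra,dc=local"),
                      ("uid=test,cn=gssapi,cn=auth", "dn:uid=admin,dc=linuxmantra,dc=local"),
                      ("uid=admin,cn=gssapi,cn=auth", "dn:cn=admin,cn=config")]:
        print(who, "->", want, authorize(who, want, cfg, DIRECTORY))
```

Running it prints one decision per line. The point worth noticing is that the authzTo rule is looked up on the entry the authenticated identity mapped to: without the AuthzRegexp the identity stays uid=admin,cn=gssapi,cn=auth, which is not a directory entry, so no rule is ever found and the request fails just as the first ldapsearch above did. When writing the real rule, keep the regular expression in authzTo as narrow as the task needs, since it names every identity the proxying user is allowed to become.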
