
External Authentication/Authorization for Linux Services

SASL (Simple Authentication and Security Layer) Proxy is one of the identity propagation methods. SASL Proxy Authorization allows an authenticated user to request to act on behalf of another user. Identity propagation occurs once a user has authenticated and obtained an authenticated DN, as you can see in the output below.

+++++++++++++++++++++++++++++

SASL/GSSAPI authentication started

SASL username: admin@LINUXMANTRA.LOCAL

SASL SSF: 56

SASL data security layer installed.

dn:uid=admin,dc=linuxmantra,dc=local

+++++++++++++++++++++++++++++++++++++++++++

The authentication process occurred using Kerberos, and the authenticated DN is “dn:uid=admin,cn=gssapi,cn=auth”. To obtain SASL Proxy authorization, the user has to send an authorization ID to the server. The server then decides whether or not to allow the authorization. If it is allowed, the LDAP connection switches to the bind DN derived from the authorization identity.

The decision to allow an authorization to proceed depends on the policy of the LDAP server, not on SASL. The LDAP administrator sets up the policy for “Who can authorize what identity”. By default, the SASL Proxy feature remains disabled.

The SASL authorization identity needs to be sent to the server; in the ldapsearch command we can use the -X parameter to specify the authorization ID.

++++++++++++++++++++++++++++++++++++++++

[vishesh@host2 ~]$ ldapsearch -Y GSSAPI -X "uid=test,dc=linuxmantra,dc=local" -b "dc=linuxmantra,dc=local" -s base

SASL/GSSAPI authentication started

ldap_sasl_interactive_bind_s: Insufficient access (50)

additional info: SASL(-14): authorization failure: Inappropriate authentication

+++++++++++++++++++++++++++++++++++++++++

In the example above, SASL authentication was done as user DN “dn:uid=admin,dc=linuxmantra,dc=local” and authorization was requested for DN “uid=test,dc=linuxmantra,dc=local”.

Once the LDAP server has the authorization ID, the actual approval process starts. Rules need to be written for authorization.

Asking for authorization may result in an error, as you can see in the example above. We need to map the authenticated ID to an LDAP DN through AuthzRegexp; in our example we can set the following AuthzRegexp in the global configuration file (/etc/openldap/slapd.d/cn=config.ldif). We also need to set AuthzPolicy (AuthzPolicy: To) to enable SASL Proxy authorization. In our example, I set the AuthzRegexp below for the mapping.

uid=([^,]*),cn=[^,]*,cn=auth uid=$1,dc=linuxmantra,dc=local

Once AuthzPolicy and AuthzRegexp are in place, we can allow proxy authorization for a particular DN through the authzTo attribute. In our example, I set authzTo for DN “uid=admin,dc=linuxmantra,dc=local”.

authzTo: dn.regex:^uid=[^,]*,dc=linuxmantra,dc=local$

With AuthzPolicy and AuthzRegexp in place, we can test our SASL Proxy authorization.

++++++++++++++++++++++++++++++++++++++

ldapwhoami -Y GSSAPI -U admin -X u:test -H ldap://127.0.0.1

SASL/GSSAPI authentication started

SASL username: u:test

SASL SSF: 56

SASL data security layer installed.

dn:uid=test,dc=linuxmantra,dc=local

——————————————————————–

[root@host2 openldap]# ldapwhoami

SASL/GSSAPI authentication started

SASL username: admin@LINUXMANTRA.LOCAL

SASL SSF: 56

SASL data security layer installed.

dn:uid=admin,dc=linuxmantra,dc=local

++++++++++++++++++++++++++++++++++++++++++
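
The decision described above (AuthzRegexp mapping, then the authzTo rule on the authenticated entry), modelled as an added Python example that is not the author's or OpenLDAP's code. It assumes a simplified evaluation that covers only the "to" policy and the dn.regex / dn.exact rule styles; all function names are hypothetical.

```python
import re

# Values are the article's; the logic is a simplified model of the server-side
# check, not OpenLDAP source. "$1" is written "\1" for Python's re module.
AUTHZ_REGEXP = (r"uid=([^,]*),cn=[^,]*,cn=auth", r"uid=\1,dc=linuxmantra,dc=local")
AUTHZ_TO = {  # authzTo values stored on the authenticated user's entry
    "uid=admin,dc=linuxmantra,dc=local": ["dn.regex:^uid=[^,]*,dc=linuxmantra,dc=local$"],
}

def sasl_to_dn(user, mech="gssapi"):
    """Build the SASL-form DN and rewrite it with the AuthzRegexp mapping."""
    sasl_dn = f"uid={user},cn={mech},cn=auth"
    pattern, replacement = AUTHZ_REGEXP
    m = re.fullmatch(pattern, sasl_dn, re.IGNORECASE)
    return m.expand(replacement) if m else sasl_dn

def authzid_to_dn(authzid):
    """Resolve an authorization id: 'u:<user>' is mapped, 'dn:<dn>' is literal."""
    if authzid.startswith("u:"):
        return sasl_to_dn(authzid[2:])
    if authzid.startswith("dn:"):
        return authzid[3:]
    raise ValueError("this model accepts only the 'u:' and 'dn:' forms")

def rule_matches(rule, target_dn):
    """Evaluate one authzTo value; only dn.regex and dn.exact are modelled."""
    style, _, value = rule.partition(":")
    if style == "dn.regex":
        return re.search(value, target_dn, re.IGNORECASE) is not None
    if style in ("dn", "dn.exact"):
        return value.lower() == target_dn.lower()
    return False  # unmodelled rule style: deny

def proxy_allowed(auth_user, authzid, policy="to"):
    """Return (allowed, target_dn) for auth_user asking to act as authzid."""
    auth_dn, target_dn = sasl_to_dn(auth_user), authzid_to_dn(authzid)
    if auth_dn == target_dn:
        return True, target_dn      # no identity switch requested
    if policy.lower() != "to":
        return False, target_dn     # proxy authorization not enabled
    rules = AUTHZ_TO.get(auth_dn, [])
    return any(rule_matches(r, target_dn) for r in rules), target_dn

if __name__ == "__main__":
    for who, as_whom in [("admin", "u:test"), ("test", "u:admin"),
                         ("admin", "dn:cn=Manager,dc=linuxmantra,dc=local")]:
        print(who, "->", as_whom, proxy_allowed(who, as_whom))
```

The authzTo pattern used in the article lets admin assume any uid= entry directly under dc=linuxmantra,dc=local, so it is worth running candidate patterns through a check like this and narrowing the regex if only specific targets are intended.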
