2 # Copyright 1999-2012 The OpenLDAP Foundation, All Rights Reserved.
3 # COPYING RESTRICTIONS APPLY, see COPYRIGHT.
7 OpenLDAP clients and servers are capable of authenticating via the
8 {{TERM[expand]SASL}} ({{TERM:SASL}}) framework, which is detailed
9 in {{REF:RFC4422}}. This chapter describes how to make use of
12 There are several industry standard authentication mechanisms that
13 can be used with SASL, including {{TERM:GSSAPI}} for {{TERM:Kerberos}}
14 V, {{TERM:DIGEST-MD5}}, and {{TERM:PLAIN}} and {{TERM:EXTERNAL}}
15 for use with {{TERM[expand]TLS}} (TLS).
17 The standard client tools provided with OpenLDAP Software, such as
18 {{ldapsearch}}(1) and {{ldapmodify}}(1), will by default attempt
19 to authenticate the user to the {{TERM:LDAP}} directory server using
20 SASL. Basic authentication service can be set up by the LDAP
21 administrator with a few steps, allowing users to be authenticated
22 to the slapd server as their LDAP entry. With a few extra steps,
23 some users and services can be allowed to exploit SASL's proxy
24 authorization feature, allowing them to authenticate themselves and
25 then switch their identity to that of another user or service.
27 This chapter assumes you have read {{Cyrus SASL for System
28 Administrators}}, provided with the {{PRD:Cyrus SASL}}
29 package (in {{FILE:doc/sysadmin.html}}) and have a working Cyrus
30 SASL installation. You should use the Cyrus SASL {{EX:sample_client}}
31 and {{EX:sample_server}} to test your SASL installation before
32 attempting to make use of it with OpenLDAP Software.
34 Note that in the following text the term {{user}} is used to describe
35 a person or application entity who is connecting to the LDAP server
36 via an LDAP client, such as {{ldapsearch}}(1). That is, the term
37 {{user}} not only applies to both an individual using an LDAP client,
38 but to an application entity which issues LDAP client operations
39 without direct user control. For example, an e-mail server which
40 uses LDAP operations to access information held in an LDAP server
41 is an application entity.
44 H2: SASL Security Considerations
46 SASL offers many different authentication mechanisms. This section
47 briefly outlines security considerations.
49 Some mechanisms, such as PLAIN and LOGIN, offer no greater security
50 over LDAP {{simple}} authentication. Like LDAP {{simple}}
51 authentication, such mechanisms should not be used unless you have
52 adequate security protections in place. It is recommended that
53 these mechanisms be used only in conjunction with {{TERM[expand]TLS}}
54 (TLS). Use of PLAIN and LOGIN are not discussed further in this
57 The DIGEST-MD5 mechanism is the mandatory-to-implement authentication
58 mechanism for LDAPv3. Though DIGEST-MD5 is not a strong authentication
59 mechanism in comparison with trusted third party authentication
60 systems (such as {{TERM:Kerberos}} or public key systems), it does
61 offer significant protections against a number of attacks. Unlike
62 the {{TERM:CRAM-MD5}} mechanism, it prevents chosen plaintext
63 attacks. DIGEST-MD5 is favored over the use of plaintext password
64 mechanisms. The CRAM-MD5 mechanism is deprecated in favor of
65 DIGEST-MD5. Use of {{SECT:DIGEST-MD5}} is discussed below.
67 The GSSAPI mechanism utilizes {{TERM:GSS-API}} {{TERM:Kerberos}} V
68 to provide secure authentication services. The KERBEROS_V4 mechanism
69 is available for those using Kerberos IV. Kerberos is viewed as a
70 secure, distributed authentication system suitable for both small
71 and large enterprises. Use of {{SECT:GSSAPI}} and {{SECT:KERBEROS_V4}}
74 The EXTERNAL mechanism utilizes authentication services provided
75 by lower level network services such as {{TERM[expand]TLS}} ({{TERM:TLS}}). When
76 used in conjunction with {{TERM:TLS}} {{TERM:X.509}}-based public
77 key technology, EXTERNAL offers strong authentication.
78 TLS is discussed in the {{SECT:Using TLS}} chapter.
80 EXTERNAL can also be used with the {{EX:ldapi:///}} transport, as
81 Unix-domain sockets can report the UID and GID of the client process.
83 There are other strong authentication mechanisms to choose from,
84 including {{TERM:OTP}} (one time passwords) and {{TERM:SRP}} (secure
85 remote passwords). These mechanisms are not discussed in this
89 H2: SASL Authentication
91 Getting basic SASL authentication running involves a few steps.
92 The first step configures your slapd server environment so that it
93 can communicate with client programs using the security system in
94 place at your site. This usually involves setting up a service key,
95 a public key, or other form of secret. The second step concerns
96 mapping authentication identities to LDAP {{TERM:DN}}'s, which
97 depends on how entries are laid out in your directory. An explanation
98 of the first step will be given in the next section using Kerberos
99 V4 as an example mechanism. The steps necessary for your site's
100 authentication mechanism will be similar, but a guide to every
101 mechanism available under SASL is beyond the scope of this chapter.
102 The second step is described in the section {{SECT:Mapping
103 Authentication Identities}}.
108 This section describes the use of the SASL GSSAPI mechanism and
109 Kerberos V with OpenLDAP. It will be assumed that you have Kerberos
110 V deployed, you are familiar with the operation of the system, and
111 that your users are trained in its use. This section also assumes
112 you have familiarized yourself with the use of the GSSAPI mechanism
113 by reading {{Configuring GSSAPI and Cyrus SASL}} (provided with
114 Cyrus SASL in the {{FILE:doc/gssapi}} file) and successfully
115 experimented with the Cyrus provided {{EX:sample_server}} and
116 {{EX:sample_client}} applications. General information about
117 Kerberos is available at {{URL:http://web.mit.edu/kerberos/www/}}.
119 To use the GSSAPI mechanism with {{slapd}}(8) one must create a service
120 key with a principal for {{ldap}} service within the realm for the host
121 on which the service runs. For example, if you run {{slapd}} on
122 {{EX:directory.example.com}} and your realm is {{EX:EXAMPLE.COM}},
123 you need to create a service key with the principal:
125 > ldap/directory.example.com@EXAMPLE.COM
127 When {{slapd}}(8) runs, it must have access to this key. This is
128 generally done by placing the key into a keytab file,
129 {{FILE:/etc/krb5.keytab}}. See your Kerberos and Cyrus SASL
130 documentation for information regarding keytab location settings.
132 To use the GSSAPI mechanism to authenticate to the directory, the
133 user obtains a Ticket Granting Ticket (TGT) prior to running the
134 LDAP client. When using OpenLDAP client tools, the user may mandate
135 use of the GSSAPI mechanism by specifying {{EX:-Y GSSAPI}} as a
138 For the purposes of authentication and authorization, {{slapd}}(8)
139 associates an authentication request DN of the form:
141 > uid=<primary[/instance]>,cn=<realm>,cn=gssapi,cn=auth
143 Continuing our example, a user with the Kerberos principal
144 {{EX:kurt@EXAMPLE.COM}} would have the associated DN:
146 > uid=kurt,cn=example.com,cn=gssapi,cn=auth
148 and the principal {{EX:ursula/admin@FOREIGN.REALM}} would have the
151 > uid=ursula/admin,cn=foreign.realm,cn=gssapi,cn=auth
154 The authentication request DN can be used directly ACLs and
155 {{EX:groupOfNames}} "member" attributes, since it is of legitimate
156 LDAP DN format. Or alternatively, the authentication DN could be
157 mapped before use. See the section {{SECT:Mapping Authentication
158 Identities}} for details.
163 This section describes the use of the SASL KERBEROS_V4 mechanism
164 with OpenLDAP. It will be assumed that you are familiar with the
165 workings of the Kerberos IV security system, and that your site has
166 Kerberos IV deployed. Your users should be familiar with
167 authentication policy, how to receive credentials in
168 a Kerberos ticket cache, and how to refresh expired credentials.
170 Note: KERBEROS_V4 and Kerberos IV are deprecated in favor of GSSAPI
173 Client programs will need to be able to obtain a session key for
174 use when connecting to your LDAP server. This allows the LDAP server
175 to know the identity of the user, and allows the client to know it
176 is connecting to a legitimate server. If encryption layers are to
177 be used, the session key can also be used to help negotiate that
180 The slapd server runs the service called "{{ldap}}", and the server
181 will require a srvtab file with a service key. SASL aware client
182 programs will be obtaining an "ldap" service ticket with the user's
183 ticket granting ticket (TGT), with the instance of the ticket
184 matching the hostname of the OpenLDAP server. For example, if your
185 realm is named {{EX:EXAMPLE.COM}} and the slapd server is running
186 on the host named {{EX:directory.example.com}}, the {{FILE:/etc/srvtab}}
187 file on the server will have a service key
189 > ldap.directory@EXAMPLE.COM
191 When an LDAP client is authenticating a user to the directory using
192 the KERBEROS_IV mechanism, it will request a session key for that
193 same principal, either from the ticket cache or by obtaining a new
194 one from the Kerberos server. This will require the TGT to be
195 available and valid in the cache as well. If it is not present or
196 has expired, the client may print out the message:
198 > ldap_sasl_interactive_bind_s: Local error
200 When the service ticket is obtained, it will be passed to the LDAP
201 server as proof of the user's identity. The server will extract
202 the identity and realm out of the service ticket using SASL
203 library calls, and convert them into an {{authentication request
206 > uid=<username>,cn=<realm>,cn=<mechanism>,cn=auth
208 So in our above example, if the user's name were "adamson", the
209 authentication request DN would be:
211 > uid=adamsom,cn=example.com,cn=kerberos_v4,cn=auth
213 This authentication request DN can be used directly ACLs or,
214 alternatively, mapped prior to use. See the section {{SECT:Mapping
215 Authentication Identities}} for details.
220 This section describes the use of the SASL DIGEST-MD5 mechanism
221 using secrets stored either in the directory itself or in Cyrus
222 SASL's own database. DIGEST-MD5 relies on the client and the server
223 sharing a "secret", usually a password. The server generates a
224 challenge and the client a response proving that it knows the shared
225 secret. This is much more secure than simply sending the secret
228 Cyrus SASL supports several shared-secret mechanisms. To do this,
229 it needs access to the plaintext password (unlike mechanisms which
230 pass plaintext passwords over the wire, where the server can store
231 a hashed version of the password).
233 The server's copy of the shared-secret may be stored in Cyrus SASL's
234 own {{sasldb}} database, in an external system accessed via
235 {{saslauthd}}, or in LDAP database itself. In either case it is
236 very important to apply file access controls and LDAP access controls
237 to prevent exposure of the passwords. The configuration and commands
238 discussed in this section assume the use of Cyrus SASL 2.1.
240 To use secrets stored in {{sasldb}}, simply add users with the
241 {{saslpasswd2}} command:
243 > saslpasswd2 -c <username>
245 The passwords for such users must be managed with the {{saslpasswd2}}
248 To use secrets stored in the LDAP directory, place plaintext passwords
249 in the {{EX:userPassword}} attribute. It will be necessary to add
250 an option to {{EX:slapd.conf}} to make sure that passwords set using
251 the LDAP Password Modify Operation are stored in plaintext:
253 > password-hash {CLEARTEXT}
255 Passwords stored in this way can be managed either with {{ldappasswd}}(1)
256 or by simply modifying the {{EX:userPassword}} attribute. Regardless of
257 where the passwords are stored, a mapping will be needed from
258 authentication request DN to user's DN.
260 The DIGEST-MD5 mechanism produces authentication IDs of the form:
262 > uid=<username>,cn=<realm>,cn=digest-md5,cn=auth
264 If the default realm is used, the realm name is omitted from the ID,
267 > uid=<username>,cn=digest-md5,cn=auth
269 See {{SECT: Mapping Authentication Identities}} below for information
270 on optional mapping of identities.
272 With suitable mappings in place, users can specify SASL IDs when
273 performing LDAP operations, and the password stored in {{sasldb}} or in
274 the directory itself will be used to verify the authentication.
275 For example, the user identified by the directory entry:
277 > dn: cn=Andrew Findlay+uid=u000997,dc=example,dc=com
278 > objectclass: inetOrgPerson
279 > objectclass: person
282 > userPassword: secret
284 can issue commands of the form:
286 > ldapsearch -Y DIGEST-MD5 -U u000997 ...
288 Note: in each of the above cases, no authorization identity (e.g.
289 {{EX:-X}}) was provided. Unless you are attempting {{SECT:SASL
290 Proxy Authorization}}, no authorization identity should be specified.
291 The server will infer an authorization identity from authentication
292 identity (as described below).
297 The SASL EXTERNAL mechanism makes use of an authentication performed
298 by a lower-level protocol: usually {{TERM:TLS}} or Unix {{TERM:IPC}}
300 Each transport protocol returns Authentication Identities in its own
303 H4: TLS Authentication Identity Format
305 This is the Subject DN from the client-side certificate.
306 Note that DNs are displayed differently by LDAP and by X.509, so
307 a certificate issued to
308 > C=gb, O=The Example Organisation, CN=A Person
310 will produce an authentication identity of:
312 > cn=A Person,o=The Example Organisation,c=gb
314 Note that you must set a suitable value for TLSVerifyClient to make the server
315 request the use of a client-side certificate. Without this, the SASL EXTERNAL
316 mechanism will not be offered.
317 Refer to the {{SECT:Using TLS}} chapter for details.
319 H4: IPC (ldapi:///) Identity Format
321 This is formed from the Unix UID and GID of the client process:
323 > gidNumber=<number>+uidNumber=<number>,cn=peercred,cn=external,cn=auth
325 Thus, a client process running as {{EX:root}} will be:
327 > gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
330 H3: Mapping Authentication Identities
332 The authentication mechanism in the slapd server will use SASL
333 library calls to obtain the authenticated user's "username", based
334 on whatever underlying authentication mechanism was used. This
335 username is in the namespace of the authentication mechanism, and
336 not in the normal LDAP namespace. As stated in the sections above,
337 that username is reformatted into an authentication request DN of
340 > uid=<username>,cn=<realm>,cn=<mechanism>,cn=auth
344 > uid=<username>,cn=<mechanism>,cn=auth
346 depending on whether or not <mechanism> employs the concept of
347 "realms". Note also that the realm part will be omitted if the
348 default realm was used in the authentication.
350 The {{ldapwhoami}}(1) command may be used to determine the identity
351 associated with the user. It is very useful for determining proper
352 function of mappings.
354 It is not intended that you should add LDAP entries of the above
355 form to your LDAP database. Chances are you have an LDAP entry for
356 each of the persons that will be authenticating to LDAP, laid out
357 in your directory tree, and the tree does not start at cn=auth.
358 But if your site has a clear mapping between the "username" and an
359 LDAP entry for the person, you will be able to configure your LDAP
360 server to automatically map a authentication request DN to the
361 user's {{authentication DN}}.
363 Note: it is not required that the authentication request DN nor the
364 user's authentication DN resulting from the mapping refer to an
365 entry held in the directory. However, additional capabilities
366 become available (see below).
368 The LDAP administrator will need to tell the slapd server how to
369 map an authentication request DN to a user's authentication DN.
370 This is done by adding one or more {{EX:authz-regexp}} directives to
371 the {{slapd.conf}}(5) file. This directive takes two arguments:
373 > authz-regexp <search pattern> <replacement pattern>
375 The authentication request DN is compared to the search pattern
376 using the regular expression functions {{regcomp}}() and {{regexec}}(),
377 and if it matches, it is rewritten as the replacement pattern. If
378 there are multiple {{EX:authz-regexp}} directives, only the first
379 whose search pattern matches the authentication identity is used.
380 The string that is output from the replacement pattern should be
381 the authentication DN of the user or an LDAP URL. If replacement
382 string produces a DN, the entry named by this DN need not be held
383 by this server. If the replace string produces an LDAP URL, that
384 LDAP URL must evaluate to one and only one entry held by this server.
386 The search pattern can contain any of the regular expression
387 characters listed in {{regexec}}(3C). The main characters of note
388 are dot ".", asterisk "*", and the open and close parenthesis "("
389 and ")". Essentially, the dot matches any character, the asterisk
390 allows zero or more repeats of the immediately preceding character
391 or pattern, and terms in parenthesis are remembered for the replacement
394 The replacement pattern will produce either a DN or URL referring
395 to the user. Anything from the authentication request DN that
396 matched a string in parenthesis in the search pattern is stored in
397 the variable "$1". That variable "$1" can appear in the replacement
398 pattern, and will be replaced by the string from the authentication
399 request DN. If there were multiple sets of parentheses in the search
400 pattern, the variables $2, $3, etc are used.
404 Where possible, direct mapping of the authentication request DN to
405 the user's DN is generally recommended. Aside from avoiding the
406 expense of searching for the user's DN, it allows mapping to
407 DNs which refer to entries not held by this server.
409 Suppose the authentication request DN is written as:
411 > uid=adamson,cn=example.com,cn=gssapi,cn=auth
413 and the user's actual LDAP entry is:
415 > uid=adamson,ou=people,dc=example,dc=com
417 then the following {{EX:authz-regexp}} directive in {{slapd.conf}}(5)
418 would provide for direct mapping.
421 > uid=([^,]*),cn=example.com,cn=gssapi,cn=auth
422 > uid=$1,ou=people,dc=example,dc=com
424 An even more lenient rule could be written as
427 > uid=([^,]*),cn=[^,]*,cn=auth
428 > uid=$1,ou=people,dc=example,dc=com
430 Be careful about setting the search pattern too leniently, however,
431 since it may mistakenly allow persons to become authenticated as a
432 DN to which they should not have access. It is better to write
433 several strict directives than one lenient directive which has
434 security holes. If there is only one authentication mechanism in
435 place at your site, and zero or one realms in use, you might be
436 able to map between authentication identities and LDAP DN's with a
437 single {{EX:authz-regexp}} directive.
439 Don't forget to allow for the case where the realm is omitted as
440 well as the case with an explicitly specified realm. This may well
441 require a separate {{EX:authz-regexp}} directive for each case, with
442 the explicit-realm entry being listed first.
444 H3: Search-based mappings
446 There are a number of cases where mapping to a LDAP URL may be
447 appropriate. For instance, some sites may have person objects
448 located in multiple areas of the LDAP tree, such as if there were
449 an {{EX:ou=accounting}} tree and an {{EX:ou=engineering}} tree,
450 with persons interspersed between them. Or, maybe the desired
451 mapping must be based upon information in the user's information.
452 Consider the need to map the above authentication request DN to
453 user whose entry is as follows:
455 > dn: cn=Mark Adamson,ou=People,dc=Example,dc=COM
456 > objectclass: person
460 The information in the authentication request DN is insufficient
461 to allow the user's DN to be directly derived, instead the user's
462 DN must be searched for. For these situations, a replacement pattern
463 which produces a LDAP URL can be used in the {{EX:authz-regexp}}
464 directives. This URL will then be used to perform an internal
465 search of the LDAP database to find the person's authentication DN.
467 An LDAP URL, similar to other URL's, is of the form
469 > ldap://<host>/<base>?<attrs>?<scope>?<filter>
471 This contains all of the elements necessary to perform an LDAP
472 search: the name of the server <host>, the LDAP DN search base
473 <base>, the LDAP attributes to retrieve <attrs>, the search scope
474 <scope> which is one of the three options "base", "one", or "sub",
475 and lastly an LDAP search filter <filter>. Since the search is for
476 an LDAP DN within the current server, the <host> portion should be
477 empty. The <attrs> field is also ignored since only the DN is of
478 concern. These two elements are left in the format of the URL to
479 maintain the clarity of what information goes where in the string.
481 Suppose that the person in the example from above did in fact have
482 an authentication username of "adamson" and that information was
483 kept in the attribute "uid" in their LDAP entry. The {{EX:authz-regexp}}
484 directive might be written as
487 > uid=([^,]*),cn=example.com,cn=gssapi,cn=auth
488 > ldap:///ou=people,dc=example,dc=com??one?(uid=$1)
490 This will initiate an internal search of the LDAP database inside
491 the slapd server. If the search returns exactly one entry, it is
492 accepted as being the DN of the user. If there are more than one
493 entries returned, or if there are zero entries returned, the
494 authentication fails and the user's connection is left bound as the
495 authentication request DN.
497 The attributes that are used in the search filter <filter> in the
498 URL should be indexed to allow faster searching. If they are not,
499 the authentication step alone can take uncomfortably long periods,
500 and users may assume the server is down.
502 A more complex site might have several realms in use, each mapping
503 to a different subtree in the directory. These can be handled with
504 statements of the form:
506 > # Match Engineering realm
508 > uid=([^,]*),cn=engineering.example.com,cn=digest-md5,cn=auth
509 > ldap:///dc=eng,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))
511 > # Match Accounting realm
513 > uid=([^,].*),cn=accounting.example.com,cn=digest-md5,cn=auth
514 > ldap:///dc=accounting,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))
516 > # Default realm is customers.example.com
518 > uid=([^,]*),cn=digest-md5,cn=auth
519 > ldap:///dc=customers,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))
521 Note that the explicitly-named realms are handled first, to avoid
522 the realm name becoming part of the UID. Also note the use of scope
523 and filters to limit matching to desirable entries.
525 Note as well that {{EX:authz-regexp}} internal search are subject
526 to access controls. Specifically, the authentication identity
527 must have {{EX:auth}} access.
529 See {{slapd.conf}}(5) for more detailed information.
532 H2: SASL Proxy Authorization
534 The SASL offers a feature known as {{proxy authorization}}, which
535 allows an authenticated user to request that they act on the behalf
536 of another user. This step occurs after the user has obtained an
537 authentication DN, and involves sending an authorization identity
538 to the server. The server will then make a decision on whether or
539 not to allow the authorization to occur. If it is allowed, the
540 user's LDAP connection is switched to have a binding DN derived
541 from the authorization identity, and the LDAP session proceeds with
542 the access of the new authorization DN.
544 The decision to allow an authorization to proceed depends on the
545 rules and policies of the site where LDAP is running, and thus
546 cannot be made by SASL alone. The SASL library leaves it up to the
547 server to make the decision. The LDAP administrator sets the
548 guidelines of who can authorize to what identity by adding information
549 into the LDAP database entries. By default, the authorization
550 features are disabled, and must be explicitly configured by the
551 LDAP administrator before use.
554 H3: Uses of Proxy Authorization
556 This sort of service is useful when one entity needs to act on the
557 behalf of many other users. For example, users may be directed to
558 a web page to make changes to their personal information in their
559 LDAP entry. The users authenticate to the web server to establish
560 their identity, but the web server CGI cannot authenticate to the
561 LDAP server as that user to make changes for them. Instead, the
562 web server authenticates itself to the LDAP server as a service
565 > cn=WebUpdate,dc=example,dc=com
567 and then it will SASL authorize to the DN of the user. Once so
568 authorized, the CGI makes changes to the LDAP entry of the user,
569 and as far as the slapd server can tell for its ACLs, it is the
570 user themself on the other end of the connection. The user could
571 have connected to the LDAP server directly and authenticated as
572 themself, but that would require the user to have more knowledge
573 of LDAP clients, knowledge which the web page provides in an easier
576 Proxy authorization can also be used to limit access to an account
577 that has greater access to the database. Such an account, perhaps
578 even the root DN specified in {{slapd.conf}}(5), can have a strict
579 list of people who can authorize to that DN. Changes to the LDAP
580 database could then be only allowed by that DN, and in order to
581 become that DN, users must first authenticate as one of the persons
582 on the list. This allows for better auditing of who made changes
583 to the LDAP database. If people were allowed to authenticate
584 directly to the privileged account, possibly through the {{EX:rootpw}}
585 {{slapd.conf}}(5) directive or through a {{EX:userPassword}}
586 attribute, then auditing becomes more difficult.
588 Note that after a successful proxy authorization, the original
589 authentication DN of the LDAP connection is overwritten by the new
590 DN from the authorization request. If a service program is able to
591 authenticate itself as its own authentication DN and then authorize
592 to other DN's, and it is planning on switching to several different
593 identities during one LDAP session, it will need to authenticate
594 itself each time before authorizing to another DN (or use a different
595 proxy authorization mechanism). The slapd server does not keep
596 record of the service program's ability to switch to other DN's.
597 On authentication mechanisms like Kerberos this will not require
598 multiple connections being made to the Kerberos server, since the
599 user's TGT and "ldap" session key are valid for multiple uses for
600 the several hours of the ticket lifetime.
603 H3: SASL Authorization Identities
605 The SASL authorization identity is sent to the LDAP server via the
606 {{EX:-X}} switch for {{ldapsearch}}(1) and other tools, or in the
607 {{EX:*authzid}} parameter to the {{lutil_sasl_defaults}}() call.
608 The identity can be in one of two forms, either
616 In the first form, the <username> is from the same namespace as
617 the authentication identities above. It is the user's username as
618 it is referred to by the underlying authentication mechanism.
619 Authorization identities of this form are converted into a DN format
620 by the same function that the authentication process used, producing
621 an {{authorization request DN}} of the form
623 > uid=<username>,cn=<realm>,cn=<mechanism>,cn=auth
625 That authorization request DN is then run through the same
626 {{EX:authz-regexp}} process to convert it into a legitimate authorization
627 DN from the database. If it cannot be converted due to a failed
628 search from an LDAP URL, the authorization request fails with
629 "inappropriate access". Otherwise, the DN string is now a legitimate
630 authorization DN ready to undergo approval.
632 If the authorization identity was provided in the second form, with
633 a {{EX:"dn:"}} prefix, the string after the prefix is already in
634 authorization DN form, ready to undergo approval.
637 H3: Proxy Authorization Rules
639 Once slapd has the authorization DN, the actual approval process
640 begins. There are two attributes that the LDAP administrator can
641 put into LDAP entries to allow authorization:
646 Both can be multivalued. The {{EX:authzTo}} attribute is a
647 source rule, and it is placed into the entry associated with the
648 authentication DN to tell what authorization DNs the authenticated
649 DN is allowed to assume. The second attribute is a destination
650 rule, and it is placed into the entry associated with the requested
651 authorization DN to tell which authenticated DNs may assume it.
653 The choice of which authorization policy attribute to use is up to
654 the administrator. Source rules are checked first in the person's
655 authentication DN entry, and if none of the {{EX:authzTo}} rules
656 specify the authorization is permitted, the {{EX:authzFrom}}
657 rules in the authorization DN entry are then checked. If neither
658 case specifies that the request be honored, the request is denied.
659 Since the default behavior is to deny authorization requests, rules
660 only specify that a request be allowed; there are no negative rules
661 telling what authorizations to deny.
663 The value(s) in the two attributes are of the same form as the
664 output of the replacement pattern of a {{EX:authz-regexp}} directive:
665 either a DN or an LDAP URL. For example, if a {{EX:authzTo}}
666 value is a DN, that DN is one the authenticated user can authorize
667 to. On the other hand, if the {{EX:authzTo}} value is an LDAP
668 URL, the URL is used as an internal search of the LDAP database,
669 and the authenticated user can become ANY DN returned by the search.
670 If an LDAP entry looked like:
672 > dn: cn=WebUpdate,dc=example,dc=com
673 > authzTo: ldap:///dc=example,dc=com??sub?(objectclass=person)
675 then any user who authenticated as {{EX:cn=WebUpdate,dc=example,dc=com}}
676 could authorize to any other LDAP entry under the search base
677 {{EX:dc=example,dc=com}} which has an objectClass of {{EX:Person}}.
680 H4: Notes on Proxy Authorization Rules
682 An LDAP URL in a {{EX:authzTo}} or {{EX:authzFrom}} attribute
683 will return a set of DNs. Each DN returned will be checked. Searches
684 which return a large set can cause the authorization process to
685 take an uncomfortably long time. Also, searches should be performed
686 on attributes that have been indexed by slapd.
688 To help produce more sweeping rules for {{EX:authzFrom}} and
689 {{EX:authzTo}}, the values of these attributes are allowed to
690 be DNs with regular expression characters in them. This means a
693 > authzTo: dn.regex:^uid=[^,]*,dc=example,dc=com$
695 would allow that authenticated user to authorize to any DN that
696 matches the regular expression pattern given. This regular expression
697 comparison can be evaluated much faster than an LDAP search for
700 Also note that the values in an authorization rule must be one of
701 the two forms: an LDAP URL or a DN (with or without regular expression
702 characters). Anything that does not begin with "{{EX:ldap://}}" is
703 taken as a DN. It is not permissible to enter another authorization
704 identity of the form "{{EX:u:<username>}}" as an authorization rule.
707 H4: Policy Configuration
709 The decision of which type of rules to use, {{EX:authzFrom}}
710 or {{EX:authzTo}}, will depend on the site's situation. For
711 example, if the set of people who may become a given identity can
712 easily be written as a search filter, then a single destination
713 rule could be written. If the set of people is not easily defined
714 by a search filter, and the set of people is small, it may be better
715 to write a source rule in the entries of each of those people who
716 should be allowed to perform the proxy authorization.
718 By default, processing of proxy authorization rules is disabled.
719 The {{EX:authz-policy}} directive must be set in the
720 {{slapd.conf}}(5) file to enable authorization. This directive can
721 be set to {{EX:none}} for no rules (the default), {{EX:to}} for
722 source rules, {{EX:from}} for destination rules, or {{EX:both}} for
723 both source and destination rules.
725 Source rules are extremely powerful. If ordinary users have
726 access to write the {{EX:authzTo}} attribute in their own
727 entries, then they can write rules that would allow them to authorize
728 as anyone else. As such, when using source rules, the
729 {{EX:authzTo}} attribute should be protected with an ACL that
730 only allows privileged users to set its values.