
SASL/GSSAPI keytab location

Hi, folks

I've finally found out how to tell LDAP/SASL where to look for the Kerberos keytab file. This does not seem to be a very well known piece of information, so here it comes:

******************************************************
# cat /usr/lib/sasl2/slapd.conf
pwcheck_method: saslauthd
keytab:        /etc/openldap/ldap.krb5.keytab
******************************************************

("keytab" is the one I'm talking about, the "saslauthd" is used for simple bind with "userPassword: {SASL}principal@REALM")

In case you wonder why this is so important:

        1) Keytabs are like passwords. This one should only be readable by ldap, and contain the ldap/FQHN key. (In fact, I've added the host/FQHN key too, not sure if it's needed or not.)
        2) Default position of the keytab file (which should be readable only by root anyway) is not always the same. It changed from /etc/krb5.keytab to /etc/heimdal/krb5.keytab when Buchan recompiled the openldap & sasl against heimdal libs...
        3) SASL error messages on ldap bind are (as usual) rather unhelpful:

1) wrong "keytab" definition:

ldap_sasl_interactive_bind_s: No such attribute (16)

2) no keytab definition, keytab not found:

ldap_sasl_interactive_bind_s: Invalid credentials (49)
        aditional info: SASL(-13) authentication failure: GSAPI Failure: gss_accept_sec_context.

Maybe some folks are able to interpret these kinds of messages; personally I prefer avoiding them. .-)

QUESTION: I would highly prefer NOT having yet another configuration file, especially not in /usr/lib. According to SASL docs, applications could somehow forward this kind of info to sasl, i.e. it should be possible to define this stuff in /etc/openldap/slapd.conf.

I tried with "sasl-keytab", but it does not work with openldap 2.1.25. Does anyone know if this can be done somehow?

thx
Denis

T-Mobile Austria GmbH,
Information Technologies / Services
Knowledge Management & Process Automation

Dr. Denis Havlik            eMail: denis.havlik@t-mobile.at
Rennweg 12, Zi. 444         Phone: +43-1-79-585/6237
A-1030 Vienna               Fax:   +43-1-795-85/6584
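As an added example (not part of Denis's mail, nor code from OpenLDAP or Cyrus SASL), a small Python audit for points 1 and 2 above: it parses the "key: value" format of /usr/lib/sasl2/slapd.conf, checks that the keytab is owned by the slapd user and not readable by group/other, and lists the principals in the keytab to confirm the ldap/FQHN key is there. The service uid, the host ldap.example.org and the realm EXAMPLE.ORG are assumptions, and the keytab is assumed to be in the version 0x0502 format written by both MIT and Heimdal.

```python
import struct

SAMPLE_CONF = "pwcheck_method: saslauthd\nkeytab:        /etc/openldap/ldap.krb5.keytab\n"  # constructed, as in the mail
SAMPLE_PRINCIPAL = "ldap/ldap.example.org@EXAMPLE.ORG"  # hypothetical ldap/FQHN principal

def parse_sasl_conf(text):
    """Parse the 'key: value' lines of a Cyrus SASL application config file."""
    lines = (l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, _, v in (l.partition(":") for l in lines)}

def keytab_principals(data):
    """Return the principal names stored in a version 0x0502 (MIT/Heimdal) keytab."""
    assert data[:2] == b"\x05\x02", "unsupported keytab version"
    pos, names = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]  # negative size = deleted slot
        if size > 0:
            entry, p, parts = data[pos + 4:pos + 4 + size], 2, []
            for _ in range(struct.unpack_from(">H", entry)[0] + 1):  # realm, then components
                n = struct.unpack_from(">H", entry, p)[0]
                parts.append(entry[p + 2:p + 2 + n].decode())
                p += 2 + n
            names.append("/".join(parts[1:]) + "@" + parts[0])
        pos += 4 + abs(size)
    return names

def build_keytab(principals, kvno=1):
    """Construct a minimal v0x0502 keytab holding dummy keys (sample data only)."""
    out = b"\x05\x02"
    for name in principals:
        comps, realm = name.rsplit("@", 1)[0].split("/"), name.rsplit("@", 1)[1]
        body = struct.pack(">H", len(comps)) + b"".join(
            struct.pack(">H", len(s)) + s.encode() for s in [realm] + comps)
        body += struct.pack(">IIB", 1, 0, kvno)            # name_type, timestamp, vno8
        body += struct.pack(">HH", 17, 16) + b"\x00" * 16  # enctype 17, key length, dummy key
        out += struct.pack(">i", len(body)) + body
    return out

def audit_keytab(conf_text, mode, uid, keytab, principal, service_uid):
    """Apply the mail's rules to one keytab; returns a list of findings (empty = OK)."""
    path = parse_sasl_conf(conf_text).get("keytab")
    if not path:
        return ["no 'keytab:' line; SASL falls back to the Kerberos library default"]
    findings = []
    if uid != service_uid:
        findings.append(f"{path} is not owned by the slapd service user (uid {uid})")
    if mode & 0o077:
        findings.append(f"{path} is readable by group/other (mode {mode & 0o777:04o})")
    if principal not in keytab_principals(keytab):
        findings.append(f"{path} has no key for {principal}")
    return findings
```

Against real files, pass os.stat(path).st_mode and .st_uid, the keytab bytes, and the slapd user's uid from pwd.getpwnam to audit_keytab.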