[Date Prev][Date Next] [Chronological] [Thread] [Top]

TLS+Heimdal+SASL+Openv2 all chrooted...



Hi everybody,
First , scuse for my poor english ..
i experienced to puzzled these all program to work each others..
For many problems and time, it 's work !! But now, i have a few questions to replace all correctly in my brain :)
So, let's go :
i want to chroot these programs but i don't know if i correctly understand what it is good for ;(
For example, openldap.. Only daemon slapd have to be chrooted or ldapsearch and rests of programs too ?
in fact i do this well for slapd but like i've said, i have installed heimdal and of course, ldap must have access to keytab (and krb5.conf and tmp cache) through sasl right ?
i only use sasl like third party layer so i don't chrooted sasl but only incorporated sasl lib into my ldap chroot necessary library .. right anymore.. ?
My first brain mistake is that i thought that chrooting something is for not allowed a friendly honest person :) to hack my daemon and trying to have name and pass of some users but when i search this lists for help doing that, i found some persons who said that they are putting a copy of keytab (and rests of heimdal config file) in their chrooted environment??? I understand that base of chrooting is not to sharing but if you give yourself information ?? i know it's crypted but users login are visible.. second , how are they updating informations ?? by copying all files all times ??
i personnaly using ldapsearch in the chroot directory but not with chroot command so it seems to retrieving informations from outside jail (heimdal informations except this keytab and libsasl compiled outside) it seems to worked.. Slapd is good chrooted but programs are not.
is it good or my brain is really tired of all this compilations ?
I try to symbolinc link from original keytab but logicaly it fails cause cannot go outside jail..
Second, is anybody done to launch kdc with non-root uid ?
Third, is anybody done to install mod_auth_kerb with apache and heimdal (it seems to designed for mit..) or have a patch ?
Fourth really escuse for my french english :)
Thanks for all
thierry W