
Antwort: Re: SASL/GSSAPI keytab location [Virus checked]

>--On Wednesday, March 31, 2004 11:34 AM +0200 denis.havlik@t-mobile.at

>> Hi, folks
>> I've finally found out how to tell LDAP/SASL where to look for the
>> kerberos keytab file. This does not seem to be a very well known piece of
>> information, so here it comes:
>> ******************************************************
>> # cat /usr/lib/sasl2/slapd.conf
>> pwcheck_method: saslauthd
>> keytab:        /etc/openldap/ldap.krb5.keytab
>> ******************************************************

>This is entirely based on how kerberos was configured on the server you are
>using.  I suggest you complain to the person who built the package for you.
>This is not an OL issue.

Sorry, but I disagree.

The location of a default keytab file is quite irrelevant, simply because this file should not be used in the first place(*). Everyone who uses SASL/GSSAPI with openLDAP should IMO use a keytab file that is owned by ldap, readable only by LDAP, and contains no other keytabs but those needed for LDAP/SASL/GSSAPI.
The default keytab file is not suitable for this purpose, and thus we have to define the location of LDAP's "private" keytab file somewhere.

The fact that I can't configure the location of this keyfile in /etc/openldap/slapd.conf is annoying, especially considering the fact that I can configure other sasl-related stuff there.

Besides, I find the logic behind it difficult to understand. If "sasl-realm" and "sasl-host" are legitimate configuration options for openLDAP, what's wrong with "sasl-keytab" and "sasl-pwcheck_method"?

(*) I'm not a kerberos expert, but AFAIK giving someone a keyfile in a kerberised environment is just like giving him a password. Now, imagine a situation where several services run on a machine, and each of them needs a "password" written down in a file. Would you put all passwords in one file, or would you prefer having only the password(s) that one application really needs in a file that is only readable by this application?

The same is true for kerberos keytabs: Giving LDAP access to a keytab file with keytabs for other services is as far as I can see a BadIdea(TM). Giving other services access to the LDAP keytab is equally bad.
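The two properties argued for in the post above (a keytab private to the slapd service account, holding only the LDAP service keys) can be checked mechanically before the file is pointed to from /usr/lib/sasl2/slapd.conf. The following is an added example, not code from the original thread, OpenLDAP or Cyrus SASL: it builds a constructed sample keytab in the MIT on-disk format (version 0x0502), parses it back, and reports foreign principals and permissive ownership or mode. The principal names, realm, zero-filled key material and the `ldap` service name are illustrative assumptions; real ownership checks would pass the uid of the ldap account (for example `pwd.getpwnam("ldap").pw_uid`).

```python
"""Audit a keytab before handing it to slapd (added example, see lead-in).

Parses the MIT keytab format, version 0x0502, and checks that the file is
private to the service account and holds only that service's keys.
Sample principals, realm and keys below are constructed, not real.
"""
import os
import stat
import struct
import tempfile
import time

# Constructed sample entries: (principal, kvno, enctype, key).
# enctype 18 is aes256-cts-hmac-sha1-96; zero-filled keys are placeholders.
SAMPLE_ENTRIES = [
    ("ldap/ldap.example.com@EXAMPLE.COM", 3, 18, b"\x00" * 32),
    ("host/ldap.example.com@EXAMPLE.COM", 5, 18, b"\x00" * 32),
    ("imap/mail.example.com@EXAMPLE.COM", 7, 18, b"\x00" * 32),
]


def _counted(b: bytes) -> bytes:
    """Keytab counted-octet-string: uint16 big-endian length, then bytes."""
    return struct.pack(">H", len(b)) + b


def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries) -> bytes:
    """Build a version-2 MIT keytab in memory from (principal, kvno, enctype, key)."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))  # v2: realm not counted
        body += _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">I", 1)                     # name_type KRB5_NT_PRINCIPAL
        body += struct.pack(">I", int(time.time()))      # timestamp
        body += struct.pack(">B", kvno & 0xFF)           # 8-bit vno
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)                  # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes):
    """Yield (principal, kvno, enctype) for every live entry of a v2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:                # MIT treats a zero size as end of file
            break
        if size < 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        p = pos + 2
        realm, p = _read_counted(data, p)
        comps = []
        for _ in range(ncomp):
            c, p = _read_counted(data, p)
            comps.append(c.decode())
        p += 4 + 4                   # skip name_type and timestamp
        vno8 = data[p]
        p += 1
        (enctype,) = struct.unpack_from(">H", data, p)
        _, p = _read_counted(data, p + 2)  # key material, not needed to audit
        kvno = vno8
        if end - p >= 4:             # 32-bit vno present; it wins when non-zero
            (vno32,) = struct.unpack_from(">I", data, p)
            kvno = vno32 or vno8
        yield "/".join(comps) + "@" + realm.decode(), kvno, enctype
        pos = end


def audit_keytab(data: bytes, service: str = "ldap"):
    """Return principals that do not belong to `service` (empty list = clean)."""
    return [princ for princ, _, _ in parse_keytab(data)
            if princ.split("/", 1)[0] != service]


def audit_keytab_file(path: str, owner_uid: int, service: str = "ldap"):
    """Check owner, mode and contents of an on-disk keytab; return problems."""
    problems = []
    st = os.stat(path)
    if st.st_uid != owner_uid:
        problems.append(f"owner uid {st.st_uid}, expected uid {owner_uid}")
    if st.st_mode & 0o077:
        problems.append(f"mode {stat.filemode(st.st_mode)} grants group/other access")
    with open(path, "rb") as f:
        data = f.read()
    problems += [f"foreign principal {p}" for p in audit_keytab(data, service)]
    return problems


def demo():
    """Write the mixed sample keytab world-readable, audit it, clean up."""
    fd, path = tempfile.mkstemp(suffix=".keytab")
    try:
        os.write(fd, build_keytab(SAMPLE_ENTRIES))
        os.close(fd)
        os.chmod(path, 0o644)        # deliberately too permissive
        return audit_keytab_file(path, owner_uid=os.getuid())
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for problem in demo():
        print(problem)
```

Run against the file named in the SASL config (`audit_keytab_file("/etc/openldap/ldap.krb5.keytab", pwd.getpwnam("ldap").pw_uid)`), an empty result means the keytab is owned by ldap, unreadable by group and others, and contains only `ldap/...` principals. The same parser reads keytabs produced by MIT `ktutil` or Heimdal `ktutil`, so it also shows what was copied when entries are extracted from a shared host keytab into a per-service one.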