[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Antwort: Re: SASL/GSSAPI keytab location [Virus checked]



--On Thursday, April 01, 2004 10:44 AM +0200 denis.havlik@t-mobile.at wrote:


This is entirely based on how kerberos was configured on the server you
are  using.  I suggest you complain to the person who built the package
for you.  This is not an OL issue.


Sorry, but I disagree.

The location of a default keytab file is quite irrelevant, simply because
this file should not be used in the first place(*). Everyone who uses
SASL/GSSAPI with openLDAP should IMO use a keytab file that is owned by
ldap, readable only by LDAP, and contains no other keytabs but those
needed for LDAP/SASL/GSSAPI.
Default keytab file is not suitable for this purpose, and thus we have to
define the location of the LDAPs "private" keytab file somewhere.

The fact that I can't configure the location of this keyfile in
/etc/openldap/slapd.conf is annoying, especially considering the fact
that I can configure other sasl-related stuff there.

You can if you use the right environment variables for slapd in your startup script. But those are Kerberos environment variables.

(*) I'm not a kerberos expert, but AFAIK giving someone a keyfile in
kerberised environment is just like giving him a password. Now, imagine a
situation when several services run on a machine, and each of them needs
a "password" written down in a file. Would you put all passwords in one
file, or would you prefer having only the password(s) that one
application really needs in a file that is only readable by this
application?

You aren't giving someone a keytab. Of course, I run my slapd as root, but I also run trusted boxes. ;)

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html