Re: Antwort: Re: SASL/GSSAPI keytab location [Virus checked]
--On Thursday, April 01, 2004 10:44 AM +0200 email@example.com wrote:
This is entirely based on how Kerberos was configured on the server you
are using. I suggest you complain to the person who built the package
for you. This is not an OL issue.
Sorry, but I disagree.
The location of a default keytab file is quite irrelevant, simply because
this file should not be used in the first place(*). Everyone who uses
SASL/GSSAPI with OpenLDAP should IMO use a keytab file that is owned by
ldap, readable only by LDAP, and contains no other keytabs but those
needed for LDAP/SASL/GSSAPI.
The default keytab file is not suitable for this purpose, and thus we have to
define the location of LDAP's "private" keytab file somewhere.
The fact that I can't configure the location of this keyfile in
/etc/openldap/slapd.conf is annoying, especially considering the fact
that I can configure other sasl-related stuff there.
You can if you use the right environment variables for slapd in your
startup script. But those are Kerberos environment variables.
(*) I'm not a Kerberos expert, but AFAIK giving someone a keyfile in a
kerberised environment is just like giving him a password. Now, imagine a
situation when several services run on a machine, and each of them needs
a "password" written down in a file. Would you put all passwords in one
file, or would you prefer having only the password(s) that one
application really needs in a file that is only readable by this
You aren't giving someone a keytab. Of course, I run my slapd as root, but
I also run trusted boxes. ;)
Principal Software Developer
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
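
The keytab properties discussed in this thread (owned by the slapd account, readable by nobody else, holding only LDAP service keys) can be checked with a short script. This is an added example, not part of the original message; it assumes MIT Kerberos (`klist -k` output format and the `KRB5_KTNAME` variable), and the `ldap` account name and keytab path are hypothetical.

```shell
#!/bin/sh
# Added example: audit a dedicated slapd keytab.
# Assumptions: MIT Kerberos klist, account "ldap", path given by the caller.

# check_keytab_perms FILE OWNER
# Succeeds only if FILE is a regular, non-symlink file owned by OWNER
# with no permission bits set for group or other.
check_keytab_perms() {
    file=$1
    owner=$2
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "FAIL: $file is not a regular file" >&2; return 1
    fi
    # ls -ld fields: 1 = mode string, 3 = owner (numeric if no passwd entry)
    info=$(ls -ld -- "$file")
    go_bits=$(printf '%s\n' "$info" | awk '{print substr($1, 5, 6)}')
    actual=$(printf '%s\n' "$info" | awk '{print $3}')
    [ "$actual" = "$owner" ] ||
        { echo "FAIL: owned by $actual, expected $owner" >&2; return 1; }
    [ "$go_bits" = "------" ] ||
        { echo "FAIL: group/other access ($go_bits)" >&2; return 1; }
}

# foreign_principals SERVICE
# Reads `klist -k` output on stdin and prints every principal that is
# not SERVICE/...; header lines are skipped because their first field
# is not a numeric KVNO.
foreign_principals() {
    awk -v svc="$1" '$1 ~ /^[0-9]+$/ && index($2, svc "/") != 1 {print $2}'
}

# audit_keytab FILE [OWNER]
# Run as root or as OWNER so that klist can read the file.
audit_keytab() {
    check_keytab_perms "$1" "${2:-ldap}" || return 1
    extra=$(klist -k "$1" | foreign_principals ldap)
    [ -z "$extra" ] ||
        { echo "FAIL: non-LDAP keys present: $extra" >&2; return 1; }
    echo "OK: $1"
}

# Example (hypothetical path), followed by the environment variable a
# slapd startup script would export to use this keytab:
#   audit_keytab /etc/openldap/ldap.keytab ldap
#   KRB5_KTNAME=FILE:/etc/openldap/ldap.keytab; export KRB5_KTNAME
if [ "$#" -gt 0 ]; then audit_keytab "$@"; fi
```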